Hit with ransomware, cleared; trojan-like activity remains.

A customer of mine with a Windows 2016 Server got a ransomware infection this Monday. Turned out to be the Xorist. I got the Emsisoft decrypter tool and ran it with success and then decrypted all the files on the server.

With that part done, scanned the machine with Webroot (installed, don't know how it didn't detect this), Windows Defender, Sophos second opinion, TDSSKiller, SUPERAntiSpyware and Malwarebytes. A trojan was found in a zip file that was in a profile that was created by an external source.

I went through all my usual programs to look for anything further (Process Explorer, TCPView, netstat etc.), but when it got to Process Monitor I narrowed down a lot of network traffic coming from the lsass.exe process, and it was going to random IPs (gamertalk.com.br).

[Snapshot of Process Monitor]

I could not get this traffic to subside, and it eventually crashed the server after 6-8 hours.

I took away the server's DNS settings as well as the gateway setting and this continued to flow in Process Monitor.

Am I reading this program incorrectly?
How else can I go about trying to find what is making this traffic?

Thank you.
Jason Ivey (Level 3 Tech) asked:

James Bunch (Systems Engineer) commented:
A couple of notes that may be helpful.

1. In your Malwarebytes, did you do a quick scan or custom scan? Always run a custom scan if you know or think something is up and elect to include rootkit scanning when selecting the partition/drives to scan. Increases time to complete but helps with detection.

2. Use CCleaner by Piriform. Run a cleaner for registry, check the programs to see if anything weird shows up in installed. Also check with the scheduled tasks to see if anything looks weird. Typically a string of numbers and letters not legible is no bueno. Can also check web browsers for extensions/add-ins that are bad juju.

3. If you are not certain about the traffic use the all powerful Wireshark program. Free and amazing to track traffic to ports and files that show the traffic. It's a great tool to have and use for a lot of reasons other than hunting a problem.
Jason Ivey (Level 3 Tech, author) commented:
I ran a full scan from Malwarebytes. I am not sure if rootkit detection was on, will rescan.

I am not familiar enough with Wireshark, but I have heard of its power, just never got enough time to sit down and learn how to use it.

I'll get back to you on the rootkit scan.

Thanks
James Bunch (Systems Engineer) commented:
The rootkit scan is a great way to find underlying stuff that has the normal facades. CCleaner combo with this scan typically cures my ailments on client devices.

Wireshark is super simple to pick up and use (a little tough to master). But you can isolate a port specifically and trace that network traffic back to the file using it or even the remote machine on the LAN and then down to the file. It's most definitely a great tool to start using in your situation. Good luck!
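As an added example, not code from James or anyone else in this thread, here is the same port-to-process tracing done directly on the server with PowerShell, assuming Windows Server 2016 / PowerShell 5.1 and an elevated session. It lists every outbound TCP connection or attempt with the owning process, its image path, parent and signature, so the lsass.exe traffic from the question can be compared with what a genuine lsass.exe looks like (C:\Windows\System32\lsass.exe, parent wininit.exe, Microsoft-signed, remote ends that are the domain controllers rather than random Internet hosts).

```powershell
# Added example (not from the thread). Assumes Windows Server 2016 /
# PowerShell 5.1 with the NetTCPIP module, run as Administrator so that
# process paths and parents resolve for system processes.
function Get-OutboundTalkers {
    # Skip loopback / unspecified endpoints; we only care about remote ends.
    $local = @('0.0.0.0', '127.0.0.1', '::', '::1')

    Get-NetTCPConnection -State Established, SynSent |
        Where-Object { $_.RemoteAddress -notin $local } |
        ForEach-Object {
            $conn   = $_
            $proc   = Get-CimInstance Win32_Process -Filter "ProcessId = $($conn.OwningProcess)"
            $parent = $null
            if ($proc) {
                $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($proc.ParentProcessId)"
            }
            # Authenticode check of the image on disk; OS binaries report
            # SignatureType Authenticode or Catalog with Status Valid.
            $sigStatus = 'n/a'; $sigType = 'n/a'
            if ($proc -and $proc.ExecutablePath) {
                $sig       = Get-AuthenticodeSignature -FilePath $proc.ExecutablePath
                $sigStatus = $sig.Status
                $sigType   = $sig.SignatureType
            }
            [PSCustomObject]@{
                Remote    = "$($conn.RemoteAddress):$($conn.RemotePort)"
                State     = $conn.State
                PID       = $conn.OwningProcess
                Process   = $proc.Name
                Path      = $proc.ExecutablePath
                Parent    = $parent.Name
                Signature = "$sigStatus/$sigType"
            }
        }
}

# Everything the box is trying to reach, grouped by process.
Get-OutboundTalkers | Sort-Object Process, Remote | Format-Table -AutoSize

# Only the lsass.exe connections from the question. Genuine lsass.exe:
# Path C:\Windows\System32\lsass.exe, Parent wininit.exe, Valid signature,
# and Remote endpoints that are this domain's controllers (Kerberos/LDAP).
Get-OutboundTalkers |
    Where-Object { $_.Process -eq 'lsass.exe' } |
    Format-List Remote, State, PID, Path, Parent, Signature
```

Run it a few times while the traffic is flowing; a process whose path, parent or signature differs from the expected values above, or whose remote ends are not your domain controllers, is what to hand to the rebuild/forensics decision.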
btan (Exec Consultant) commented:
Better to rebuild machine that was infected. Manual cleaning is not assuring.

Isolate the machine. Change the login credentials for the administrators. You may want to check the mapped drives and see if the ransomware notes are in existence.

Can try sending the trojan zip to VirusTotal to see if any other AV detects it and also see the other artefacts it creates, which may be more than the callback. https://www.virustotal.com

You should also check the firewall and Internet gateway on traffic surge from this server and block any outgoing calls.
Jason Ivey (Level 3 Tech, author) commented:
It's the best logical answer to not risk trying to clean. The trojan was detected by 1/2 of the scanners at VirusTotal and most identified the gen.trojan.