svchost.exe multiple outgoing UDP connections

Aleksander Krykun 1 Reputation point
2022-09-20T16:53:24.93+00:00

Hi,

Need help with one thing that was found on several machines. All machines were scanned with every AV we could find, and all the related .dll and .exe files were scanned too; nothing was found. We have svchost.exe sending many (100-1000) UDP packets per hour to different IPs all over the world on ports 50000-65000.

We found that this activity is coming from IP Helper (iphlpsvc) and looks like it is related to UnistackSvcGroup processes; Process Explorer shows these. When the machine boots we see this activity, but when we stop/start the IP Helper service it stops.

From procmon:

243076-image.png
243097-image.png

From Process Explorer:

243088-image.png

From the registry:

243105-image.png

Any ideas about what it can be?


2 answers

  1. Michael Taylor 48,281 Reputation points
    2022-09-20T17:39:48.383+00:00

    This could just be Windows making various requests as it runs. Everything has to get through the firewall though, so go to your firewall settings and verify that only your trusted apps can make UDP calls. Without looking at the actual packets (maybe use Fiddler or Wireshark to see the network packets) it would be hard to say what these requests are from. You could block them via the firewall, but they may be important to Windows, so I'd identify what they are sending first.


  2. Aleksander Krykun 1 Reputation point
    2022-09-21T15:47:12.66+00:00

    If you can help with this, here are the packets.

    No. Time Source Destination Protocol Length Info
    27607 158.219684 192.168.102.111 152.26.55.191 UDP 94 50123 → 57259 Len=52

    Frame 27607: 94 bytes on wire (752 bits), 94 bytes captured (752 bits)
    Encapsulation type: Ethernet (1)
    Arrival Time: Sep 21, 2022 11:27:40.808589000 Eastern Daylight Time
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1663774060.808589000 seconds
    [Time delta from previous captured frame: 0.000270000 seconds]
    [Time delta from previous displayed frame: 0.000000000 seconds]
    [Time since reference or first frame: 158.219684000 seconds]
    Frame Number: 27607
    Frame Length: 94 bytes (752 bits)
    Capture Length: 94 bytes (752 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ethertype:ip:udp:data]
    [Coloring Rule Name: UDP]
    [Coloring Rule String: udp]
    Ethernet II, Src: Dell_b1:d7:b5 (8c:ec:4b:b1:d7:b5), Dst: Tecnomen_11:08:e6 (00:e0:20:11:08:e6)
    Destination: Tecnomen_11:08:e6 (00:e0:20:11:08:e6)
    Address: Tecnomen_11:08:e6 (00:e0:20:11:08:e6)
    .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Source: Dell_b1:d7:b5 (8c:ec:4b:b1:d7:b5)
    Address: Dell_b1:d7:b5 (8c:ec:4b:b1:d7:b5)
    .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: IPv4 (0x0800)
    Internet Protocol Version 4, Src: 192.168.102.111, Dst: 152.26.55.191
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes (5)
    Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
    0000 00.. = Differentiated Services Codepoint: Default (0)
    .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
    Total Length: 80
    Identification: 0x654b (25931)
    Flags: 0x00
    ...0 0000 0000 0000 = Fragment Offset: 0
    Time to Live: 128
    Protocol: UDP (17)
    Header Checksum: 0x0000 [validation disabled]
    [Header checksum status: Unverified]
    Source Address: 192.168.102.111
    Destination Address: 152.26.55.191
    User Datagram Protocol, Src Port: 50123, Dst Port: 57259
    Source Port: 50123
    Destination Port: 57259
    Length: 60
    Checksum: 0xf73e [unverified]
    [Checksum Status: Unverified]
    [Stream index: 1329]
    [Timestamps]
    [Time since first frame: 0.000000000 seconds]
    [Time since previous frame: 0.000000000 seconds]
    UDP payload (52 bytes)
    Data (52 bytes)

    0000 60 00 00 00 00 00 3b 15 20 01 00 00 28 41 f6 34 `.....;. ...(A.4
    0010 2c ea 3c 34 cd 31 3c 5d 20 01 00 00 34 e4 6f 7e ,.<4.1<] ...4.o~
    0020 3c 5a 20 54 67 e5 c8 40 01 04 70 9c 2a eb 04 04 <Z Tg..@..p.*...
    0030 01 00 00 00 ....
    Data: 6000000000003b15200100002841f6342cea3c34cd313c5d2001000034e46f7e3c5a2054…
    [Length: 52]

    No. Time Source Destination Protocol Length Info
    27630 158.304724 192.168.102.111 152.26.55.191 UDP 114 50123 → 57259 Len=72

    Frame 27630: 114 bytes on wire (912 bits), 114 bytes captured (912 bits)
    Encapsulation type: Ethernet (1)
    Arrival Time: Sep 21, 2022 11:27:40.893629000 Eastern Daylight Time
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1663774060.893629000 seconds
    [Time delta from previous captured frame: 0.000720000 seconds]
    [Time delta from previous displayed frame: 0.085040000 seconds]
    [Time since reference or first frame: 158.304724000 seconds]
    Frame Number: 27630
    Frame Length: 114 bytes (912 bits)
    Capture Length: 114 bytes (912 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ethertype:ip:udp:data]
    [Coloring Rule Name: UDP]
    [Coloring Rule String: udp]
    Ethernet II, Src: Dell_b1:d7:b5 (8c:ec:4b:b1:d7:b5), Dst: Tecnomen_11:08:e6 (00:e0:20:11:08:e6)
    Destination: Tecnomen_11:08:e6 (00:e0:20:11:08:e6)
    Address: Tecnomen_11:08:e6 (00:e0:20:11:08:e6)
    .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Source: Dell_b1:d7:b5 (8c:ec:4b:b1:d7:b5)
    Address: Dell_b1:d7:b5 (8c:ec:4b:b1:d7:b5)
    .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: IPv4 (0x0800)
    Internet Protocol Version 4, Src: 192.168.102.111, Dst: 152.26.55.191
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes (5)
    Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
    0000 00.. = Differentiated Services Codepoint: Default (0)
    .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
    Total Length: 100
    Identification: 0x654c (25932)
    Flags: 0x00
    ...0 0000 0000 0000 = Fragment Offset: 0
    Time to Live: 128
    Protocol: UDP (17)
    Header Checksum: 0x0000 [validation disabled]
    [Header checksum status: Unverified]
    Source Address: 192.168.102.111
    Destination Address: 152.26.55.191
    User Datagram Protocol, Src Port: 50123, Dst Port: 57259
    Source Port: 50123
    Destination Port: 57259
    Length: 80
    Checksum: 0xf752 [unverified]
    [Checksum Status: Unverified]
    [Stream index: 1329]
    [Timestamps]
    [Time since first frame: 0.085040000 seconds]
    [Time since previous frame: 0.000720000 seconds]
    UDP payload (72 bytes)
    Data (72 bytes)

    0000 60 04 f6 3b 00 20 06 80 20 01 00 00 28 41 f6 34 `..;. .. ...(A.4
    0010 2c ea 3c 34 cd 31 3c 5d 20 01 00 00 34 e4 6f 7e ,.<4.1<] ...4.o~
    0020 3c 5a 20 54 67 e5 c8 40 1e 00 c2 73 c6 9a 47 90 <Z Tg..@...s..G.
    0030 9e ee e3 00 80 12 ff ff fd 05 00 00 02 04 04 c4 ................
    0040 01 03 03 08 01 01 04 02 ........
    Data: 6004f63b00200680200100002841f6342cea3c34cd313c5d2001000034e46f7e3c5a2054…
    [Length: 72]

    No. Time Source Destination Protocol Length Info
    27675 158.388536 192.168.102.111 152.26.55.191 UDP 177 50123 → 57259 Len=135

    Frame 27675: 177 bytes on wire (1416 bits), 177 bytes captured (1416 bits)
    Encapsulation type: Ethernet (1)
    Arrival Time: Sep 21, 2022 11:27:40.977441000 Eastern Daylight Time
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1663774060.977441000 seconds
    [Time delta from previous captured frame: 0.000908000 seconds]
    [Time delta from previous displayed frame: 0.083812000 seconds]
    [Time since reference or first frame: 158.388536000 seconds]
    Frame Number: 27675
    Frame Length: 177 bytes (1416 bits)
    Capture Length: 177 bytes (1416 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ethertype:ip:udp:data]
    [Coloring Rule Name: UDP]
    [Coloring Rule String: udp]
    Ethernet II, Src: Dell_b1:d7:b5 (8c:ec:4b:b1:d7:b5), Dst: Tecnomen_11:08:e6 (00:e0:20:11:08:e6)
    Destination: Tecnomen_11:08:e6 (00:e0:20:11:08:e6)
    Address: Tecnomen_11:08:e6 (00:e0:20:11:08:e6)
    .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Source: Dell_b1:d7:b5 (8c:ec:4b:b1:d7:b5)
    Address: Dell_b1:d7:b5 (8c:ec:4b:b1:d7:b5)
    .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: IPv4 (0x0800)
    Internet Protocol Version 4, Src: 192.168.102.111, Dst: 152.26.55.191
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes (5)
    Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
    0000 00.. = Differentiated Services Codepoint: Default (0)
    .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
    Total Length: 163
    Identification: 0x654d (25933)
    Flags: 0x00
    ...0 0000 0000 0000 = Fragment Offset: 0
    Time to Live: 128
    Protocol: UDP (17)
    Header Checksum: 0x0000 [validation disabled]
    [Header checksum status: Unverified]
    Source Address: 192.168.102.111
    Destination Address: 152.26.55.191
    User Datagram Protocol, Src Port: 50123, Dst Port: 57259
    Source Port: 50123
    Destination Port: 57259
    Length: 143
    Checksum: 0xf791 [unverified]
    [Checksum Status: Unverified]
    [Stream index: 1329]
    [Timestamps]
    [Time since first frame: 0.168852000 seconds]
    [Time since previous frame: 0.000908000 seconds]
    UDP payload (135 bytes)
    Data (135 bytes)

    0000 60 04 f6 3b 00 5f 06 80 20 01 00 00 28 41 f6 34 `..;._.. ...(A.4
    0010 2c ea 3c 34 cd 31 3c 5d 20 01 00 00 34 e4 6f 7e ,.<4.1<] ...4.o~
    0020 3c 5a 20 54 67 e5 c8 40 1e 00 c2 73 c6 9a 47 91 <Z Tg..@...s..G.
    0030 9e ee e3 4b 50 18 01 01 a0 f5 00 00 0e 53 77 61 ...KP........Swa
    0040 72 6d 20 70 72 6f 74 6f 63 6f 6c 00 00 00 00 00 rm protocol.....
    0050 10 00 00 ed 59 58 29 46 98 0f 64 d6 67 d3 48 f7 ....YX)F..d.g.H.
    0060 9d 34 54 2b 61 5a 75 45 95 2d 90 d9 2e 5a 82 4b .4T+aZuE.-...Z.K
    0070 b0 bf ee cd 98 95 a9 7b df fb 46 a5 a6 36 bd 4c .......{..F..6.L
    0080 c2 c6 bd 00 00 00 00 .......
    Data: 6004f63b005f0680200100002841f6342cea3c34cd313c5d2001000034e46f7e3c5a2054…
    [Length: 135]

    243542-expor5.txt
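An added decoder for the frames above (not part of the post or either answer): the UDP payloads start with 0x60 and carry 2001:0::/32 addresses, the Teredo tunnel format (RFC 4380) that the IP Helper service hosts, so the script below assumes that format and verifies it by recovering the peer's IPv4 address and port from the inner IPv6 destination and comparing them with the outer UDP header copied from the capture. It then exposes the tunnelled TCP segment; in frame 27675 the local side is TCP port 7680, which Windows Delivery Optimization listens on, and the data begins with the "Swarm protocol" handshake visible in the hex dump.

```python
"""Decode the UDP payloads from the post as Teredo-tunnelled IPv6 (RFC 4380).

Sample bytes are copied from frames 27607 and 27675 in the capture above.
"""
import ipaddress
import struct

TEREDO_NET = ipaddress.IPv6Network("2001:0::/32")   # Teredo prefix (RFC 4380)

# Frame 27607: 52-byte UDP payload (IPv6 header, no next header, 12 trailing bytes).
FRAME_27607 = bytes.fromhex(
    "6000000000003b15" "200100002841f6342cea3c34cd313c5d"
    "2001000034e46f7e3c5a205467e5c840" "0104709c2aeb040401000000")
# Frame 27675: 135-byte UDP payload (IPv6 header + TCP header + 75 data bytes).
FRAME_27675 = bytes.fromhex(
    "6004f63b005f0680" "200100002841f6342cea3c34cd313c5d"
    "2001000034e46f7e3c5a205467e5c840" "1e00c273c69a47919eeee34b50180101a0f50000"
    "0e537761726d2070726f746f636f6c" "0000000000100000" "ed59582946980f64d667d348f7"
    "9d34542b615a7545952d90d92e5a824b" "b0bfeecd9895a97bdffb46a5a636bd4c" "c2c6bd00000000")

def teredo_fields(addr: ipaddress.IPv6Address) -> dict:
    """Server, flags and the XOR-obfuscated client port/IPv4 embedded in a Teredo address."""
    b = addr.packed
    return {"server": str(ipaddress.IPv4Address(b[4:8])),
            "flags": struct.unpack("!H", b[8:10])[0],
            "port": struct.unpack("!H", b[10:12])[0] ^ 0xFFFF,
            "ip": str(ipaddress.IPv4Address(bytes(x ^ 0xFF for x in b[12:16])))}

def decode(payload: bytes, outer_dst_ip: str, outer_dst_port: int) -> dict:
    """Parse the inner IPv6 header and cross-check its Teredo destination with the outer UDP header."""
    if len(payload) < 40 or payload[0] >> 4 != 6:
        raise ValueError("payload is not an IPv6 packet")
    plen, nxt, hop = struct.unpack("!HBB", payload[4:8])
    src, dst = ipaddress.IPv6Address(payload[8:24]), ipaddress.IPv6Address(payload[24:40])
    out = {"src": str(src), "dst": str(dst), "next_header": nxt, "hop_limit": hop,
           "teredo": src in TEREDO_NET and dst in TEREDO_NET}
    if out["teredo"]:
        out["src_client"], out["dst_client"] = teredo_fields(src), teredo_fields(dst)
        # A genuine Teredo peer address must agree with where the UDP datagram actually went.
        out["matches_outer"] = (out["dst_client"]["ip"] == outer_dst_ip
                                and out["dst_client"]["port"] == outer_dst_port)
    inner = payload[40:40 + plen]            # bytes past plen are Teredo trailers, ignored here
    if nxt == 6 and len(inner) >= 20:        # TCP carried inside the tunnel
        sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", inner[:14])
        out["tcp"] = {"sport": sport, "dport": dport, "flags": off_flags & 0x1FF,
                      "data": inner[(off_flags >> 12) * 4:]}
    return out

if __name__ == "__main__":
    for frame in (FRAME_27607, FRAME_27675):
        print(decode(frame, "152.26.55.191", 57259))
```

Both frames decode to the same peer (152.26.55.191:57259), which is exactly the outer destination, so the traffic is consistent with Teredo rather than a tunnel hiding something else; the embedded source address likewise yields the capture's own port 50123.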