One of my friends has recently found malicious activity on his device. He hasn't lost anything monetary yet, but he has been getting password recovery requests sent to his email from all the various sites on which he uses his email to log in. My friend has changed all his passwords and backed up his data, and I have cut off the device's network access and lent him one of my own machines.
I would like to study the extent to which his device has been compromised and what his computer has done on behalf of the attacker.
With some work I was able to find what looks like a Java Generic RAT, and was able to track what site he downloaded the RAT from. Based on the trojan's download date, I can deduce for how long the trojan has been active. The RAT has installed a keylogger and mouselogger on his device, and some of the keylogs and mouselogs are still stored in files on the device. The logs were sent via a simple HTTP connection to the attacker. I assume these have already been compromised, and there could be even more keylogs that were automatically deleted by the logger after being received by the attacker.
My questions are the following:
Is there any way in Windows to determine a list of all executables/jars/commands that were issued from the time the trojan was downloaded to the time we disabled it? I would like to see exactly what was done on the machine on behalf of the Trojan. I could also do this by examining the trojan's source code more carefully, but this would be a time-consuming process, especially because of how well obfuscated the trojan is.
Is there a way to view the raw HTTP packets that were downloaded/uploaded on behalf of this Trojan during its activity? If these packets happen to be unencrypted, then I should be able to use these to figure out exactly what has been compromised. Does Windows/JVM store this sort of thing somewhere?
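The first question (what ran between the download date and the isolation date) can be partly answered from artifacts a default Windows install keeps anyway. The script below is an added example, not part of the original question: it collects execution evidence for a time window from the Prefetch directory, from Security log event 4688 (process creation) and from .jar files created under the user profiles, and merges them into one timeline. The `$Start`/`$End` dates are placeholders for the trojan's download date and the isolation date; the script assumes it is run as Administrator on the isolated machine (or with `$SystemRoot` pointed at a mounted image). On the second question, Windows itself keeps no history of HTTP payloads; unless a proxy, firewall or packet capture was already recording at the time, the raw requests are not recoverable from the host.

```powershell
# Added example (not from the original question): build a timeline of program
# execution evidence between two dates from on-host Windows artifacts.
# Placeholders: $Start = trojan download date, $End = when the device was isolated.
param(
    [datetime]$Start      = '2018-01-01',      # placeholder
    [datetime]$End        = (Get-Date),        # placeholder
    [string]  $SystemRoot = $env:SystemRoot,   # point at a mounted image if needed
    [string]  $UsersRoot  = (Join-Path $env:SystemDrive 'Users')
)

# 1. Prefetch: one EXECUTABLE.EXE-<hash>.pf per launched binary (when Prefetch is
#    enabled). LastWriteTime is refreshed on each run, so this yields the *last* run
#    inside the window, not every run. A Java RAT shows up here as JAVA.EXE/JAVAW.EXE,
#    not as the jar; the jar path only appears in the .pf file's loaded-file list.
$prefetch = Get-ChildItem -Path (Join-Path $SystemRoot 'Prefetch') -Filter '*.pf' -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -ge $Start -and $_.LastWriteTime -le $End } |
    Select-Object @{ n = 'Executable'; e = { $_.BaseName.Substring(0, $_.BaseName.LastIndexOf('-')) } },
                  @{ n = 'When';       e = { $_.LastWriteTime } },
                  @{ n = 'Source';     e = { 'Prefetch' } },
                  @{ n = 'Detail';     e = { $_.FullName } }

# 2. Security log 4688 (process creation). Only present if "Audit Process Creation"
#    was enabled before the infection; a default workstation usually has it off, so an
#    empty result here is expected rather than proof that nothing ran.
$filter = @{ LogName = 'Security'; Id = 4688; StartTime = $Start; EndTime = $End }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Executable = $data['NewProcessName']
            When       = $_.TimeCreated
            Source     = 'EventID 4688'
            # CommandLine is empty unless command-line auditing was also enabled;
            # when present it is what shows "javaw.exe -jar <path>" for a Java payload.
            Detail     = ('{0} | parent: {1}' -f $data['CommandLine'], $data['ParentProcessName'])
        }
    }

# 3. Filesystem: .jar files created in the window under user profiles, since a Java
#    RAT and anything it dropped for itself is usually a .jar (CreationTime can be
#    forged by malware, so treat this as a lead, not as proof).
$jars = Get-ChildItem -Path $UsersRoot -Recurse -Filter '*.jar' -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.CreationTime -ge $Start -and $_.CreationTime -le $End } |
    Select-Object @{ n = 'Executable'; e = { $_.FullName } },
                  @{ n = 'When';       e = { $_.CreationTime } },
                  @{ n = 'Source';     e = { 'jar created' } },
                  @{ n = 'Detail';     e = { '{0} bytes' -f $_.Length } }

# Merge into one timeline. Wrapping in @() keeps single results from breaking '+'.
$timeline = @($prefetch) + @($events) + @($jars) | Sort-Object When
$timeline | Format-Table Source, When, Executable, Detail -AutoSize

# Keep a copy alongside the isolated device's other evidence.
$timeline | Export-Csv -Path (Join-Path $env:TEMP 'execution-timeline.csv') -NoTypeInformation
```

The result is a lower bound, not a complete list: Prefetch records only the most recent runs per binary and can be disabled on some systems, 4688 exists only if auditing was on beforehand, and timestamps on dropped files can be altered. Two further on-host artifacts, Amcache.hve and the AppCompatCache (Shimcache) registry data, also record executed binaries but are not readable with built-in cmdlets and need a dedicated parser.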