The provided source material consists of three technical analysis reports from a malware analysis platform. These reports detail the behavior and characteristics of suspicious files executed via the Windows Script Host (wscript.exe). The data focuses on indicators of compromise (IOCs), behavioral analysis, and network activity, specifically identifying two unique indicators labeled "ntice" and "trinka." The analysis reveals patterns consistent with bot communication, anti-analysis techniques, and unauthorized network connections.
Behavioral Indicators and MITRE ATT&CK Techniques
The analysis identifies specific behaviors associated with the execution of wscript.exe. In Source [1], the process wscript.exe (PID: 3868) is observed interacting with KERNEL32.DLL to query system information. Specifically, the process calls GetUserDefaultLCID and GetUserDefaultUILanguage, indicating an attempt to identify the system's locale and user interface language. This behavior aligns with the MITRE ATT&CK technique T1094, which involves the discovery of system information through native APIs.
Source [2] corroborates this finding, listing the ATT&CK ID T1094 and noting that the file contains indicators of bot communication commands. Source [3] also references T1094, specifically mentioning the process "possibly checks for known debuggers/analysis tools." This suggests the scripts are designed to evade automated analysis environments.
File and Process Interactions
The reports detail specific file interactions and mutant creation.
* File Touches: In Source [2], wscript.exe touched files in the Windows directory, specifically %WINDIR%\SysWOW64\en-US\wscript.exe.mui and %WINDIR%\SysWOW64\wscript.exe. Source [3] reports similar activity, touching %WINDIR%\System32\wscript.exe and %WINDIR%\Globalization\Sorting\SortDefault.nls. These actions suggest the malware may be inspecting or modifying system files.
* Mutant Creation: Multiple sources report the creation of a mutant named "\Sessions\1\BaseNamedObjects\Local\InternetShortcutMutex" and its localized variant "Local\InternetShortcutMutex". This synchronization primitive is often used by malware to ensure only a single instance of the process runs or to coordinate activities between threads.
Network Activity and Command and Control (C2) Communication
The analysis highlights unauthorized network connections initiated by the wscript.exe process. These connections are characterized by specific IP addresses, ports, and domains.
Contacted Servers and Domains
- Source [1]: The process contacted the domain baytk-ksa.com and the server IP 148.72.195.188 on port 80.
- Source [3]: The process contacted the domain creationzerodechet.com and the server IP 46.30.213.209 on port 80. Additionally, Source [3] notes that TCP traffic was sent to 46.30.213.209 on port 80 without an HTTP header, which is a common technique used by malware to bypass network detection or communicate with C2 servers using custom protocols.
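To show how the indicators in this section and the mutant name from the file and process section translate into detection logic, here is an added triage helper. It is not code from the Hybrid Analysis reports; the event format and the sample event lines are constructed for illustration, and the only values taken from the reports are the two domains, the two IP addresses and the mutant name. It flags DNS queries for the listed domains, TCP connections to the listed IPs, mutant creation ending in InternetShortcutMutex, and port-80 TCP payloads that do not start with an HTTP request line.

```python
"""Triage helper for the IOCs in the summary above: known C2 domains and IPs,
the InternetShortcutMutex mutant, and port-80 TCP traffic that carries no
HTTP request line. Added example, not code from the Hybrid Analysis reports;
the event format and the log lines are constructed for illustration."""
import re
from dataclasses import dataclass

# Indicators taken from the summary.
IOC_DOMAINS = {"baytk-ksa.com", "creationzerodechet.com"}
IOC_IPS = {"148.72.195.188", "46.30.213.209"}
IOC_MUTEX_NAME = "InternetShortcutMutex"   # covers the \Sessions\... and Local\ forms

# HTTP/1.x request lines start with a method token followed by a space.
HTTP_METHODS = ("GET ", "POST ", "HEAD ", "PUT ", "DELETE ",
                "OPTIONS ", "CONNECT ", "TRACE ", "PATCH ")

# Constructed event format (hypothetical, not a real sandbox schema):
#   <image> pid=<n> <event> key=value ...
EVENT_RE = re.compile(r"^(?P<image>\S+)\s+pid=(?P<pid>\d+)\s+(?P<event>\w+)\s*(?P<detail>.*)$")


@dataclass
class Hit:
    line_no: int
    pid: int
    reason: str


def is_http_request(payload: bytes) -> bool:
    """True when the payload starts like an HTTP/1.x request line."""
    try:
        head = payload[:16].decode("ascii")
    except UnicodeDecodeError:
        return False
    return head.startswith(HTTP_METHODS)


def scan_events(lines):
    """Return a list of Hit for every event that matches an IOC or behaviour."""
    hits = []
    for line_no, raw in enumerate(lines, 1):
        m = EVENT_RE.match(raw.strip())
        if not m:
            continue                      # skip malformed lines rather than fail
        pid = int(m["pid"])
        event = m["event"]
        fields = dict(tok.split("=", 1) for tok in m["detail"].split() if "=" in tok)

        if event == "dns" and fields.get("query", "").lower() in IOC_DOMAINS:
            hits.append(Hit(line_no, pid, f"DNS query for known C2 domain {fields['query']}"))

        elif event == "tcp":
            host, _, port = fields.get("dst", "").rpartition(":")
            if host in IOC_IPS:
                hits.append(Hit(line_no, pid, f"TCP connection to known C2 IP {host}"))
            payload = bytes.fromhex(fields.get("payload_hex", ""))
            if port == "80" and payload and not is_http_request(payload):
                hits.append(Hit(line_no, pid, "non-HTTP payload sent on TCP port 80"))

        elif event == "mutex" and fields.get("name", "").endswith(IOC_MUTEX_NAME):
            hits.append(Hit(line_no, pid, f"mutant created: {fields['name']}"))
    return hits


# Constructed sample events mirroring the observations in the summary.
SAMPLE_EVENTS = [
    "wscript.exe pid=3868 dns query=baytk-ksa.com",
    "wscript.exe pid=3868 tcp dst=148.72.195.188:80 payload_hex=474554202f20485454502f312e31",
    r"wscript.exe pid=3868 mutex name=\Sessions\1\BaseNamedObjects\Local\InternetShortcutMutex",
    "notepad.exe pid=1200 dns query=example.org",
    "wscript.exe pid=4012 tcp dst=46.30.213.209:80 payload_hex=0011aabbcc",
]

if __name__ == "__main__":
    for h in scan_events(SAMPLE_EVENTS):
        print(f"line {h.line_no} pid {h.pid}: {h.reason}")
```

Run against the constructed events it reports five hits: the domain lookup, both connections to listed IPs, the mutant, and the second connection a second time because its payload does not begin with an HTTP method. The mutant name is a low-specificity indicator on its own, so it is best weighted as supporting context alongside the network hits rather than as a standalone alert.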
Bot Communication Indicators
The presence of "indicators of bot communication commands" is explicitly stated in Source [1], Source [2], and Source [3]. The specific indicators used to flag these behaviors are:
* "trinka": Identified in Source [1] and Source [5] (referenced within the text of Source [2] and [3] as a context switch, though the text blocks provided contain the indicator). This string appears in the memory dumps associated with the malicious files.
* "ntice": Identified in Source [2] and Source [3]. This string appears in various text blocks within the analyzed samples.
Anti-Analysis and Environment Awareness
The malware demonstrates capabilities designed to detect analysis environments and resist reverse engineering.
- Environment Awareness: Source [1] explicitly lists "Environment Awareness" as a category. The process queries the machine time (GetSystemTime), machine version (GetVersionEx), and system locale (as noted in the T1094 section).
- Debugger Detection: Source [1] notes that the malware "Possibly tries to detect the presence of a debugger." Source [3] expands on this, stating it "Possibly checks for known debuggers/analysis tools."
- Anti-Reverse Engineering: Source [1] lists "Anti-Reverse Engineering" as a category, suggesting the file employs obfuscation or packing techniques to hinder analysis. The presence of PDB paths (specifically wscript.pdb in Source [1]) indicates that debugging symbols were referenced, which might be an artifact of the build process or a deliberate attempt to confuse analysts.
Source Reliability and Evaluation
The sources provided are technical reports generated by a malware analysis platform (Hybrid Analysis). These reports are considered reliable for the specific technical data they contain, such as network indicators, file hashes, and behavioral observations.
However, the reliability of the content of the malicious scripts themselves (the text blocks containing the "trinka" and "ntice" indicators) is low regarding their semantic meaning. The text appears to be random or garbled strings (e.g., "albocarbon helicopts uncorrigibly unbearded...") likely generated by a random string generator or used as obfuscation padding. These strings should not be interpreted as meaningful communication but rather as technical signatures for detection.
The network indicators (IPs and domains) are verified observations of traffic and are high-reliability IOCs.
Conclusion
The provided source material describes the behavior of malicious scripts executed via Windows Script Host. The analysis confirms the presence of two distinct indicators, "trinka" and "ntice," associated with bot communication and command execution. The malware exhibits standard evasion techniques, including environment awareness, debugger detection, and anti-reverse engineering measures. It attempts to communicate with external servers on port 80 using non-standard traffic patterns (TCP traffic lacking HTTP headers) and contacts specific domains (baytk-ksa.com and creationzerodechet.com). These indicators and behaviors are critical for identifying and mitigating the threat described in the analysis reports.
