Trojan:Win32/Alevaul

Trojan:Win32/Alevaul compromises a device as a malicious HTML file with a precise file size of 10,525 bytes. The code within this file is not encrypted, making it accessible for analysis, but it employs obfuscation techniques to hinder readability and detection. The attack sequence begins when this file runs, which then displays a decoy interface resembling a legitimate document to mask its malicious intent. This action triggers the launch of a PowerShell process that is configured to run hidden from the user. The specific command-line parameters used are "-w hidden -nop -noni -exec bypass -c", which ensures the window remains invisible, bypasses the Windows launch policy, does not load user profiles, and operates in a non-interactive mode. 

The core function of this PowerShell script is to download additional malicious payloads. It instantiates a System.Net.WebClient object to manage HTTP communication. To blend in with normal traffic, the script appends a custom User-Agent header, 'Ds26GOZNxbTxlJY', to its web requests. It connects to the specific, hard-coded URL https://limes.life/api/values/uid to retrieve the next-stage payload. The binary data obtained from this server is then converted into a UTF-8 encoded string and saved directly to the local file system. The chosen location for this file is C:\Users\Public\Documents\UpdateOfficeCore.vbs, a path selected for its accessibility across all user profiles on the compromised machine. 

To ensure it survives a Windows reboot, the malware establishes persistence by creating a scheduled task. This is achieved by launching the command schtasks /create /tn ExplorerCoreUpdateTaskMachine /tr "C:\Users\Public\Documents\UpdateOfficeCore.vbs" /sc minute /mo 3 /f. This command creates a task named ExplorerCoreUpdateTaskMachine that is set to trigger every three minutes and run the VBScript file. The /f flag forces the task to be created, overwriting any pre-existing task with the identical name. The creation of this task results in modifications to the Windows Registry, specifically generating a new key at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\ExplorerCoreUpdateTaskMachine. A corresponding entry, containing a unique GUID and the task's specific configuration data, is also created under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks. 

Beyond these core activities, Alevaul exhibits a limited scope of operation. It does not possess self-replication routines, data exfiltration capabilities, rootkit functionality to hide itself, or a backdoor communication module. Its operation is primarily memory-resident within the PowerShell process, and it does not attempt to exploit software vulnerabilities. Alevaul’s design is focused on downloading and executing remote scripts, making its persistence dependent on the scheduled task and the VBS file. Therefore, removing the ExplorerCoreUpdateTaskMachine task and deleting the UpdateOfficeCore.vbs file effectively halts the infection chain.