Automated Malware Analysis Report for Spoolsv.Exe

ID: 160124 Sample Name: spoolsv.exe Cookbook: default.jbs Time: 10:37:44 Date: 05/08/2019 Version: 26.0.0 Aquamarine Table of Contents

Table of Contents 2 Analysis Report spoolsv.exe 4 Overview 4 General Information 4 Detection 4 Confidence 4 Classification 5 Analysis Advice 5 Mitre Att&ck Matrix 6 Signature Overview 6 Spreading: 6 System Summary: 6 Data Obfuscation: 7 Boot Survival: 7 Hooking and other Techniques for Hiding and Protection: 7 Malware Analysis System Evasion: 7 Anti Debugging: 7 HIPS / PFW / Operating System Protection Evasion: 7 Language, Device and Operating System Detection: 7 Remote Access Functionality: 7 Behavior Graph 7 Simulations 8 Behavior and APIs 8 Antivirus and Machine Learning Detection 8 Initial Sample 8 Dropped Files 8 Unpacked PE Files 8 Domains 8 URLs 9 Yara Overview 9 Initial Sample 9 PCAP (Network Traffic) 9 Dropped Files 9 Memory Dumps 9 Unpacked PEs 9 Joe Sandbox View / Context 9 IPs 9 Domains 9 ASN 9 JA3 Fingerprints 9 Dropped Files 9 Screenshots 9 Thumbnails 9 Startup 10 Created / dropped Files 10 Domains and IPs 11 Contacted Domains 11 Contacted IPs 11 Static File Info 11 General 11 File Icon 11 Static PE Info 12 General 12 Entrypoint Preview 12 Rich Headers 13 Data Directories 13 Sections 13 Resources 14 Imports 14

Copyright Joe Security LLC 2019 Page 2 of 22 Exports 15 Version Infos 18 Possible Origin 18 Network Behavior 19 Code Manipulations 19 Statistics 19 Behavior 19 System Behavior 19 Analysis Process: cmd.exe PID: 2748 Parent PID: 480 19 General 19 File Activities 20 File Created 20 Analysis Process: conhost.exe PID: 936 Parent PID: 2748 20 General 20 Analysis Process: sc.exe PID: 2400 Parent PID: 2748 20 General 20 File Activities 20 File Written 20 Analysis Process: cmd.exe PID: 4616 Parent PID: 480 20 General 20 File Activities 21 File Created 21 Analysis Process: conhost.exe PID: 1680 Parent PID: 4616 21 General 21 Analysis Process: sc.exe PID: 648 Parent PID: 4616 21 General 21 File Activities 21 File Written 21 Analysis Process: spoolsv.exe PID: 4304 Parent PID: 576 22 General 22 Disassembly 22 Code Analysis 22

Overview

General Information

Joe Sandbox Version: 26.0.0 Aquamarine Analysis ID: 160124 Start date: 05.08.2019 Start time: 10:37:44 Joe Sandbox Product: CloudBasic Overall analysis duration: 0h 2m 52s Hypervisor based Inspection enabled: false Report type: light Sample file name: spoolsv.exe Cookbook file name: default.jbs Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113 Run name: Run as Windows Service Number of analysed new started processes analysed: 12 Number of new started drivers analysed: 0 Number of existing processes analysed: 0 Number of existing drivers analysed: 0 Number of injected processes analysed: 0 Technologies: HCA enabled EGA enabled HDC enabled AMSI enabled Analysis stop reason: Timeout Detection: SUS Classification: sus27.evad.winEXE@9/2@0/0 EGA Information: Successful, ratio: 100% HDC Information: Successful, ratio: 100% (good quality ratio 69.9%) Quality average: 47.7% Quality standard deviation: 38.1% HCA Information: Failed Cookbook Comments: Adjust boot time Enable AMSI Found application associated with file extension: .exe Stop behavior analysis, all processes terminated Warnings: Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, sc.exe, dllhost.exe, conhost.exe

Detection

Strategy Score Range Reporting Whitelisted Detection

Threshold 27 0 - 100 false

Confidence

Threshold 2 0 - 5 true

Classification

Ransomware

Miner Spreading

mmaallliiiccciiioouusss

malicious

Evader Phishing

sssuusssppiiiccciiioouusss

suspicious

cccllleeaann

clean

Exploiter Banker

Spyware Trojan / Bot

Adware

Analysis Advice

Initial sample is a service handler and should be started as service

Sample is a service DLL but no service has been registered Copyright Joe Security LLC 2019 Page 5 of 22 Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior

Mitre Att&ck Matrix

Privilege Defense Credential Lateral Command and Initial Access Execution Persistence Escalation Evasion Access Discovery Movement Collection Exfiltration Control Valid Accounts Service Modify Existing Process Process Credential System Time Application Data from Local Data Standard Execution 2 Service 2 Injection 1 1 Injection 1 1 Dumping Discovery 1 Deployment System Encrypted 1 Cryptographic Software Protocol 1 Replication Execution New Service 3 New Service 3 DLL Side- Network Peripheral Remote Data from Exfiltration Over Commonly Used Through through API 1 Loading 1 Sniffing Device Services Removable Other Network Port 1 Removable Discovery 1 Media Medium Media Drive-by Windows Accessibility Path Rootkit Input Security Windows Data from Automated Custom Compromise Management Features Interception Capture Software Remote Network Shared Exfiltration Cryptographic Instrumentation Discovery 2 1 Management Drive Protocol Exploit Public- Scheduled Task System DLL Search Obfuscated Credentials System Logon Scripts Input Capture Data Encrypted Multiband Facing Firmware Order Hijacking Files or in Files Information Communication Application Information Discovery 2

Signature Overview

• Spreading • System Summary • Data Obfuscation • Boot Survival • Hooking and other Techniques for Hiding and Protection • Malware Analysis System Evasion • Anti Debugging • HIPS / PFW / Operating System Protection Evasion • Language, Device and Operating System Detection • Remote Access Functionality

Click to jump to signature section

Spreading:

Contains functionality to get notified if a device is plugged in / out

System Summary:

Contains functionality to call native functions

Creates mutexes

Detected potential crypto function

Sample file is different than original file name gathered from version info

Tries to load missing DLLs

Classification label

Contains functionality to modify services (start/stop/modify)

Contains functionality to register a service control handler (likely the sample is a service DLL)

PE file has an executable .text section and no other executable section

Reads software policies

Spawns processes

Uses an in-process (OLE) Automation server

PE file exports many functions

Contains modern PE file flags such as dynamic base (ASLR) or NX

PE file contains a debug data directory

Binary contains paths to debug symbols

Data Obfuscation:

Contains functionality to dynamically determine API calls

Boot Survival:

Contains functionality to start windows services

Uses sc.exe to modify the status of services

Hooking and other Techniques for Hiding and Protection:

Extensive use of GetProcAddress (often used to hide API calls)

Disables application error messsages (SetErrorMode)

Malware Analysis System Evasion:

Found evasive API chain checking for process token information

Found large amount of non-executed APIs

Sample execution stops while process was sleeping (likely an evasion)

May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains functionality to register its own exception handler

HIPS / PFW / Operating System Protection Evasion:

Contains functionality to prevent local Windows debugging

Creates a process in suspended mode (likely to inject code)

Contains functionality to create a new security descriptor

Language, Device and Operating System Detection:

Contains functionality to query local / system time

Contains functionality to query windows version

Remote Access Functionality:

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Behavior Graph

ID: 160124 DNS/IP Info

Sample: spoolsv.exe Is Dropped Startdate: 05/08/2019 Is Windows Process Architecture: WINDOWS Number of created Registry Values Score: 27 Number of created Files

started started started Visual Basic Delphi

spoolsv.exe cmd.exe cmd.exe Java

.Net C# or VB.NET

2 2 C, C++ or other language Is malicious

Internet

Contains functionality to prevent local Windows started started started started debugging

conhost.exe sc.exe conhost.exe sc.exe

1 1

Simulations

Behavior and APIs

Time Type Description 10:38:55 API Interceptor 1x Sleep call for process: cmd.exe modified

Antivirus and Machine Learning Detection

Initial Sample

Source Detection Scanner Label Link spoolsv.exe 0% virustotal Browse spoolsv.exe 0% metadefender Browse

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Screenshots

Thumbnails This section contains all screenshots as thumbnails, including those not shown in the slideshow.

System is w10x64 cmd.exe (PID: 2748 cmdline: cmd /c sc create JaUye binpath= 'C:\Users\user\Desktop\spoolsv.exe' >> C:\servicereg.log 2>&1 MD5: F3BDBE3BB6F734E357235F4D5898582D) conhost.exe (PID: 936 cmdline: C:\Windows\system32\conhost.exe 0x4 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496) sc.exe (PID: 2400 cmdline: sc create JaUye binpath= 'C:\Users\user\Desktop\spoolsv.exe' MD5: 24A3E2603E63BCB9695A2935D3B24695) cmd.exe (PID: 4616 cmdline: cmd /c sc start JaUye >> C:\servicestart.log 2>&1 MD5: F3BDBE3BB6F734E357235F4D5898582D) conhost.exe (PID: 1680 cmdline: C:\Windows\system32\conhost.exe 0x4 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496) sc.exe (PID: 648 cmdline: sc start JaUye MD5: 24A3E2603E63BCB9695A2935D3B24695) spoolsv.exe (PID: 4304 cmdline: C:\Users\user\Desktop\spoolsv.exe MD5: 8003D39B386EDCCFB08DC21AACC0683A) cleanup

Created / dropped Files

C:\servicereg.log Process: C:\Windows\SysWOW64\sc.exe File Type: ASCII text, with CRLF line terminators Size (bytes): 28 Entropy (8bit): 3.678439190827718 Encrypted: false MD5: A8F4D690C5BDE96AD275C7D4ABE0E3D3 SHA1: 7C62C96EFD2CA4F3C3EBF0B24C9B5B4C04A4570A SHA-256: 596CCC911C1772735AAC6A6B756A76D3D55BCECD006B980CF147090B2243FA7B SHA-512: A875EBE3C5CDF222FF9D08576F4D996AF827A1C86B3E758CE23F6B33530D512A82CE8E39E519837512080C6212A0A19B3385809BE5F5001C4E488DD79550B852

Copyright Joe Security LLC 2019 Page 10 of 22 C:\servicereg.log Malicious: false Reputation: moderate, very likely benign file Preview: [SC] CreateService SUCCESS..

C:\servicestart.log Process: C:\Windows\SysWOW64\sc.exe File Type: ASCII text, with CRLF line terminators Size (bytes): 421 Entropy (8bit): 3.526796176735815 Encrypted: false MD5: 71E0004AB804EF5ADBBE480FC841EA40 SHA1: 98748C3BDCC78612B4C660CD85C902D5AC09D09E SHA-256: FB96FB2E698D07102040B72D27AD9D10A5A485FF7116C77CB372C6173E11B764 SHA-512: 699AB16D33B8E599358F31DD3E7A9407ED256937A1E5F8855F47D318943766F29DADC10AB73E8F297CD5F6787AD8894297E5D8514EE65E715F52A14D8213166D Malicious: false Reputation: low Preview: ..SERVICE_NAME: JaUye .. TYPE : 10 WIN32_OWN_PROCESS .. STATE : 2 START_PENDING .. (NOT_STOPPAB LE, NOT_PAUSABLE, IGNORES_SHUTDOWN).. WIN32_EXIT_CODE : 0 (0x0).. SERVICE_EXIT_CODE : 0 (0x0).. CHECKPOINT : 0x0.. WAIT_HINT : 0x7d0.. PID : 4304.. FLAGS : ..

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

Static File Info

General File type: PE32+ executable (GUI) x86-64, for MS Windows Entropy (8bit): 5.661735449199465 TrID: Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00% File name: spoolsv.exe File size: 559616 MD5: 8003d39b386edccfb08dc21aacc0683a SHA1: a0bb962a6814194033ddd4547cf936b8882c9124 SHA256: 99d6a4dbe810335a69ae3053dc4b6aac267639ad7f9c56 8431fa0714f6e71f30 SHA512: c85e7984e1c3f1c1d0f9db967b0f0ebed0063b76c43a572 22220b2478c2e065a631be16206eda952baa062f3cb9c7 6f60511146a901195cbb3599f29e4677ad3 SSDEEP: 12288:FUKtBou60xz/JPoQWN4f+GncyUPVn0+K3QV:F UKtKu7z/JPf20B/g5hKAV File Content Preview: MZ...... @...... !..L.!Th is program cannot be run in DOS mode....$...... zL#.>-M. >-M.>-M.7U..?-M.7U..+-M.>-L..,M.7U..!-M.7U..U-M.7U.. ?-M.7U..(-M.7U..?-M.7U..?-M.Rich>-M...... P E..d..

File Icon

Static PE Info

General Entrypoint: 0x10000f0a8 Entrypoint Section: .text Digitally signed: false Imagebase: 0x100000000 Subsystem: windows gui Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE DLL Characteristics: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT Time Stamp: 0x5A499712 [Mon Jan 1 02:04:02 2018 UTC] TLS Callbacks: CLR (.Net) Version: OS Version Major: 6 OS Version Minor: 1 File Version Major: 6 File Version Minor: 1 Subsystem Version Major: 6 Subsystem Version Minor: 1 Import Hash: da4e8b919c79b0006b49d884c759a957

Entrypoint Preview

Instruction dec eax sub esp, 28h call 00007F07A0BA1C84h dec eax add esp, 28h jmp 00007F07A0BA272Bh nop nop nop nop nop nop nop nop nop dec eax mov dword ptr [esp+08h], esi dec eax mov dword ptr [esp+10h], edi dec esp mov dword ptr [esp+18h], esp inc ecx push ebp dec eax sub esp, 30h dec eax mov eax, dword ptr [00000030h] dec eax mov edi, dword ptr [eax+08h] inc ebp xor esp, esp xor eax, eax dec eax cmpxchg dword ptr [000710A0h], edi jne 00007F07A0BA27ECh mov edi, 00000001h mov eax, dword ptr [0007110Bh] cmp eax, edi je 00007F07A0BA27FBh mov eax, dword ptr [000710FDh] Copyright Joe Security LLC 2019 Page 12 of 22 Instruction

test eax, eax jne 00007F07A0BA2803h mov dword ptr [000710EFh], edi dec esp lea ebp, dword ptr [000672E4h] dec eax lea esi, dword ptr [000672C5h] dec eax mov dword ptr [esp+28h], esi mov dword ptr [esp+20h], eax dec ecx cmp esi, ebp jnc 00007F07A0BA273Fh test eax, eax jne 00007F07A0BA273Bh dec eax mov ecx, dword ptr [esi] dec eax test ecx, ecx je 00007F07A0BA2728h call ecx mov dword ptr [esp+20h], eax dec eax add esi, 08h dec eax mov dword ptr [esp+28h], esi jmp 00007F07A0BA2700h test eax, eax jne 00007F07A0BA27B5h mov eax, dword ptr [000710A8h] cmp eax, edi jne 00007F07A0BA273Fh dec eax lea edx, dword ptr [00067279h]

Rich Headers

Programming Language: [ASM] VS2008 SP1 build 30729 [ C ] VS2008 SP1 build 30729 [LNK] VS2008 SP1 build 30729 [C++] VS2008 SP1 build 30729 [EXP] VS2008 SP1 build 30729 [IMP] VS2008 SP1 build 30729

Data Directories

Name Virtual Address Virtual Size Is in Section IMAGE_DIRECTORY_ENTRY_EXPORT 0x4d7d8 0x1ce8 .rdata IMAGE_DIRECTORY_ENTRY_IMPORT 0x7b164 0xdc .rdata IMAGE_DIRECTORY_ENTRY_RESOURCE 0x89000 0x810 .rsrc IMAGE_DIRECTORY_ENTRY_EXCEPTION 0x83000 0x588c .pdata IMAGE_DIRECTORY_ENTRY_SECURITY 0x0 0x0 IMAGE_DIRECTORY_ENTRY_BASERELOC 0x8a000 0x2c3c .reloc IMAGE_DIRECTORY_ENTRY_DEBUG 0x4c2ac 0x38 .text IMAGE_DIRECTORY_ENTRY_COPYRIGHT 0x0 0x0 IMAGE_DIRECTORY_ENTRY_GLOBALPTR 0x0 0x0 IMAGE_DIRECTORY_ENTRY_TLS 0x0 0x0 IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG 0x0 0x0 IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT 0x0 0x0 IMAGE_DIRECTORY_ENTRY_IAT 0x4d000 0x7d8 .rdata IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT 0x7ab40 0x180 .rdata IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR 0x0 0x0 IMAGE_DIRECTORY_ENTRY_RESERVED 0x0 0x0

Sections

Copyright Joe Security LLC 2019 Page 13 of 22 Name Virtual Address Virtual Size Raw Size Xored PE ZLIB Complexity File Type Entropy Characteristics .text 0x1000 0x4b30c 0x4b400 False 0.464707485465 data 6.28737356434 IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ .rdata 0x4d000 0x32078 0x32200 False 0.214697630923 data 3.62428193712 IMAGE_SCN_CNT_INITIALIZED_DA TA, IMAGE_SCN_MEM_READ .data 0x80000 0x2030 0x1e00 False 0.08984375 data 1.08904638542 IMAGE_SCN_CNT_INITIALIZED_DA TA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ .pdata 0x83000 0x588c 0x5a00 False 0.435763888889 data 5.60991813831 IMAGE_SCN_CNT_INITIALIZED_DA TA, IMAGE_SCN_MEM_READ .rsrc 0x89000 0x810 0xa00 False 0.38828125 data 3.80127483417 IMAGE_SCN_CNT_INITIALIZED_DA TA, IMAGE_SCN_MEM_READ .reloc 0x8a000 0x2c3c 0x2e00 False 0.369055706522 data 5.39493863309 IMAGE_SCN_CNT_INITIALIZED_DA TA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name RVA Size Type Language Country MUI 0x89748 0xc8 data English United States RT_VERSION 0x893b0 0x398 data English United States RT_MANIFEST 0x890f0 0x2ba XML 1.0 document, ASCII text, with CRLF line English United States terminators

Imports

DLL Import msvcrt.dll wcsncmp, _lock, __dllonexit, _unlock, ?terminate@@YAXXZ, __set_app_type, _fmode, _commode, __setusermatherr, _amsg_exit, _initterm, exit, _cexit, _exit, _strnicmp, __getmainargs, _purecall, ??3@YAXPEAX@Z, _stricmp, __C_specific_handler, memcpy, _wcsicmp, ??2@YAPEAX_K@Z, memmove, _wcsnicmp, wcsstr, wcschr, towupper, _vsnwprintf, towlower, _onexit, __CxxFrameHandler3, _XcptFilter, memset ntdll.dll RtlIpv4AddressToStringW, NtClose, NtOpenThreadToken, NtSetInformationThread, NtOpenProcessToken, RtlReportException, EtwEventEnabled, TpAllocTimer, TpReleaseIoCompletion, TpAllocIoCompletion, TpAllocWork, TpReleaseTimer, TpSetPoolMinThreads, TpSetWait, TpSetPoolMaxThreads, TpWaitForIoCompletion, TpSimpleTryPost, TpReleaseAlpcCompletion, TpReleaseWork, TpCallbackMayRunLong, RtlNtStatusToDosError, TpReleaseWait, TpWaitForTimer, TpPostWork, TpSetTimer, TpWaitForAlpcCompletion, TpReleasePool, TpWaitForWait, TpStartAsyncIoOperation, TpAllocPool, TpAllocWait, TpWaitForWork, TpAllocAlpcCompletion, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, RtlValidRelativeSecurityDescriptor, EtwEventWrite, EtwUnregisterTraceGuids, EtwRegisterTraceGuidsW, EtwGetTraceLoggerHandle, EtwGetTraceEnableLevel, EtwGetTraceEnableFlags, EtwTraceMessage, WinSqmIsOptedIn, WinSqmAddToStreamEx, WinSqmSetDWORD, WinSqmIncrementDWORD, EtwEventUnregister, EtwEventRegister, RtlIpv6AddressToStringW API-MS-Win-Core-LocalRegistry-L1-1-0.dll RegEnumKeyExW, RegDeleteKeyExW, RegOpenCurrentUser, RegOpenKeyExW, RegSetValueExW, RegSetKeySecurity, RegGetKeySecurity, RegGetValueW, RegQueryInfoKeyW, RegCreateKeyExW, RegDeleteValueW, RegQueryValueExW, RegEnumValueW, RegCloseKey API-MS-WIN-Service-Core-L1-1-0.dll RegisterServiceCtrlHandlerExW, StartServiceCtrlDispatcherW, SetServiceStatus ADVAPI32.dll RevertToSelf, ImpersonateLoggedOnUser, DuplicateToken, DuplicateTokenEx, SetThreadToken, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, OpenThreadToken, OpenProcessToken, RegDisablePredefinedCache, CopySid, GetLengthSid RPCRT4.dll RpcBindingFree, RpcSmDestroyClientContext, I_RpcBindingInqTransportType, Ndr64AsyncClientCall, NdrClientCall3, RpcBindingFromStringBindingW, I_RpcExceptionFilter, RpcServerUnsubscribeForNotification, RpcServerSubscribeForNotification, RpcAsyncAbortCall, RpcSsContextLockExclusive, RpcStringBindingComposeW, RpcServerTestCancel, RpcStringFreeW, RpcStringBindingParseW, RpcBindingToStringBindingW, RpcBindingVectorFree, RpcEpRegisterW, RpcServerInqBindings, RpcRevertToSelfEx, RpcAsyncCompleteCall, RpcImpersonateClient, RpcRevertToSelf, RpcServerInqBindingHandle, I_RpcBindingIsClientLocal, I_RpcSessionStrictContextHandle, RpcRaiseException, Ndr64AsyncServerCallAll, NdrServerCallAll, NdrAsyncServerCall, NdrServerCall2, RpcMgmtSetServerStackSize, RpcServerInqDefaultPrincNameW, RpcServerRegisterAuthInfoW, RpcServerListen, RpcServerUseProtseqEpA, RpcServerUseProtseqW, RpcObjectSetType, RpcServerRegisterIf2, RpcServerRegisterIf

Copyright Joe Security LLC 2019 Page 14 of 22 DLL Import KERNEL32.dll CompareStringW, GetSystemTime, InitializeSRWLock, ReleaseSRWLockShared, AcquireSRWLockShared, AcquireSRWLockExclusive, QueueUserWorkItem, OutputDebugStringW, ReleaseSRWLockExclusive, MoveFileExW, DeleteFileW, lstrcmpiW, GetComputerNameW, WideCharToMultiByte, lstrlenW, LoadLibraryW, GetCurrentThread, LoadLibraryExW, SetErrorMode, SetPriorityClass, HeapDestroy, TlsFree, DisableThreadLibraryCalls, HeapCreate, SetConsoleCtrlHandler, ExitThread, GetLastError, CloseHandle, WaitForSingleObject, GetModuleHandleW, CreateEventW, CreateThread, GetTickCount, ExitProcess, OpenEventW, Sleep, HeapSetInformation, GetProcessHeap, InitializeCriticalSectionAndSpinCount, TlsAlloc, GetVersionExW, LeaveCriticalSection, EnterCriticalSection, SetEvent, SetLastError, TlsSetValue, TlsGetValue, OpenProcess, RaiseException, FreeLibrary, GetProcAddress, LoadLibraryExA, SetUnhandledExceptionFilter, QueryPerformanceCounter, GetCurrentThreadId, GetCurrentProcessId, GetSystemTimeAsFileTime, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetThreadpoolTimer, ResetEvent, HeapAlloc, HeapFree, DeleteCriticalSection, LocalFree, DebugBreak, IsDebuggerPresent, AddVectoredExceptionHandler, InitializeCriticalSection, DuplicateHandle, ReadFile, CreateFileW, GetTempFileNameW USER32.dll RegisterDeviceNotificationW, UnregisterDeviceNotification, PeekMessageW, DispatchMessageW, MsgWaitForMultipleObjects, SendNotifyMessageW, TranslateMessage POWRPROF.dll GetPwrCapabilities, PowerDeterminePlatformRole DNSAPI.dll DnsQuery_W, DnsFree

Exports

Name Ordinal Address GetSpoolerTlsIndexes 32 0x10000ad50 PrvAbortPrinter 33 0x10003c870 PrvAddFormW 34 0x100039104 PrvAddJobW 35 0x100040040 PrvAddMonitorW 36 0x10003dc64 PrvAddPerMachineConnectionW 37 0x10003fbec PrvAddPortExW 38 0x10003d918 PrvAddPortW 39 0x10003d9a4 PrvAddPrintProcessorW 40 0x100038d2c PrvAddPrintProvidorW 41 0x10003a178 PrvAddPrinterConnectionW 42 0x100011774 PrvAddPrinterDriverExW 43 0x100038834 PrvAddPrinterDriverW 44 0x1000387b8 PrvAddPrinterExW 45 0x10003b328 PrvAddPrinterW 46 0x10003b740 PrvAdjustPointers 47 0x100033c40 PrvAdjustPointersInStructuresArray 48 0x100033cb4 PrvAlignKMPtr 49 0x10003478c PrvAlignRpcPtr 50 0x100001d24 PrvAllocSplStr 51 0x100001940 PrvAllowRemoteCalls 52 0x1000404ec PrvAppendPrinterNotifyInfoData 53 0x100011c48 PrvBuildOtherNamesFromMachineName 54 0x10000a290 PrvCacheAddName 55 0x100001568 PrvCacheCreateAndAddNode 56 0x10000af2c PrvCacheCreateAndAddNodeWithIPAddresses 57 0x100040910 PrvCacheDeleteNode 58 0x10004093c PrvCacheIsNameCluster 59 0x100040970 PrvCacheIsNameInNodeList 60 0x100040954 PrvCallDrvDevModeConversion 61 0x100035478 PrvCallRouterFindFirstPrinterChangeNotification 62 0x1000379bc PrvCheckLocalCall 63 0x1000015c0 PrvClosePrinter 64 0x1000018b0 PrvClusterSplClose 65 0x10003ddf0 PrvClusterSplIsAlive 66 0x10003dea8 PrvClusterSplOpen 67 0x10003dee4 PrvConfigurePortW 68 0x10003da8c PrvCreatePrinterIC 69 0x10003c960 PrvDeleteFormW 70 0x100039140 PrvDeleteMonitorW 71 0x10003dce0 PrvDeletePerMachineConnectionW 72 0x10003fca0 PrvDeletePortW 73 0x10003db78 PrvDeletePrintProcessorW 74 0x100039218 PrvDeletePrintProvidorW 75 0x10003953c

Copyright Joe Security LLC 2019 Page 15 of 22 Name Ordinal Address PrvDeletePrinter 76 0x10003aec4 PrvDeletePrinterConnectionW 77 0x10003f710 PrvDeletePrinterDataExW 78 0x10003b0e8 PrvDeletePrinterDataW 79 0x10003b0ac PrvDeletePrinterDriverExW 80 0x100038c5c PrvDeletePrinterDriverW 81 0x100038ba0 PrvDeletePrinterIC 82 0x10003ca68 PrvDeletePrinterKeyW 83 0x10003b124 PrvDllAllocSplMem 84 0x1000011c0 PrvDllAllocSplStr 85 0x100001950 PrvDllFreeSplMem 86 0x1000011a0 PrvDllFreeSplStr 87 0x10000172c PrvDllReallocSplMem 88 0x10000b1e0 PrvDllReallocSplStr 89 0x10003480c PrvEndDocPrinter 90 0x10003c924 PrvEndPagePrinter 91 0x10003c834 PrvEnumFormsW 92 0x1000112bc PrvEnumJobsW 93 0x10003fe0c PrvEnumMonitorsW 94 0x10003d6b4 PrvEnumPerMachineConnectionsW 95 0x100008284 PrvEnumPortsW 96 0x10003d3e0 PrvEnumPrintProcessorDatatypesW 97 0x100039034 PrvEnumPrintProcessorsW 98 0x100038e00 PrvEnumPrinterDataExW 99 0x10003b018 PrvEnumPrinterDataW 100 0x10003afa0 PrvEnumPrinterDriversW 101 0x10000b554 PrvEnumPrinterKeyW 102 0x10003b068 PrvEnumPrintersW 103 0x100002a9c PrvFindClosePrinterChangeNotification 104 0x100012660 PrvFlushPrinter 105 0x10003c7e8 PrvFormatPrinterForRegistryKey 106 0x100011b70 PrvFormatRegistryKeyForPrinter 107 0x10003b99c PrvFreeOtherNames 108 0x100034c00 PrvGetFormW 109 0x10003917c PrvGetJobAttributes 110 0x10003a4f8 PrvGetJobAttributesEx 111 0x10003a294 PrvGetJobW 112 0x10003fdb0 PrvGetNetworkId 113 0x100040cd4 PrvGetPrintProcessorDirectoryW 114 0x100038f24 PrvGetPrinterDataExW 115 0x10003af44 PrvGetPrinterDataW 116 0x100004650 PrvGetPrinterDriverDirectoryW 117 0x100038a9c PrvGetPrinterDriverExW 118 0x100010720 PrvGetPrinterDriverW 119 0x100039880 PrvGetPrinterW 120 0x100010cbc PrvGetServerPolicy 121 0x10000cf78 PrvGetShrinkedSize 122 0x100001ef0 PrvGetSpoolerTlsIndexes 123 0x10000ad50 PrvImpersonatePrinterClient 124 0x100004418 PrvInitializeRouter 125 0x100009fe4 PrvIsNameTheLocalMachineOrAClusterSpooler 126 0x100011740 PrvIsNamedPipeRpcCall 127 0x100034bb4 PrvMIDL_user_allocate 128 0x1000023fc PrvMIDL_user_allocate1 129 0x1000023fc PrvMIDL_user_free 130 0x100002408 PrvMIDL_user_free1 131 0x100002408 PrvMarshallDownStructure 132 0x1000106b0 PrvMarshallDownStructuresArray 133 0x100002014 PrvMarshallUpStructure 134 0x1000339f8 PrvMarshallUpStructuresArray 135 0x100033d28 PrvOldGetPrinterDriverW 136 0x1000397e4 PrvOpenPrinter2W 137 0x100003c20 PrvOpenPrinterExW 1 0x1000025e0 PrvOpenPrinterPort2W 138 0x10003b9e8

Copyright Joe Security LLC 2019 Page 16 of 22 Name Ordinal Address PrvOpenPrinterW 139 0x10003ba64 PrvPackStrings 2 0x1000014a0 PrvPartialReplyPrinterChangeNotification 140 0x100038570 PrvPlayGdiScriptOnPrinterIC 141 0x10003ca1c PrvPrinterHandleRundown 142 0x1000135e0 PrvPrinterMessageBoxW 143 0x10003cab8 PrvProvidorFindClosePrinterChangeNotification 144 0x100036ab0 PrvProvidorFindFirstPrinterChangeNotification 145 0x1000369f8 PrvReadPrinter 146 0x10003c8ac PrvReallocSplMem 147 0x10000b1d0 PrvReallocSplStr 148 0x10003485c PrvRemoteFindFirstPrinterChangeNotification 149 0x100036e0c PrvReplyClosePrinter 150 0x10003780c PrvReplyOpenPrinter 151 0x1000376d8 PrvReplyPrinterChangeNotification 152 0x1000383c8 PrvReplyPrinterChangeNotificationEx 153 0x1000383f4 PrvReportJobProcessingProgress 154 0x10003fd38 PrvResetPrinterW 155 0x100013778 PrvRevertToPrinterSelf 156 0x1000043b0 PrvRouterAddPrinterConnection2 157 0x10003fa48 PrvRouterAllocBidiMem 158 0x1000023fc PrvRouterAllocBidiResponseContainer 159 0x100034de0 PrvRouterAllocPrinterNotifyInfo 160 0x100012580 PrvRouterBroadcastMessage 161 0x100008e04 PrvRouterCorePrinterDriverInstalled 3 0x100039b2c PrvRouterCreatePrintAsyncNotificationChannel 4 0x10004021c PrvRouterDeletePrinterDriverPackage 5 0x100039cf0 PrvRouterFindCompatibleDriver 162 0x100039d7c PrvRouterFindFirstPrinterChangeNotification 163 0x100011ea4 PrvRouterFindNextPrinterChangeNotification 164 0x1000121fc PrvRouterFreeBidiMem 165 0x100002408 PrvRouterFreeBidiResponseContainer 166 0x100034e14 PrvRouterFreePrinterNotifyInfo 167 0x1000382b4 PrvRouterGetCorePrinterDrivers 6 0x100039a7c PrvRouterGetPrintClassObject 7 0x10000c1f0 PrvRouterGetPrinterDriverPackagePath 8 0x100039c00 PrvRouterInstallPrinterDriverFromPackage 9 0x100039934 PrvRouterInternalGetPrinterDriver 168 0x1000389cc PrvRouterRefreshPrinterChangeNotification 169 0x10001230c PrvRouterRegisterForPrintAsyncNotifications 10 0x10000c0fc PrvRouterReplyPrinter 170 0x10003743c PrvRouterSpoolerSetPolicy 171 0x10003ad18 PrvRouterUnregisterForPrintAsyncNotifications 11 0x100040370 PrvRouterUploadPrinterDriverPackage 12 0x1000399d0 PrvScheduleJob 172 0x1000401e0 PrvSeekPrinter 173 0x10003c794 PrvSendRecvBidiData 174 0x10003cb00 PrvSetFormW 175 0x1000391dc PrvSetJobW 176 0x10003fd70 PrvSetPortW 177 0x10003dd5c PrvSetPrinterDataExW 178 0x10003b1a4 PrvSetPrinterDataW 179 0x10003b160 PrvSetPrinterW 180 0x10003b75c PrvSplCloseSpoolFileHandle 181 0x10003c430 PrvSplCommitSpoolData 182 0x10003c244 PrvSplDriverUnloadComplete 183 0x10003b2ec PrvSplGetClientUserHandle 184 0x1000019d4 PrvSplGetSpoolFileInfo 185 0x10003c4ec PrvSplGetUserSidStringFromToken 186 0x1000085c0 PrvSplInitializeWinSpoolDrv 187 0x10000cd40 PrvSplIsSessionZero 188 0x10003cbd8 PrvSplIsUpgrade 189 0x1000044e8 PrvSplPowerEvent 190 0x1000130c0 PrvSplProcessPnPEvent 191 0x100036250

Copyright Joe Security LLC 2019 Page 17 of 22 Name Ordinal Address PrvSplProcessSessionEvent 192 0x100001310 PrvSplPromptUIInUsersSession 193 0x10003cb38 PrvSplQueryUserInfo 194 0x100008700 PrvSplReadPrinter 195 0x10003c8e8 PrvSplRegisterForDeviceEvents 196 0x10003608c PrvSplRegisterForSessionEvents 197 0x10000bf28 PrvSplShutDownRouter 198 0x1000345c4 PrvSplUnregisterForDeviceEvents 199 0x100036000 PrvSplUnregisterForSessionEvents 200 0x100036534 PrvSpoolerFindClosePrinterChangeNotification 201 0x100037020 PrvSpoolerFindFirstPrinterChangeNotification 202 0x100036f70 PrvSpoolerFindNextPrinterChangeNotification 203 0x100036ddc PrvSpoolerFreePrinterNotifyInfo 204 0x100036ad4 PrvSpoolerHasInitialized 205 0x100034650 PrvSpoolerInit 206 0x100005944 PrvSpoolerRefreshPrinterChangeNotification 207 0x100036ac8 PrvStartDocPrinterW 208 0x10003d180 PrvStartPagePrinter 209 0x10003bb74 PrvUndoAlignKMPtr 210 0x1000347e4 PrvUndoAlignRpcPtr 211 0x100001d48 PrvUpdateBufferSize 212 0x100033d6c PrvUpdatePrinterRegAll 213 0x100040800 PrvUpdatePrinterRegUser 214 0x100040554 PrvWaitForPrinterChange 215 0x10003b1f0 PrvWaitForSpoolerInitialization 216 0x100001174 PrvWritePrinter 217 0x10003c754 PrvXcvDataW 218 0x1000398cc PrvbGetDevModePerUser 219 0x100002300 PrvbSetDevModePerUser 220 0x1000412a0 ServerGetPrintClassObject 13 0x100025454 YAbortPrinter 14 0x10002392c YAddJob 15 0x100023b9c YDriverUnloadComplete 16 0x100020630 YEndDocPrinter 17 0x100023b14 YEndPagePrinter 18 0x1000238a4 YFlushPrinter 19 0x1000237ec YGetPrinter 20 0x100010ee0 YGetPrinterDriver2 21 0x1000108e4 YGetPrinterDriverDirectory 22 0x100022b38 YReadPrinter 23 0x1000239b4 YSeekPrinter 24 0x100023738 YSetJob 25 0x100021770 YSetPort 26 0x1000206d8 YSetPrinter 27 0x100022040 YSplReadPrinter 28 0x100023a68 YStartDocPrinter 29 0x100023490 YStartPagePrinter 30 0x100023600 YWritePrinter 31 0x100023688

Version Infos

Description Data LegalCopyright Microsoft Corporation. All rights reserved. InternalName spoolsv.exe FileVersion 6.1.7601.24000 (win7sp1_ldr.171231-1547) CompanyName Microsoft Corporation ProductName Microsoft Windows Operating System ProductVersion 6.1.7601.24000 FileDescription Spooler SubSystem App OriginalFilename spoolsv.exe Translation 0x0409 0x04b0

Possible Origin

English United States

Network Behavior

No network behavior found

Code Manipulations

Statistics

Behavior

• cmd.exe • conhost.exe • sc.exe • cmd.exe • conhost.exe • sc.exe • spoolsv.exe

Click to jump to process

System Behavior

Analysis Process: cmd.exe PID: 2748 Parent PID: 480

General

Start time: 10:38:51 Start date: 05/08/2019 Path: C:\Windows\SysWOW64\cmd.exe Wow64 process (32bit): true Commandline: cmd /c sc create JaUye binpath= 'C:\Users\user\Desktop\spoolsv.exe' >> C:\servicereg.log 2 >&1 Imagebase: 0x980000 File size: 232960 bytes MD5 hash: F3BDBE3BB6F734E357235F4D5898582D Has administrator privileges: true Programmed in: C, C++ or other language Reputation: high

File Created

Source File Path Access Attributes Options Completion Count Address Symbol C:\servicereg.log read attributes | normal synchronous io success or wait 1 98D194 CreateFileW synchronize | non alert | non generic write directory file

Analysis Process: conhost.exe PID: 936 Parent PID: 2748

General

Start time: 10:38:51 Start date: 05/08/2019 Path: C:\Windows\System32\conhost.exe Wow64 process (32bit): false Commandline: C:\Windows\system32\conhost.exe 0x4 Imagebase: 0x7ff6f5a70000 File size: 625664 bytes MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496 Has administrator privileges: true Programmed in: C, C++ or other language Reputation: high

Analysis Process: sc.exe PID: 2400 Parent PID: 2748

General

Start time: 10:38:52 Start date: 05/08/2019 Path: C:\Windows\SysWOW64\sc.exe Wow64 process (32bit): true Commandline: sc create JaUye binpath= 'C:\Users\user\Desktop\spoolsv.exe' Imagebase: 0x70000 File size: 60928 bytes MD5 hash: 24A3E2603E63BCB9695A2935D3B24695 Has administrator privileges: true Programmed in: C, C++ or other language Reputation: moderate

File Activities

Source File Path Access Attributes Options Completion Count Address Symbol

File Written

Source File Path Offset Length Value Ascii Completion Count Address Symbol C:\servicereg.log unknown 28 5b 53 43 5d 20 43 72 [SC] CreateService success or wait 1 7B97A WriteFile 65 61 74 65 53 65 72 SUCCESS.. 76 69 63 65 20 53 55 43 43 45 53 53 0d 0a

Analysis Process: cmd.exe PID: 4616 Parent PID: 480

General

Copyright Joe Security LLC 2019 Page 20 of 22 Start time: 10:38:54 Start date: 05/08/2019 Path: C:\Windows\SysWOW64\cmd.exe Wow64 process (32bit): true Commandline: cmd /c sc start JaUye >> C:\servicestart.log 2>&1 Imagebase: 0x980000 File size: 232960 bytes MD5 hash: F3BDBE3BB6F734E357235F4D5898582D Has administrator privileges: true Programmed in: C, C++ or other language Reputation: high

File Activities

File Created

Source File Path Access Attributes Options Completion Count Address Symbol C:\servicestart.log read attributes | normal synchronous io success or wait 1 98D194 CreateFileW synchronize | non alert | non generic write directory file

Analysis Process: conhost.exe PID: 1680 Parent PID: 4616

General

Start time: 10:38:54 Start date: 05/08/2019 Path: C:\Windows\System32\conhost.exe Wow64 process (32bit): false Commandline: C:\Windows\system32\conhost.exe 0x4 Imagebase: 0x7ff6f5a70000 File size: 625664 bytes MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496 Has administrator privileges: true Programmed in: C, C++ or other language Reputation: high

Analysis Process: sc.exe PID: 648 Parent PID: 4616

General

Start time: 10:38:54 Start date: 05/08/2019 Path: C:\Windows\SysWOW64\sc.exe Wow64 process (32bit): true Commandline: sc start JaUye Imagebase: 0x70000 File size: 60928 bytes MD5 hash: 24A3E2603E63BCB9695A2935D3B24695 Has administrator privileges: true Programmed in: C, C++ or other language Reputation: moderate

File Activities

Source File Path Access Attributes Options Completion Count Address Symbol

File Written

Copyright Joe Security LLC 2019 Page 21 of 22 Source File Path Offset Length Value Ascii Completion Count Address Symbol C:\servicestart.log unknown 421 0d 0a 53 45 52 56 49 ..SERVICE_NAME: JaUye success or wait 1 75C54 WriteFile 43 45 5f 4e 41 4d 45 .. TYPE : 10 3a 20 4a 61 55 79 65 WIN32_OWN_PROCESS 20 0d 0a 20 20 20 20 .. STATE : 2 20 20 20 20 54 59 50 START_PENDING .. 45 20 20 20 20 20 20 (NOT_STOPPABLE, 20 20 20 20 20 20 20 NOT_PAUSABLE, 20 20 3a 20 31 30 20 IGNORES_SHUTDOWN).. 20 57 49 4e 33 32 5f 4f WIN32_EXIT_CODE 57 4e 5f 50 52 4f 43 45 : 0 (0x0).. S 53 53 20 20 0d 0a 20 20 20 20 20 20 20 20 53 54 41 54 45 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3a 20 32 20 20 53 54 41 52 54 5f 50 45 4e 44 49 4e 47 20 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 28 4e 4f 54 5f 53 54 4f 50 50 41 42 4c 45 2c 20 4e 4f 54 5f 50 41 55 53 41 42 4c 45 2c 20 49 47 4e 4f 52 45 53 5f 53 48 55 54 44 4f 57 4e 29 0d 0a 20 20 20 20 20 20 20 20 57 49 4e 33 32 5f 45 58 49 54 5f 43 4f 44 45 20 20 20 20 3a 20 30 20 20 28 30 78 30 29 0d 0a 20 20 20 20 20 20 20 20 53

Analysis Process: spoolsv.exe PID: 4304 Parent PID: 576

General

Start time: 10:38:55 Start date: 05/08/2019 Path: C:\Users\user\Desktop\spoolsv.exe Wow64 process (32bit): false Commandline: C:\Users\user\Desktop\spoolsv.exe Imagebase: 0x7ff6d35b0000 File size: 559616 bytes MD5 hash: 8003D39B386EDCCFB08DC21AACC0683A Has administrator privileges: true Programmed in: C, C++ or other language Reputation: low

Disassembly

Code Analysis