Technical Information
- Autorun persistence (per-user Run key, starts at user logon): [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] 'electron.app.JDex' = '%LOCALAPPDATA%\AutoUtilEasyCoreify\JDex.exe'
- jdex.exe
- %TEMP%\is-4nnwgpyylj.tmp\<File name>.tmp
- %TEMP%\is-1686teh7aw.tmp\_isetup\_setup64.tmp
- %TEMP%\is-1686teh7aw.tmp\chrome_100_percent.pak
- %LOCALAPPDATA%\autoutileasycoreify\chrome_100_percent.pak
- %TEMP%\is-1686teh7aw.tmp\chrome_200_percent.pak
- %LOCALAPPDATA%\autoutileasycoreify\chrome_200_percent.pak
- %TEMP%\is-1686teh7aw.tmp\d3dcompiler_47.dll
- %LOCALAPPDATA%\autoutileasycoreify\d3dcompiler_47.dll
- %TEMP%\is-1686teh7aw.tmp\ffmpeg.dll
- %LOCALAPPDATA%\autoutileasycoreify\ffmpeg.dll
- %TEMP%\is-1686teh7aw.tmp\icudtl.dat
- %LOCALAPPDATA%\autoutileasycoreify\icudtl.dat
- %TEMP%\is-1686teh7aw.tmp\jdex.exe
- %LOCALAPPDATA%\autoutileasycoreify\jdex.exe
- %TEMP%\is-1686teh7aw.tmp\libegl.dll
- %LOCALAPPDATA%\autoutileasycoreify\libegl.dll
- %TEMP%\is-1686teh7aw.tmp\libglesv2.dll
- %LOCALAPPDATA%\autoutileasycoreify\libglesv2.dll
- %TEMP%\is-1686teh7aw.tmp\license.electron.txt
- %LOCALAPPDATA%\autoutileasycoreify\license.electron.txt
- %TEMP%\is-1686teh7aw.tmp\licenses.chromium.html
- %LOCALAPPDATA%\autoutileasycoreify\licenses.chromium.html
- %TEMP%\is-1686teh7aw.tmp\resources.pak
- %LOCALAPPDATA%\autoutileasycoreify\resources.pak
- %TEMP%\is-1686teh7aw.tmp\snapshot_blob.bin
- %LOCALAPPDATA%\autoutileasycoreify\snapshot_blob.bin
- %TEMP%\is-1686teh7aw.tmp\v8_context_snapshot.bin
- %LOCALAPPDATA%\autoutileasycoreify\v8_context_snapshot.bin
- %TEMP%\is-1686teh7aw.tmp\vk_swiftshader.dll
- %LOCALAPPDATA%\autoutileasycoreify\vk_swiftshader.dll
- %TEMP%\is-1686teh7aw.tmp\vk_swiftshader_icd.json
- %LOCALAPPDATA%\autoutileasycoreify\vk_swiftshader_icd.json
- %TEMP%\is-1686teh7aw.tmp\vulkan-1.dll
- %LOCALAPPDATA%\autoutileasycoreify\vulkan-1.dll
- %TEMP%\is-1686teh7aw.tmp\af.pak
- %LOCALAPPDATA%\autoutileasycoreify\locales\af.pak
- %TEMP%\is-1686teh7aw.tmp\am.pak
- %LOCALAPPDATA%\autoutileasycoreify\locales\am.pak
- %TEMP%\is-1686teh7aw.tmp\ar.pak
- %LOCALAPPDATA%\autoutileasycoreify\locales\ar.pak
- %TEMP%\is-1686teh7aw.tmp\bg.pak
- %LOCALAPPDATA%\autoutileasycoreify\locales\bg.pak
- %TEMP%\is-1686teh7aw.tmp\bn.pak
- %LOCALAPPDATA%\autoutileasycoreify\locales\bn.pak
- %TEMP%\is-1686teh7aw.tmp\ca.pak
- %LOCALAPPDATA%\autoutileasycoreify\locales\ca.pak
- %TEMP%\is-1686teh7aw.tmp\cs.pak
- %LOCALAPPDATA%\autoutileasycoreify\locales\cs.pak
- %TEMP%\is-1686teh7aw.tmp\da.pak
- %LOCALAPPDATA%\autoutileasycoreify\locales\da.pak
- %TEMP%\is-1686teh7aw.tmp\de.pak
- %LOCALAPPDATA%\autoutileasycoreify\locales\de.pak
- %TEMP%\is-1686teh7aw.tmp\el.pak
- %LOCALAPPDATA%\autoutileasycoreify\locales\el.pak
- %TEMP%\is-1686teh7aw.tmp\en-gb.pak
- %LOCALAPPDATA%\autoutileasycoreify\locales\en-gb.pak
- %TEMP%\is-1686teh7aw.tmp\en-us.pak
- %LOCALAPPDATA%\autoutileasycoreify\locales\en-us.pak
- %TEMP%\is-1686teh7aw.tmp\es-419.pak
- %LOCALAPPDATA%\autoutileasycoreify\locales\es-419.pak
- %TEMP%\is-1686teh7aw.tmp\es.pak
- %LOCALAPPDATA%\autoutileasycoreify\locales\es.pak
- %TEMP%\is-1686teh7aw.tmp\et.pak
- %LOCALAPPDATA%\autoutileasycoreify\locales\et.pak
- %TEMP%\is-1686teh7aw.tmp\fa.pak
- %LOCALAPPDATA%\autoutileasycoreify\locales\fa.pak
- %TEMP%\is-1686teh7aw.tmp\fi.pak
- %LOCALAPPDATA%\autoutileasycoreify\locales\fi.pak
- %TEMP%\is-1686teh7aw.tmp\fil.pak
- %LOCALAPPDATA%\autoutileasycoreify\locales\fil.pak
- %TEMP%\is-1686teh7aw.tmp\fr.pak
- %LOCALAPPDATA%\autoutileasycoreify\locales\fr.pak
- %TEMP%\is-1686teh7aw.tmp\gu.pak
- %LOCALAPPDATA%\autoutileasycoreify\locales\gu.pak
- %TEMP%\is-1686teh7aw.tmp\he.pak
- %LOCALAPPDATA%\autoutileasycoreify\locales\he.pak
- %TEMP%\is-1686teh7aw.tmp\hi.pak
- %LOCALAPPDATA%\autoutileasycoreify\locales\hi.pak
- %TEMP%\is-1686teh7aw.tmp\hr.pak
- %LOCALAPPDATA%\autoutileasycoreify\locales\hr.pak
- %TEMP%\is-1686teh7aw.tmp\hu.pak
- %LOCALAPPDATA%\autoutileasycoreify\locales\hu.pak
- %TEMP%\is-1686teh7aw.tmp\id.pak
- %LOCALAPPDATA%\autoutileasycoreify\locales\id.pak
- %TEMP%\is-1686teh7aw.tmp\it.pak
- %LOCALAPPDATA%\autoutileasycoreify\locales\it.pak
- %TEMP%\is-1686teh7aw.tmp\ja.pak
- %LOCALAPPDATA%\autoutileasycoreify\locales\ja.pak
- %TEMP%\is-1686teh7aw.tmp\kn.pak
- %LOCALAPPDATA%\autoutileasycoreify\locales\kn.pak
- %TEMP%\is-1686teh7aw.tmp\ko.pak
- %LOCALAPPDATA%\autoutileasycoreify\locales\ko.pak
- %TEMP%\is-1686teh7aw.tmp\lt.pak
- %LOCALAPPDATA%\autoutileasycoreify\locales\lt.pak
- %TEMP%\is-1686teh7aw.tmp\lv.pak
- %LOCALAPPDATA%\autoutileasycoreify\locales\lv.pak
- %TEMP%\is-1686teh7aw.tmp\ml.pak
- %LOCALAPPDATA%\autoutileasycoreify\locales\ml.pak
- %TEMP%\is-1686teh7aw.tmp\mr.pak
- %LOCALAPPDATA%\autoutileasycoreify\locales\mr.pak
- %TEMP%\is-1686teh7aw.tmp\ms.pak
- %LOCALAPPDATA%\autoutileasycoreify\locales\ms.pak
- %TEMP%\is-1686teh7aw.tmp\nb.pak
- %LOCALAPPDATA%\autoutileasycoreify\locales\nb.pak
- %TEMP%\is-1686teh7aw.tmp\nl.pak
- %LOCALAPPDATA%\autoutileasycoreify\locales\nl.pak
- %TEMP%\is-1686teh7aw.tmp\pl.pak
- %LOCALAPPDATA%\autoutileasycoreify\locales\pl.pak
- %TEMP%\is-1686teh7aw.tmp\pt-br.pak
- %LOCALAPPDATA%\autoutileasycoreify\locales\pt-br.pak
- %TEMP%\is-1686teh7aw.tmp\pt-pt.pak
- %LOCALAPPDATA%\autoutileasycoreify\locales\pt-pt.pak
- %TEMP%\is-1686teh7aw.tmp\ro.pak
- %LOCALAPPDATA%\autoutileasycoreify\locales\ro.pak
- %TEMP%\is-1686teh7aw.tmp\ru.pak
- %LOCALAPPDATA%\autoutileasycoreify\locales\ru.pak
- %TEMP%\is-1686teh7aw.tmp\sk.pak
- %LOCALAPPDATA%\autoutileasycoreify\locales\sk.pak
- %TEMP%\is-1686teh7aw.tmp\sl.pak
- %LOCALAPPDATA%\autoutileasycoreify\locales\sl.pak
- %TEMP%\is-1686teh7aw.tmp\sr.pak
- %LOCALAPPDATA%\autoutileasycoreify\locales\sr.pak
- %TEMP%\is-1686teh7aw.tmp\sv.pak
- %LOCALAPPDATA%\autoutileasycoreify\locales\sv.pak
- %TEMP%\is-1686teh7aw.tmp\sw.pak
- %LOCALAPPDATA%\autoutileasycoreify\locales\sw.pak
- %TEMP%\is-1686teh7aw.tmp\ta.pak
- %LOCALAPPDATA%\autoutileasycoreify\locales\ta.pak
- %TEMP%\is-1686teh7aw.tmp\te.pak
- %LOCALAPPDATA%\autoutileasycoreify\locales\te.pak
- %TEMP%\is-1686teh7aw.tmp\th.pak
- %LOCALAPPDATA%\autoutileasycoreify\locales\th.pak
- %TEMP%\is-1686teh7aw.tmp\tr.pak
- %LOCALAPPDATA%\autoutileasycoreify\locales\tr.pak
- %TEMP%\is-1686teh7aw.tmp\uk.pak
- %LOCALAPPDATA%\autoutileasycoreify\locales\uk.pak
- %TEMP%\is-1686teh7aw.tmp\ur.pak
- %LOCALAPPDATA%\autoutileasycoreify\locales\ur.pak
- %TEMP%\is-1686teh7aw.tmp\vi.pak
- %LOCALAPPDATA%\autoutileasycoreify\locales\vi.pak
- %TEMP%\is-1686teh7aw.tmp\zh-cn.pak
- %LOCALAPPDATA%\autoutileasycoreify\locales\zh-cn.pak
- %TEMP%\is-1686teh7aw.tmp\zh-tw.pak
- %LOCALAPPDATA%\autoutileasycoreify\locales\zh-tw.pak
- %TEMP%\is-1686teh7aw.tmp\app-update.yml
- %LOCALAPPDATA%\autoutileasycoreify\resources\app-update.yml
- %TEMP%\is-1686teh7aw.tmp\app.asar
- %LOCALAPPDATA%\autoutileasycoreify\resources\app.asar
- %APPDATA%\setup.txt
- %APPDATA%\jdex\1f2c2666-73a0-4e6b-a082-8ed81f838a5d.tmp
- Moved/renamed: from %APPDATA%\jdex\1f2c2666-73a0-4e6b-a082-8ed81f838a5d.tmp to %APPDATA%\jdex\local state
- Connects to 'of####spolicia.com':443
- Connects to 'dn#.google':443
- Connects to 'dn#.google':443
- DNS query: of####spolicia.com
- DNS query: dn#.google
- '%TEMP%\is-4nnwgpyylj.tmp\<File name>.tmp' /SL5="$701F8,83728075,893952,<Full path to file>"
- '%LOCALAPPDATA%\autoutileasycoreify\jdex.exe'
- '%LOCALAPPDATA%\autoutileasycoreify\jdex.exe' --type=gpu-process --user-data-dir="%APPDATA%\jdex" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAA...
- '%LOCALAPPDATA%\autoutileasycoreify\jdex.exe' --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="%APPDATA%\jdex" --mojo-platform-channel-handle=1844 --field-trial-handle...