home

down.job391.com

zenglingbai

Domain Information

The domain down.job391.com registered by zenglingbai was initially registered in October of 2013 through ENAME TECHNOLOGY CO., LTD.. This domain has been known to host and distribute adware as well as other potentially unwanted software. The hosted servers are located in Zhuhai, Guangdong within China which resides on the Asia Pacific Network Information Centre network.
Registrar:
ENAME TECHNOLOGY CO., LTD.

Server location:
Guangdong, China (CN)

Create date:
Tuesday, October 15, 2013

Expires date:
Saturday, October 15, 2016

Updated date:
Wednesday, September 16, 2015

ASN:
AS4837 CHINA169-BACKBONE CNCGROUP China169 Backbone,CN

Root domain:
job391.com

Whois:
2 job391.com records

Scanner detections:
Detections  (90% detected)

Scan engine
Details
Detections

Vba32 AntiVirus
Malware-Cryptor.Inject.gen, suspected of Trojan.Downloader.gen.h
100.00%

Clam AntiVirus
Win.Trojan.691128
90.00%

Kaspersky
HEUR:Trojan.Win32.Invader
90.00%

NANO AntiVirus
Riskware.Win32.ShouQu.dmnfjx
90.00%

McAfee
Artemis!75BCAA7F6A9D, Artemis!97FC48B62EE0, Artemis!2EC54109AED8, Artemis!EBF252815313, Artemis!7E184AAA7402, Artemis!F2E95AA54DCC
90.00%

Fortinet FortiGate
W32/Generic.AC.18053
90.00%

Baidu Antivirus
Trojan.Win32.Invader, Hacktool.Win32.NSISmod
60.00%

ESET NOD32
Win32/Packed.NSISmod.A suspicious (variant)
60.00%

avast!
Win32:Malware-gen
50.00%

Dr.Web
Trojan.KillFiles.28526
40.00%

IKARUS anti.virus
PUA.NSISmod, Trojan.Win32.FlyStudio
40.00%

VIPRE Antivirus
Trojan.Win32.Generic
40.00%

Sophos
Generic PUA LK (PUA), Generic PUA CO (PUA), Generic PUA JL (PUA)
40.00%

Trend Micro House Call
Suspicious_GEN.F47V0509, Suspicious_GEN.F47V0424, Suspicious_GEN.F47V0521
30.00%

Comodo Security
TrojWare.Win32.Agent.OSCF, UnclassifiedMalware
30.00%

The domain down.job391.com has been seen to resolve to the following 18 IP addresses.

125.88.65.249
August 12, 2015

183.57.148.246
August 12, 2015

123.130.123.6
July 1, 2015

119.188.138.29
July 1, 2015

119.188.138.24
July 1, 2015

27.195.146.10
July 1, 2015

221.204.171.42
42.171.204.221.adsl-pool.sx.cn
July 1, 2015

221.204.23.18
18.23.204.221.adsl-pool.sx.cn
July 1, 2015

221.204.23.16
16.23.204.221.adsl-pool.sx.cn
July 1, 2015

222.163.198.56
56.198.163.222.adsl-pool.jlccptt.net.cn
June 18, 2015

36.250.90.5
June 18, 2015

58.20.132.56
June 18, 2015

218.58.209.106
June 18, 2015

218.60.108.135
cncln.online.ln.cn
June 18, 2015

183.95.152.2
June 18, 2015

112.90.148.14
relaymail.org
June 18, 2015

222.161.224.25
25.224.161.222.adsl-pool.jlccptt.net.cn
May 15, 2015

218.24.17.40
May 15, 2015

File downloads found at URLs served by down.job391.com.

7 / 68      (PUP)
http://down.job391.com/m.php?url=aHR0cDovL2Rvd24uam9iMzkxLmNvbS9TZXR1cF81MXp0emouY29tLmV4ZQ==  (setup_cncrk.com.exe)

12 / 68    (PUP)
http://down.job391.com/m.php?url=aHR0cDovL2Rvd24uam9iMzkxLmNvbS9TZXR1cF9zbS16eS0yLmV4ZQ==  (setup_xp85.com.exe)

9 / 68      (PUP)
http://down.job391.com/m.php?url=aHR0cDovL2Rvd24uam9iMzkxLmNvbS9TZXR1cF9uZXdhc3AubmV0LmV4ZQ==  (setup_xigua110.com.exe)

18 / 68    (PUP)
http://down.job391.com/m.php?url=aHR0cDovL2Rvd24uam9iMzkxLmNvbS9TZXR1cF91cGFudG9vbC5jb20uZXhl  (setup_ali213.net.exe)

9 / 68      (PUP)
http://down.job391.com/m.php?url=aHR0cDovL2Rvd24uam9iMzkxLmNvbS9TZXR1cF94aWd1YTExMC5jb20uZXhl  (setup_xigua110.com.exe)

18 / 68    (PUP)
http://down.job391.com/m.php?url=aHR0cDovL2Rvd24uam9iMzkxLmNvbS9TZXR1cF9hNjcuY29tLmV4ZQ=  (setup_ali213.net.exe)

12 / 68    (PUP)
http://down.job391.com/m.php?url=aHR0cDovL2Rvd24uam9iMzkxLmNvbS9TZXR1cF9keWRoLnR2LmV4ZQ==  (setup_xp85.com.exe)

20 / 68    (PUP)
http://down.job391.com/m.php?url=aHR0cDovL2Rvd24uam9iMzkxLmNvbS9TZXR1cF94aWd1YTExMC5jb20uZXhl  (setup_xigua110.com.exe)

8 / 68      (PUP)
http://down.job391.com/m.php?url=aHR0cDovL2Rvd24uam9iMzkxLmNvbS9TZXR1cF9xdWFuamkuY29tLmV4ZQ==  (setup_upan.cc.exe)

12 / 68    (PUP)
http://down.job391.com/m.php?url=aHR0cDovL2Rvd24uam9iMzkxLmNvbS9TZXR1cF94aWd1YTExMC5jb20uZXhl  (setup_xp85.com.exe)

8 / 68      (PUP)
http://down.job391.com/m.php?url=aHR0cDovL2Rvd24uam9iMzkxLmNvbS9TZXR1cF9uZXdhc3AubmV0LmV4ZQ==  (setup_upan.cc.exe)

8 / 68      (PUP)
http://down.job391.com/m.php?url=aHR0cDovL2Rvd24uam9iMzkxLmNvbS9TZXR1cF9nYW9xaW5nLmV4ZQ==  (setup_upan.cc.exe)

3 / 68
http://down.job391.com/m.php?url=aHR0cDovL2Rvd24uam9iMzkxLmNvbS9TZXR1cF9keWRoLnR2LmV4ZQ==  (setup_dydh.tv.exe)

12 / 68    (PUP)
http://down.job391.com/Setup_quanji.cc.exe  (setup_xp85.com.exe)

7 / 68      (PUP)
http://down.job391.com/Setup_quanji.com.exe  (f_00022c)

12 / 68    (PUP)
http://down.job391.com/m.php?url=aHR0cDovL2Rvd24uam9iMzkxLmNvbS9TZXR1cF9keWRoLnR2LmV4ZQ==  (setup_xp85.com.exe)

23 / 68    (PUP)
http://down.job391.com/m.php?url=aHR0cDovL2Rvd24uam9iMzkxLmNvbS9TZXR1cF94cDg1LmNvbS5leGU=  (setup_xp85.com.exe)

7 / 68      (PUP)
http://down.job391.com/m.php?url=aHR0cDovL2Rvd24uam9iMzkxLmNvbS9TZXR1cF94aWd1YTExMC5jb20uZXhl  (f_00022c)

9 / 68      (PUP)
http://down.job391.com/m.php?url=aHR0cDovL2Rvd24uam9iMzkxLmNvbS9TZXR1cF9jbmNyay5jb20uZXhl  (setup_xigua110.com.exe)

8 / 68      (PUP)
http://down.job391.com/Setup_quanji.com.exe  (setup_upan.cc.exe)

7 / 68      (PUP)
http://down.job391.com/m.php?url=aHR0cDovL2Rvd24uam9iMzkxLmNvbS9TZXR1cF9xdWFuamkuY2MuZXhl  (f_00022c)

7 / 68      (PUP)
http://down.job391.com/m.php?url=aHR0cDovL2Rvd24uam9iMzkxLmNvbS9TZXR1cF9jbmNyay5jb20uZXhl  (f_00022c)

The following 22 files have been seen to comunicate with down.job391.com in live environments.

TCP » 218.60.108.135:80
jingling.exe

TCP » 221.204.171.42:80
dailaymation.exe (by wgj)

TCP » 222.161.224.25:80
dailaymation.exe (by wgj)

TCP » 218.60.108.135:80
dailaymation.exe (by wgj)

TCP » 218.60.108.135:80
rlvknlg.exe (Relevant-Knowledge by TMRG)

TCP » 221.204.171.42:80
UCBrowser.exe (by UCWeb)

TCP » 222.161.224.25:80
apptrailers.exe

TCP » 222.163.198.56:80
jingling.exe

TCP » 218.60.108.135:80
ysupdate.exe (by Green Creatures Environment Protection Science End Technology Co)

TCP » 222.161.224.25:80
ysupdate.exe (by Green Creatures Environment Protection Science End Technology Co)

TCP » 222.163.198.56:80
jingling.exe

TCP » 125.88.65.249:80
piao_5.2.0.50.crx

TCP » 125.88.65.249:80
piao.crx

TCP » 183.57.148.246:80
365guard.crx

TCP » 183.57.148.246:80
shitu.crx

TCP » 183.57.148.246:80
shitu.crx

TCP » 183.57.148.246:80
weibo_plus.crx

TCP » 183.57.148.246:80
ebank.crx

TCP » 183.57.148.246:80
npgame.crx

TCP » 183.57.148.246:80
screen_capture.crx

 
Latest 20 of 26 files

URL:
http://down.job391.com/

Title:
“Welcome to nginx!”

Web server:
nginx/1.4.1

2144.cn

cgbchina.com.cn

conew.com

duba.net

hxb.com.cn

ikuaiping.com

kwimg.cn

laobanmail.com

letv.com

rising.com.cn

teeqee.com

xunyou.com

ecitic.com

gmw.cn

iciba.com

ijinshan.com

taotaosou.com

wasu.cn

khit.cn

wps.cn

51jetso.com

7r7z.com

duowan.com

it376.com

ke8u.com

miliao.com

miui.com

songtaste.com

tqshopping.com

winrar.com.cn

30 of 40 related domains

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.