jingling.exe

流量精灵

Rice Electronics Co.,Ltd

The executable jingling.exe has been detected as malware by 28 anti-virus scanners. It is a setup program used to install the application. It is configured to start automatically when the user logs into Windows, via the current-user Run registry key, under the display name 'urlspace'. While running, it connects to the Internet address 203.130.59.28-BJ-CNC on port 80 using the HTTP protocol.
Publisher:
精灵软件  (signed by Rice Electronics Co.,Ltd)

Product:
流量精灵

Version:
2013.3.14.99

MD5:
bb2a4b95111a2321350f8fb2e5c4686c

SHA-1:
1f503601a0b0239312d317d078c37fa4add8cb04

SHA-256:
2a8824920808ab95ccbdadb22c5ab07bfd4c1bfd592bc0f7e9926e67da4e8569

Scanner detections:
28 / 68

Status:
Malware

Analysis date:
12/11/2017 5:14:19 AM UTC

Scan engine               Detection                           Engine version
Lavasoft Ad-Aware         Application.Promoter.A              1124
AhnLab V3 Security        Trojan/Win32.Clicker                2013.12.23
Avira AntiVirus           TR/Drop.Injector.gdsc               7.11.110.156
Baidu Antivirus           HackTool.Win32.Agent                4.0.3.1417
Bitdefender               Application.Promoter.A              1.0.20.35
Bkav FE                   W32.Clodd3f.Trojan                  1.3.0.4613
Clam AntiVirus            Win.Trojan.Agent-414279             0.98/18355
Comodo Security           Heur.Suspicious                     17486
Dr.Web                    Trojan.DownLoader8.21721            9.0.1.0357
ESET NOD32                Win32/FlowSpirit                    7.9190
Fortinet FortiGate        W32/Agent.ZKW!tr                    1/7/2014
F-Secure                  Application.Promoter.A              11.2014-07-01_3
G Data                    Application.Promoter                14.1.22
IKARUS anti.virus         Application.Promoter                t3scan.2.2.29
K7 AntiVirus              Trojan                              13.174.10588
K7 Gateway Antivirus      Trojan                              13.174.10588
Kingsoft AntiVirus        Win32.Heur.KVMF26.hy.(kcloud)       331020.49267
McAfee                    Artemis!1A8AC3DF3D1D                5600.7272
McAfee Web Gateway        Artemis!1A8AC3DF3D1D                7.7272
MicroWorld eScan          Application.Promoter.A              15.0.0.21
NANO AntiVirus            Trojan.Win32.FlowSpirit.cqxsuu      0.28.0.57029
Panda Antivirus           Trj/CI.A                            14.01.07.09
Quick Heal                Trojan.Agent.gen                    12.13.12.00
Sophos                    Troj/Agent-ZKW                      4.96
Trend Micro House Call    HKTL_CLICKER                        7.2.357
Trend Micro               HKTL_CLICKER                        10.465.23
Vba32 AntiVirus           TrojanDropper.Injector              3.12.24.3
VIPRE Antivirus           Trojan.Win32.Generic                24658

File size:
640.9 KB (656,240 bytes)

Product version:
4.0.2.1

Copyright:
Copyright 2012 Spiritsoft All Rights Reserved.

Original file name:
jingling.exe

File type:
Executable application (Win32 EXE)

Language:
Chinese (Simplified, PRC)

Digital Signature
Authority:
VeriSign, Inc.

Valid from:
3/16/2012 12:00:00 AM

Valid to:
3/16/2013 11:59:59 PM

Subject:
CN="Rice Electronics Co.,Ltd", OU=Net Support, OU=Digital ID Class 3 - Microsoft Software Validation v2, O="Rice Electronics Co.,Ltd", L=Shenzhen, S=Shenzhen, C=CN

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
5B0B453A316892B55AC4AFEFBA5B6E7A

File PE Metadata
Compilation timestamp:
3/14/2013 1:53:03 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
8.0

CTPH (ssdeep):
12288:3w7n1OHcwbnObHCEE7TmsYPtXwFz142RaDJSKTOmV8unF5SV60R10n:3wZO8wbnObHCEE7T3CoBfaDJNTO+8unL

Entry address:
0x4D598

Entry point:
E8, 4C, BE, 00, 00, E9, 17, FE, FF, FF, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, 8D, 42, FF, 5B, C3, 8D, A4, 24, 00, 00, 00, 00, 8D, 64, 24, 00, 33, C0, 8A, 44, 24, 08, 53, 8B, D8, C1, E0, 08, 8B, 54, 24, 08, F7, C2, 03, 00, 00, 00, 74, 15, 8A, 0A, 83, C2, 01, 3A, CB, 74, CF, 84, C9, 74, 51, F7, C2, 03, 00, 00, 00, 75, EB, 0B, D8, 57, 8B, C3, C1, E3, 10, 56, 0B, D8, 8B, 0A, BF, FF, FE, FE, 7E, 8B, C1, 8B, F7, 33, CB, 03, F0, 03, F9, 83, F1, FF, 83, F0, FF, 33, CF, 33, C6, 83, C2, 04, 81, E1...

Code size:
444 KB (454,656 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
urlspace

Command:
C:\users\{user}\documents\eagleget downloads\jingling.exe -h

The file jingling.exe has been observed being distributed from the following 2 URLs.

blob:https://www.datafilehost.com/c1615d47-0a07-4adc-afcd-58b8b8e8093a

The executing file has been observed making the following network communications in live environments.

TCP (HTTP):
Connects to 203.130.59.28-BJ-CNC  (203.130.59.28:80)

TCP (HTTP):
Connects to a23-35-214-217.deploy.static.akamaitechnologies.com  (23.35.214.217:80)

TCP (HTTP SSL):
Connects to yesup.com  (199.21.148.198:443)

TCP (HTTP):
Connects to v133-130-91-14.a020.g.tyo1.static.cnode.io  (133.130.91.14:80)

TCP (HTTP):
Connects to ip-103-23-108-224.static.pixnet.tw  (103.23.108.224:80)

TCP:
Connects to hn.kd.ny.adsl  (42.236.74.195:82)

Remove jingling.exe - Powered by Reason Core Security