jingling.exe

流量精灵

Rice Electronics Co.,Ltd

The executable jingling.exe has been detected as malware by 9 anti-virus scanners. It is set to automatically start when a user logs into Windows via the current user run registry key under the display name ‘urlspace’. The file has been seen being downloaded from dc581.2shared.com and multiple other hosts. While running, it connects to the Internet address edge-star-mini-shv-01-eze1.facebook.com on port 443.
Publisher:
精灵软件 (signed by Rice Electronics Co.,Ltd)

Product:
流量精灵

Version:
2012.7.20.89

MD5:
de9d855c48d0801c2820d6b39ce3fb6a

SHA-1:
396a86355b8ae8926e4d596bf04f6eee84136049

SHA-256:
9c353e1773e97750d28438d9027e4f963207dcd5d19983612bfb9a5ea936b905

Scanner detections:
9 / 68

Status:
Malware

Analysis date:
12/12/2017 9:16:03 PM UTC

Scan engine              Detection                         Engine version
AhnLab V3 Security       Trojan/Win32.Clicker              2014.09.10
Bkav FE                  W32.Clod6b9.Trojan                1.3.0.4959
Comodo Security          Heur.Suspicious                   19471
Dr.Web                   Trojan.DownLoader9.14697          9.0.1.0257
ESET NOD32               Win32/FlowSpirit                  8.10393
Fortinet FortiGate       W32/FlowSpirit                    9/14/2014
McAfee                   Artemis!DE9D855C48D0              5600.7007
McAfee Web Gateway       BehavesLike.Win32.Trojan.jh       7.7007
NANO AntiVirus           Trojan.Win32.FlowSpirit.cwizqq    0.28.2.61942

File size:
620.9 KB (635,824 bytes)

Product version:
3.4.4.1

Copyright:
Copyright 2012 Spiritsoft All Rights Reserved.

Original file name:
jingling.exe

File type:
Executable application (Win32 EXE)

Language:
Chinese (Simplified, PRC)

Digital Signature
Authority:
VeriSign, Inc.

Valid from:
11/3/2011 8:00:00 PM

Valid to:
11/3/2012 7:59:59 PM

Subject:
CN="Rice Electronics Co.,Ltd", OU=VTN Support, OU=Digital ID Class 3 - Microsoft Software Validation v2, O="Rice Electronics Co.,Ltd", L=Beijing, S=Beijing, C=CN

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
2AFDF409C5B747EF1F1BA5905A0DD798

File PE Metadata
Compilation timestamp:
7/20/2012 2:14:17 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
8.0

CTPH (ssdeep):
12288:OqdbNVzRMH4MNylc8MFx3xyrGTDpvpris03d:OaNVzRMH4MNl18iTDpvpriFN

Entry address:
0x4923A

Entry point:
E8, 0A, BC, 00, 00, E9, 17, FE, FF, FF, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, 8D, 42, FF, 5B, C3, 8D, A4, 24, 00, 00, 00, 00, 8D, 64, 24, 00, 33, C0, 8A, 44, 24, 08, 53, 8B, D8, C1, E0, 08, 8B, 54, 24, 08, F7, C2, 03, 00, 00, 00, 74, 15, 8A, 0A, 83, C2, 01, 3A, CB, 74, CF, 84, C9, 74, 51, F7, C2, 03, 00, 00, 00, 75, EB, 0B, D8, 57, 8B, C3, C1, E3, 10, 56, 0B, D8, 8B, 0A, BF, FF, FE, FE, 7E, 8B, C1, 8B, F7, 33, CB, 03, F0, 03, F9, 83, F1, FF, 83, F0, FF, 33, CF, 33, C6, 83, C2, 04, 81, E1, 00, 01...

Entropy:
6.5590

Code size:
420 KB (430,080 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
urlspace

Command:
C:\users\{user}\desktop\jingling.exe -h
The file jingling.exe has been seen being distributed by the following 6 URLs.

http://dc581.2shared.com/download/.../jinsoft.exe

https://mega.nz/persistent/.../n0B0wRzb

http://download2015.mediafire.com/24ih6ae2vrjg/.../jinsoft.exe

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to xx-fbcdn-shv-01-eze1.fbcdn.net  (31.13.94.24:80)

TCP (HTTP SSL):
Connects to edge-star-mini-shv-01-eze1.facebook.com  (31.13.94.35:443)

TCP (HTTP):
Connects to server-54-192-59-201.gru1.r.cloudfront.net  (54.192.59.201:80)

TCP (HTTP):
Connects to reverse.gdsz.cncnet.net  (58.251.100.24:80)

TCP (HTTP):
Connects to c-q100-u1409-214.webazilla.com  (204.155.145.214:80)

TCP (HTTP):
Connects to ec2-52-14-95-88.us-east-2.compute.amazonaws.com  (52.14.95.88:80)

TCP (HTTP):
Connects to ip-103-23-108-224.static.pixnet.tw  (103.23.108.224:80)

TCP (HTTP):
Connects to ec2-52-3-199-147.compute-1.amazonaws.com  (52.3.199.147:80)

Remove jingling.exe - Powered by Reason Core Security