jingling.exe

流量精灵

精灵软件

The application jingling.exe has been detected as a potentially unwanted program by 12 anti-malware scanners. It is set to automatically start when a user logs into Windows via the current user run registry key under the display name ‘urlspace’. While running, it connects to the Internet address 123.103.57.50-BJ-CNC on port 80 using the HTTP protocol.
Publisher:
精灵软件

Product:
流量精灵

Version:
2016.3.20.103

MD5:
2b7809c589a059c4bb04b8f582f267e7

SHA-1:
50242f6001b0ee7ed81a625d9969ecffc929f72e

SHA-256:
33abc58dda281c7d56ec6a2bc44e542b15e634ba36837498f74f8ba913904132

Scanner detections:
12 / 68

Status:
Potentially unwanted

Analysis date:
11/18/2017 7:49:56 AM UTC  (today)

Scan engine
Detection
Engine version

AhnLab V3 Security
Trojan/Win32.Clicker
2016.03.22

avast!
Win32:Malware-gen
2014.9-160323

Dr.Web
Trojan.DownLoader19.61894
9.0.1.083

ESET NOD32
Win32/FlowSpirit.H potentially unsafe (variant)
10.13217

G Data
Win32.Trojan.Agent.BW6PJD
16.3.25

IKARUS anti.virus
Win32.Dialer
t3scan.2.0.9.0

K7 AntiVirus
Unwanted-Program
13.218.19079

K7 Gateway Antivirus
Unwanted-Program
13.218.19079

McAfee
Artemis!2B7809C589A0
5600.6451

McAfee Web Gateway
BehavesLike.Win32.Adware.jh
7.6451

Panda Antivirus
Trj/Genetic.gen
16.03.23.03

SUPERAntiSpyware
Trojan.Agent/Generic
9248

File size:
618.5 KB (633,344 bytes)

Product version:
4.1.2.1

Copyright:
Copyright 2012 Spiritsoft All Rights Reserved.

Original file name:
jingling.exe

File type:
Executable application (Win32 EXE)

Language:
Chinese (Simplified, PRC)

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\jingling.exe

File PE Metadata
Compilation timestamp:
3/20/2016 5:49:16 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
8.0

CTPH (ssdeep):
12288:oIKYprEdfh8HrHA9BzvWeDorIp41VeNPR6TUgunF5SV60R10n2:ozfh8HrHALzvZ+IWqETJunF5SV6Vn2

Entry address:
0x4EDE6

Entry point:
E8, 47, C0, 00, 00, E9, 17, FE, FF, FF, 8D, 42, FF, 5B, C3, 8D, A4, 24, 00, 00, 00, 00, 8D, 64, 24, 00, 33, C0, 8A, 44, 24, 08, 53, 8B, D8, C1, E0, 08, 8B, 54, 24, 08, F7, C2, 03, 00, 00, 00, 74, 15, 8A, 0A, 83, C2, 01, 3A, CB, 74, CF, 84, C9, 74, 51, F7, C2, 03, 00, 00, 00, 75, EB, 0B, D8, 57, 8B, C3, C1, E3, 10, 56, 0B, D8, 8B, 0A, BF, FF, FE, FE, 7E, 8B, C1, 8B, F7, 33, CB, 03, F0, 03, F9, 83, F1, FF, 83, F0, FF, 33, CF, 33, C6, 83, C2, 04, 81, E1, 00, 01, 01, 81, 75, 1C, 25, 00, 01, 01, 81, 74, D3, 25...
 
[+]

Code size:
431 KB (441,344 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
urlspace

Command:
C:\users\{user}\appdata\local\temp\{random}.tmp\jingling.exe -h


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to tiger.potia.net  (66.212.30.236:80)

TCP (HTTP):
Connects to 123.103.57.50-BJ-CNC  (123.103.57.50:80)

TCP (HTTP):
Connects to ns2.plaides.net  (83.168.221.45:80)

TCP (HTTP):
Connects to server-54-230-197-112.lhr50.r.cloudfront.net  (54.230.197.112:80)

TCP (HTTP):
Connects to server-52-85-63-136.lhr50.r.cloudfront.net  (52.85.63.136:80)

TCP (HTTP):
Connects to ip-103-23-108-192.static.pixnet.tw  (103.23.108.192:80)

TCP (HTTP):
Connects to ip-103-23-108-181.static.pixnet.tw  (103.23.108.181:80)

TCP (HTTP):

TCP (HTTP):
Connects to xx-fbcdn-shv-01-cdg2.fbcdn.net  (179.60.192.7:80)

TCP (HTTP):
Connects to ip-103-23-108-140.static.pixnet.tw  (103.23.108.140:80)

Remove jingling.exe - Powered by Reason Core Security