jingling.exe

流量精灵

精灵软件

The executable jingling.exe has been detected as malware by 18 of 68 anti-virus scanners. It is a setup program used to install the application. It is set to start automatically when a user logs into Windows, via the current-user Run registry key (HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run), under the display name ‘urlspace’. The file has been seen being downloaded from d17.usercdn.com. While running, it connects to the Internet address gw-vlan105.core01.dfw01.as33612.net on port 443.
Publisher:
精灵软件

Product:
流量精灵

Version:
2014.10.10.101

MD5:
1f519484a9ad5a51d42e0f57f4e314e0

SHA-1:
9be9cf179078f76b7d61f54efaf50c68098e1afc

SHA-256:
c1341b20f6a99721f4bfe09c8fe3982479636369c5e78fee27f2035781c02b63

Scanner detections:
18 / 68

Status:
Malware

Analysis date:
10/19/2018 11:21:40 PM UTC

Scan engine | Detection | Engine version
Lavasoft Ad-Aware | Trojan.GenericKD.1914107 | 841
AhnLab V3 Security | Trojan/Win32.Clicker | 2014.10.17
avast! | Win32:Dropper-gen [Drp] | 2014.9-141016
Baidu Antivirus | Hacktool.Win32.FlowSpirit | 4.0.3.141016
Bitdefender | Trojan.GenericKD.1914107 | 1.0.20.1445
Emsisoft Anti-Malware | Trojan.GenericKD.1914107 | 8.14.10.16.09
ESET NOD32 | Win32/FlowSpirit (variant) | 8.10575
Fortinet FortiGate | Riskware/FlowSpirit | 10/16/2014
F-Secure | Trojan.GenericKD.1914107 | 11.2014-16-10_5
G Data | Trojan.GenericKD.1914107 | 14.10.24
IKARUS anti.virus | Trojan.SuspectCRC | t3scan.1.7.8.0
McAfee | RDN/Generic PUP.x!c2t | 5600.6975
MicroWorld eScan | Trojan.GenericKD.1914107 | 15.0.0.867
NANO AntiVirus | Trojan.Win32.FlowSpirit.dgozjr | 0.28.2.62671
Norman | Troj_Generic.WJQOH | 11.20141016
nProtect | Trojan.GenericKD.1914107 | 14.10.16.01
Sophos | Generic PUA JL | 4.98
Trend Micro House Call | TROJ_GEN.R0C1H09JD14 | 7.2.289

File size:
625.5 KB (640,512 bytes)

Product version:
4.0.4.1

Copyright:
Copyright 2012 Spiritsoft All Rights Reserved.

Original file name:
jingling.exe

File type:
Executable application (Win32 EXE)

Language:
Chinese

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\jingling.exe

File PE Metadata
Compilation timestamp:
10/10/2014 10:14:38 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
8.0

CTPH (ssdeep):
12288:rBWWb1JKD7HGz9Dv4EcBCTmvF2W0O3sBlox3hT0munF5SV60R10nY:1tKD7HGz9Dv4DCTmv8fOC6LTfunF5SVl

Entry address:
0x4FDE6

Entry point:
E8, F7, BF, 00, 00, E9, 17, FE, FF, FF, 8D, 42, FF, 5B, C3, 8D, A4, 24, 00, 00, 00, 00, 8D, 64, 24, 00, 33, C0, 8A, 44, 24, 08, 53, 8B, D8, C1, E0, 08, 8B, 54, 24, 08, F7, C2, 03, 00, 00, 00, 74, 15, 8A, 0A, 83, C2, 01, 3A, CB, 74, CF, 84, C9, 74, 51, F7, C2, 03, 00, 00, 00, 75, EB, 0B, D8, 57, 8B, C3, C1, E3, 10, 56, 0B, D8, 8B, 0A, BF, FF, FE, FE, 7E, 8B, C1, 8B, F7, 33, CB, 03, F0, 03, F9, 83, F1, FF, 83, F0, FF, 33, CF, 33, C6, 83, C2, 04, 81, E1, 00, 01, 01, 81, 75, 1C, 25, 00, 01, 01, 81, 74, D3, 25...

Code size:
435.5 KB (445,952 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
urlspace

Command:
C:\users\{user}\appdata\local\temp\{random}.tmp\jingling.exe -h
The file jingling.exe has been seen being distributed by the following URL.

https://d17.usercdn.com/d/.../jingling.exe

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP SSL):
Connects to server-54-240-186-55.mad50.r.cloudfront.net  (54.240.186.55:443)

TCP (HTTP):
Connects to pages-wildcard.weebly.com  (199.34.228.77:80)

TCP (HTTP):
Connects to d2.48.3a25.ip4.static.sl-reverse.com  (37.58.72.210:80)

TCP (HTTP):
Connects to 96.147.96.66.static.eigbox.net  (66.96.147.96:80)

TCP (HTTP):
Connects to server-54-240-186-52.mad50.r.cloudfront.net  (54.240.186.52:80)

TCP (HTTP SSL):
Connects to server-54-240-186-121.mad50.r.cloudfront.net  (54.240.186.121:443)

TCP (HTTP):
Connects to server-52-85-47-175.mad50.r.cloudfront.net  (52.85.47.175:80)

TCP (HTTP):
Connects to 248.ip-193-70-112.eu  (193.70.112.248:80)

TCP (HTTP):
Connects to wb-in-f154.1e100.net  (66.102.1.154:80)

TCP (HTTP SSL):
Connects to gw-vlan105.core01.dfw01.as33612.net  (66.6.32.34:443)

TCP (HTTP):
Connects to e1.ycpi.vip.fra.yahoo.com  (77.238.180.11:80)

TCP (HTTP):
Connects to nl.mytimesnow.com  (107.6.167.170:80)

Remove jingling.exe - Powered by Reason Core Security