jingling.exe

流量精灵 (Traffic Spirit)

Rice Electronics Co.,Ltd

jingling.exe is the executable of 流量精灵 (Traffic Spirit) from Rice Electronics Co.,Ltd. It is flagged as a potentially unwanted program by 28 of the 68 anti-malware scanners consulted. The binary carries a VeriSign-issued Authenticode signature for Rice Electronics Co.,Ltd (valid 3/16/2012 to 3/17/2013), so a valid publisher signature should not be read as a clean bill of health here. It persists by registering itself in the current-user Run key (HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run) under the value name 'urlspace', which launches it with the -h switch at every logon; a Windows Firewall allowed-program entry for the same image was also recorded, under a different path. While running it makes plain HTTP connections on port 80, among them to yesup.com (199.21.148.198), and HTTPS connections on port 443 to CDN and Facebook edge hosts; the full list is given below.
Publisher:
精灵软件 (Spiritsoft)  (signed by Rice Electronics Co.,Ltd)

Product:
流量精灵 (Traffic Spirit)

Version:
2012.11.8.98

MD5:
19c48025e1e1b60006e3cb774eb8a89d

SHA-1:
b9b88f9f0b5ead2c97fc457308d1c799fd735ea6

SHA-256:
bd498d12e062f5af21be0c1a9b831717fb92de48bb4919550d2be4701226c838

Scanner detections:
28 / 68

Status:
Potentially unwanted

Analysis date:
11/20/2018 9:11:14 PM UTC

Scan engine              Detection                          Engine version
Lavasoft Ad-Aware        Application.Promoter.A             1137
AegisLab AV Signature    AdWare.W32.Gaba                    2.1.4+
AhnLab V3 Security       Trojan/Win32.Clicker               2013.12.23
Avira AntiVirus          TR/Drop.Injector.gdsc              7.11.110.156
Baidu Antivirus          HackTool.Win32.Agent               4.0.3.131225
Bitdefender              Application.Promoter.A             1.0.20.1795
Bkav FE                  W32.Clodd3f.Trojan                 1.3.0.4613
Clam AntiVirus           Win.Trojan.Agent-414279            0.98/18355
Comodo Security          Heur.Suspicious                    17486
Dr.Web                   Trojan.DownLoader8.21721           9.0.1.0359
ESET NOD32               Win32/FlowSpirit                   7.9190
Fortinet FortiGate       W32/Agent.ZKW!tr                   12/25/2013
F-Secure                 Application.Promoter.A             11.2013-25-12_4
G Data                   Application.Promoter               13.12.22
IKARUS anti.virus        Application.Promoter               t3scan.2.2.29
K7 AntiVirus             Trojan                             13.174.10588
McAfee                   Artemis!1A8AC3DF3D1D               5600.7228
MicroWorld eScan         Application.Promoter.A             14.0.0.1077
NANO AntiVirus           Trojan.Win32.FlowSpirit.cqxsuu     0.28.0.57029
Panda Antivirus          Trj/CI.A                           13.12.25.02
Quick Heal               Trojan.Agent.gen                   2.14.12.00
Reason Heuristics        Unnamed.Threat.32                  14.2.22.22
Sophos                   Troj/Agent-ZKW                     4.96
Trend Micro House Call   HKTL_CLICKER                       7.2.36
Trend Micro              HKTL_CLICKER                       10.465.05
Vba32 AntiVirus          TrojanDropper.Injector             3.12.24.3
VIPRE Antivirus          Trojan.Win32.Generic               24658

Note: 27 rows are listed against the reported count of 28, and the engine versions shown are from December 2013, so these verdicts predate the November 2018 analysis date by almost five years. The names cluster on promoter/adware, clicker and generic trojan or dropper families rather than on one agreed classification, which is consistent with the "potentially unwanted" status above.

File size:
640.4 KB (655,792 bytes)

Product version:
4.0.1.4

Copyright:
Copyright 2012 Spiritsoft All Rights Reserved.

Original file name:
jingling.exe

File type:
Executable application (Win32 EXE)

Language:
Chinese (PRC)

Digital Signature
Authority:
VeriSign, Inc.

Valid from:
3/16/2012 2:00:00 AM

Valid to:
3/17/2013 1:59:59 AM

Subject:
CN="Rice Electronics Co.,Ltd", OU=Net Support, OU=Digital ID Class 3 - Microsoft Software Validation v2, O="Rice Electronics Co.,Ltd", L=Shenzhen, S=Shenzhen, C=CN

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
5B0B453A316892B55AC4AFEFBA5B6E7A

File PE Metadata
Compilation timestamp:
11/8/2012 8:20:12 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
8.0

CTPH (ssdeep):
12288:2JHzBvz187HuSEaGH65/vMJr2ZXg3lpMlfKWKTO/hXunF5SV60R10n0:2Bpz187HuSEaGH6RqWNyJTOJXunF5SVp

Entry address:
0x4D598

Entry point:
E8, 4C, BE, 00, 00, E9, 17, FE, FF, FF, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, 8D, 42, FF, 5B, C3, 8D, A4, 24, 00, 00, 00, 00, 8D, 64, 24, 00, 33, C0, 8A, 44, 24, 08, 53, 8B, D8, C1, E0, 08, 8B, 54, 24, 08, F7, C2, 03, 00, 00, 00, 74, 15, 8A, 0A, 83, C2, 01, 3A, CB, 74, CF, 84, C9, 74, 51, F7, C2, 03, 00, 00, 00, 75, EB, 0B, D8, 57, 8B, C3, C1, E3, 10, 56, 0B, D8, 8B, 0A, BF, FF, FE, FE, 7E, 8B, C1, 8B, F7, 33, CB, 03, F0, 03, F9, 83, F1, FF, 83, F0, FF, 33, CF, 33, C6, 83, C2, 04, 81, E1...

Entropy:
6.5443

Code size:
444 KB (454,656 bytes)
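
Two quick checks that can be run on the PE metadata above, as an added example (this is not code from the report). The entry address and the first bytes of the entry point are the values printed above; a call immediately followed by an unconditional backward jump at the entry point is the shape of the Visual C++ CRT start stub, consistent with the linker version 8.0 listed, and decoding the two rel32 displacements gives the addresses of the called helper and of the real startup routine. The entropy thresholds and the sample buffers are this example's own.

```python
"""Decode the entry-point branches and compute Shannon entropy.

Added example, not from the report. Uses the 'Entry address' and the
leading 'Entry point' bytes printed above; entropy sample buffers are
constructed here.
"""
import math
import struct
from collections import Counter

ENTRY_RVA = 0x4D598  # "Entry address" from the report
# Leading bytes of "Entry point" from the report, as printed.
ENTRY_BYTES = bytes.fromhex("E84CBE0000E917FEFFFFCCCCCCCC")


def decode_rel32_branches(code: bytes, base: int) -> list:
    """Walk leading E8 (call rel32) / E9 (jmp rel32) instructions and
    return (address, mnemonic, target). Stops at the first other opcode;
    this is a targeted decoder, not a general disassembler."""
    out = []
    pos = 0
    while pos + 5 <= len(code) and code[pos] in (0xE8, 0xE9):
        rel = struct.unpack_from("<i", code, pos + 1)[0]  # signed disp32
        target = base + pos + 5 + rel  # relative to the next instruction
        out.append((base + pos, "call" if code[pos] == 0xE8 else "jmp", target))
        pos += 5
    return out


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def packing_hint(entropy: float) -> str:
    """Triage rule of thumb (this example's thresholds): plain native code
    usually sits around 6.0-6.9; compressed or encrypted payloads push
    toward 7.2 and above."""
    if entropy >= 7.2:
        return "likely packed or encrypted"
    if entropy >= 6.0:
        return "typical of uncompressed code"
    return "low-entropy (mostly data or padding)"


if __name__ == "__main__":
    for addr, mnemonic, target in decode_rel32_branches(ENTRY_BYTES, ENTRY_RVA):
        print(f"{addr:#x}: {mnemonic} {target:#x}")
    # The report's whole-file value, 6.5443, lands in the uncompressed band.
    print(packing_hint(6.5443))
```

Run on the bytes above this prints a call to 0x593E9 and a jump back to 0x4D3B9; the whole-file entropy of 6.5443 is in the band expected for an unpacked Win32 binary, matching the 444 KB code section, so a packer is not what is hiding the behaviour here.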

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
urlspace

Command:
C:\users\{user}\downloads\programs\jingling.exe -h


Windows Firewall Allowed Program
Name:
G:\desktop2012\JINGLING.EXE
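
A host-triage helper for the persistence and hash indicators above, added here as an example (not code from the report or the vendor). It parses the text output of `reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run`, flags the 'urlspace' value or any value that launches jingling.exe, and verifies a candidate file against the three digests listed in the report. The registry dump is constructed for the example; the image is matched by name rather than by path because the report already shows it launched from two different locations.

```python
"""Host triage for the jingling.exe persistence and hash indicators.

Added example, not code from the report. Parses `reg query` text so it can
run offline against a pasted dump; on a live host feed it the real output.
"""
import hashlib
import re

# Digests copied from the report above.
IOC_HASHES = {
    "md5": "19c48025e1e1b60006e3cb774eb8a89d",
    "sha1": "b9b88f9f0b5ead2c97fc457308d1c799fd735ea6",
    "sha256": "bd498d12e062f5af21be0c1a9b831717fb92de48bb4919550d2be4701226c838",
}
IOC_RUN_VALUE_NAME = "urlspace"
# Match the image name wherever it sits: the report shows it run from both
# C:\users\...\downloads\programs\ and G:\desktop2012\, so a path check
# would miss copies.
IOC_IMAGE_RE = re.compile(r"(?:^|[\\/])jingling\.exe\b", re.IGNORECASE)

# `reg query` prints one value per line: name, type and data separated by
# runs of four spaces.
_REG_LINE_RE = re.compile(r"^\s{4}(.+?)\s{4}(REG_\w+)\s{4}(.*)$")


def hash_bytes(data: bytes) -> dict:
    """Return the three digests the report lists, as lower-case hex."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def hashes_match(data: bytes, expected: dict = IOC_HASHES) -> bool:
    """True only if every listed digest matches. Same file name is not
    evidence; a single mismatch means this is not the analysed sample."""
    actual = hash_bytes(data)
    return all(actual[k] == v.lower() for k, v in expected.items())


def parse_reg_query(output: str) -> list:
    """Parse `reg query <key>` output into (name, type, data) tuples."""
    entries = []
    for line in output.splitlines():
        m = _REG_LINE_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2), m.group(3).strip()))
    return entries


def flag_run_entries(entries: list) -> list:
    """Return (name, command, reasons) for Run values that match the IOCs."""
    hits = []
    for name, _type, command in entries:
        reasons = []
        if name.lower() == IOC_RUN_VALUE_NAME:
            reasons.append("value name 'urlspace' from the report")
        if IOC_IMAGE_RE.search(command):
            reasons.append("command launches jingling.exe")
        if reasons:
            hits.append((name, command, reasons))
    return hits


# Constructed sample of what `reg query` might print on an affected host;
# the OneDrive line is a benign entry included to show it is not flagged.
SAMPLE_REG_OUTPUT = r"""
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    urlspace    REG_SZ    C:\users\alice\downloads\programs\jingling.exe -h
"""

if __name__ == "__main__":
    for name, cmd, why in flag_run_entries(parse_reg_query(SAMPLE_REG_OUTPUT)):
        print(f"[!] Run value {name!r}: {cmd}")
        for reason in why:
            print(f"    - {reason}")
    # On a real host, read the image the flagged command points at and call
    # hashes_match(open(path, "rb").read()) before treating it as this sample.
```

The firewall allowed-program entry is a second place to look on a live host (for example in the output of `netsh advfirewall firewall show rule name=all`), and because its recorded path differs from the Run-key command, sweep for the image name and confirm by hash rather than keying on either path.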


The executable has been observed making the following network connections in live environments (recorded destination hostname, IP address and port).

TCP (HTTP):
Connects to yesup.com  (199.21.148.198:80)

TCP (HTTP):
Connects to vip0x016.map2.ssl.hwcdn.net  (209.197.3.22:80)

TCP (HTTP):
Connects to server-52-85-142-18.iad12.r.cloudfront.net  (52.85.142.18:80)

TCP (HTTP):
Connects to server2.cgmission.com  (69.175.89.130:80)

TCP (HTTP):
Connects to ip-23-229-137-65.ip.secureserver.net  (23.229.137.65:80)

TCP (HTTP):
Connects to map2.hwcdn.net  (205.185.216.42:80)

TCP (HTTP):
Connects to ec2-52-14-181-12.us-east-2.compute.amazonaws.com  (52.14.181.12:80)

TCP (HTTP):
Connects to ec2-184-169-179-91.us-west-1.compute.amazonaws.com  (184.169.179.91:80)

TCP (HTTP):
Connects to 88.178.154.104.bc.googleusercontent.com  (104.154.178.88:80)

TCP (HTTP):
Connects to 203.130.60.50-BJ-CNC  (203.130.60.50:80)

TCP (HTTP SSL):
Connects to xx-fbcdn-shv-02-mia1.fbcdn.net  (157.240.0.22:443)

TCP (HTTP SSL):
Connects to edge-star-shv-02-mia1.facebook.com  (157.240.0.17:443)

TCP (HTTP SSL):
Connects to server-54-192-19-195.iad12.r.cloudfront.net  (54.192.19.195:443)

TCP (HTTP SSL):
Connects to edge-star-mini-shv-02-mia1.facebook.com  (157.240.0.35:443)

TCP (HTTP):
Connects to cloud559.configrapp.com  (45.33.115.139:80)
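
A matcher that runs the destination list above against connection log lines, added here as an example (not code from the report). The point a practitioner should take from the list is that most of the hosts are shared infrastructure (CloudFront, Highwinds hwcdn, EC2, Google Cloud, Facebook edges, GoDaddy secureserver), so an alert on them says little on its own, whereas yesup.com, cgmission.com and configrapp.com and the exact IP:port pairs are specific to this sample's observed traffic. The log format, the split into specific and shared destinations and the confidence labels are this example's own choices; the sample log lines are constructed.

```python
"""Match connection log lines against the destinations listed above.

Added example (not code from the report). The log format, the
specific/shared classification and the confidence labels are this
example's own, not the report's.
"""
import re
from dataclasses import dataclass

# Destinations copied from the report: (dst_ip, dst_port) -> recorded hostname.
OBSERVED = {
    ("199.21.148.198", 80): "yesup.com",
    ("209.197.3.22", 80): "vip0x016.map2.ssl.hwcdn.net",
    ("52.85.142.18", 80): "server-52-85-142-18.iad12.r.cloudfront.net",
    ("69.175.89.130", 80): "server2.cgmission.com",
    ("23.229.137.65", 80): "ip-23-229-137-65.ip.secureserver.net",
    ("205.185.216.42", 80): "map2.hwcdn.net",
    ("52.14.181.12", 80): "ec2-52-14-181-12.us-east-2.compute.amazonaws.com",
    ("184.169.179.91", 80): "ec2-184-169-179-91.us-west-1.compute.amazonaws.com",
    ("104.154.178.88", 80): "88.178.154.104.bc.googleusercontent.com",
    ("203.130.60.50", 80): "203.130.60.50-BJ-CNC",
    ("157.240.0.22", 443): "xx-fbcdn-shv-02-mia1.fbcdn.net",
    ("157.240.0.17", 443): "edge-star-shv-02-mia1.facebook.com",
    ("54.192.19.195", 443): "server-54-192-19-195.iad12.r.cloudfront.net",
    ("157.240.0.35", 443): "edge-star-mini-shv-02-mia1.facebook.com",
    ("45.33.115.139", 80): "cloud559.configrapp.com",
}

# Registrable domains matched on name alone, since the IPs behind them can
# change (this example's selection from the list above).
SPECIFIC_DOMAINS = ("yesup.com", "cgmission.com", "configrapp.com")

# Shared CDN / cloud / hosting suffixes: a hit only says the host talked to
# a large shared platform, so it is reported at low confidence.
SHARED_SUFFIXES = (".cloudfront.net", ".hwcdn.net", ".amazonaws.com",
                   ".googleusercontent.com", ".fbcdn.net", ".facebook.com",
                   ".secureserver.net")

HOST_INDEX = {h.lower() for h in OBSERVED.values()}

# Constructed log format: "<timestamp> <src_ip> <dst_ip>:<dst_port> <hostname_or_sni>"
_LOG_RE = re.compile(
    r"^(\S+)\s+(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3}):(\d+)\s+(\S+)$")


@dataclass
class Hit:
    ts: str
    src: str
    dst: str
    port: int
    host: str
    matched_on: str   # "ip:port", "domain" or "hostname"
    confidence: str   # "high" or "low"


def confidence_for(hostname: str) -> str:
    return "low" if hostname.lower().endswith(SHARED_SUFFIXES) else "high"


def classify(dst: str, port: int, host: str):
    """Return (matched_on, confidence) for one connection, or None."""
    h = host.lower()
    if (dst, port) in OBSERVED:
        return "ip:port", confidence_for(OBSERVED[(dst, port)])
    for domain in SPECIFIC_DOMAINS:
        if h == domain or h.endswith("." + domain):
            return "domain", "high"
    if h in HOST_INDEX:
        return "hostname", confidence_for(h)
    return None


def match_log(lines) -> list:
    hits = []
    for line in lines:
        m = _LOG_RE.match(line.strip())
        if not m:
            continue  # header or malformed line
        ts, src, dst, port, host = m.groups()
        verdict = classify(dst, int(port), host)
        if verdict:
            hits.append(Hit(ts, src, dst, int(port), host, *verdict))
    return hits


# Constructed sample lines: one exact IP:port hit, one name-only hit at an
# unlisted IP, one shared-platform hit, one unrelated connection, one more hit.
SAMPLE_LOG = """\
2018-11-20T21:11:14Z 10.0.0.5 199.21.148.198:80 yesup.com
2018-11-20T21:11:15Z 10.0.0.5 203.0.113.7:80 cdn.yesup.com
2018-11-20T21:11:16Z 10.0.0.5 157.240.0.17:443 edge-star-shv-02-mia1.facebook.com
2018-11-20T21:11:17Z 10.0.0.5 93.184.216.34:443 example.com
2018-11-20T21:11:18Z 10.0.0.5 45.33.115.139:80 cloud559.configrapp.com
""".splitlines()

if __name__ == "__main__":
    for h in match_log(SAMPLE_LOG):
        print(f"{h.confidence:4} {h.src} -> {h.dst}:{h.port} {h.host} (by {h.matched_on})")
```

Low-confidence hits are worth correlating with the process that made the connection rather than blocking: the same Facebook and CloudFront edges serve ordinary browser traffic from the same host.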

Remove jingling.exe - Powered by Reason Core Security