jingling.exe

流量精灵

精灵软件

The executable jingling.exe has been detected as malware by 25 anti-virus scanners. It is a setup program used to install the application. It configures itself to start automatically when a user logs into Windows, via the current-user Run registry key, under the display name ‘urlspace’. The file has been seen being downloaded from s7.picofile.com. While running, it connects to the Internet address 203.130.59.28-BJ-CNC on port 80 using the HTTP protocol.
Publisher:
精灵软件

Product:
流量精灵

Version:
2013.10.10.100

MD5:
645d60825b362448151387d060593635

SHA-1:
c670fd72229250249d736c924a10893d8d970f2f

SHA-256:
0e6ab2a37f8c6486aad5caab63b4aedd6be859be47f85fc7b0951f517fe6d973

Scanner detections:
25 / 68

Status:
Malware

Analysis date:
11/21/2017 1:52:17 AM UTC

Scan engine
Detection
Engine version

Lavasoft Ad-Aware
Trojan.Generic.9731381
1138

AhnLab V3 Security
Trojan/Win32.Clicker
2013.12.23

Avira AntiVirus
SPR/Surfairy.A
7.11.121.86

AVG
Win32/DH
2014.0.3616

Baidu Antivirus
Hacktool.Win32.RiskTool
4.0.3.131223

Bitdefender
Trojan.Generic.9731381
1.0.20.1785

Bkav FE
W32.Clod9e1.Trojan
1.3.0.4613

Comodo Security
UnclassifiedMalware
17483

Emsisoft Anti-Malware
Trojan.Generic.9731381
8.13.12.23.09

Fortinet FortiGate
Malware_fam.NB
12/23/2013

F-Secure
Trojan.Generic.9731381
11.2013-23-12_2

G Data
Trojan.Generic.9731381
13.12.22

K7 AntiVirus
Riskware
13.174.10588

K7 Gateway Antivirus
Riskware
13.174.10588

Malwarebytes
Trojan.Agent
v2013.12.23.09

McAfee
RDN/Generic.tfr!dr
5600.7272

McAfee Web Gateway
RDN/Generic.tfr!dr
7.7272

MicroWorld eScan
Trojan.Generic.9731381
14.0.0.1071

NANO AntiVirus
Trojan.Win32.DownLoader10.cqvkbc
0.28.0.57029

Norman
Troj_Generic.RAUJP
11.20131223

Panda Antivirus
Trj/CI.A
13.12.23.09

Reason Heuristics
Unnamed.Threat.43
14.3.21.16

Sophos
Mal/Generic-S
4.96

Trend Micro House Call
TROJ_GEN.R0C1B01KR13
7.2.357

VIPRE Antivirus
Trojan.Win32.Generic
24636

File size:
634.5 KB (649,728 bytes)

Product version:
4.0.3.1

Copyright:
Copyright 2012 Spiritsoft All Rights Reserved.

Original file name:
jingling.exe

File type:
Executable application (Win32 EXE)

Language:
Chinese

File PE Metadata
Compilation timestamp:
10/10/2013 4:21:13 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
8.0

CTPH (ssdeep):
12288:Aywuzfu4RNcQ+JHspCU60o0EWRowQfplbR/aTrVccunF5SV60R10n7:AyhvcQIHspCU69nA7yztyTracunF5SV6

Entry address:
0x4D228

Entry point:
E8, 4C, BE, 00, 00, E9, 17, FE, FF, FF, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, 8D, 42, FF, 5B, C3, 8D, A4, 24, 00, 00, 00, 00, 8D, 64, 24, 00, 33, C0, 8A, 44, 24, 08, 53, 8B, D8, C1, E0, 08, 8B, 54, 24, 08, F7, C2, 03, 00, 00, 00, 74, 15, 8A, 0A, 83, C2, 01, 3A, CB, 74, CF, 84, C9, 74, 51, F7, C2, 03, 00, 00, 00, 75, EB, 0B, D8, 57, 8B, C3, C1, E3, 10, 56, 0B, D8, 8B, 0A, BF, FF, FE, FE, 7E, 8B, C1, 8B, F7, 33, CB, 03, F0, 03, F9, 83, F1, FF, 83, F0, FF, 33, CF, 33, C6, 83, C2, 04, 81, E1...

Code size:
443 KB (453,632 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
urlspace

Command:
C:\users\{user}\desktop\jingling.exe -h


The file jingling.exe has been seen being distributed by the following URL.

http://s7.picofile.com/d/.../jingling.exe

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP SSL):
Connects to xx-fbcdn-shv-01-lhr3.fbcdn.net  (31.13.90.6:443)

TCP (HTTP):
Connects to store.pchome.com.tw  (220.228.8.10:80)

TCP (HTTP SSL):
Connects to p3.adhitzads.com  (199.193.119.50:443)

TCP (HTTP):
Connects to IZFW6BNVTUW34MZ  (47.91.149.49:80)

TCP (HTTP):
Connects to hn.kd.ny.adsl  (42.236.74.247:80)

TCP (HTTP SSL):
Connects to edge-star-mini-shv-01-lhr3.facebook.com  (31.13.90.36:443)

TCP (HTTP):
Connects to ec2-52-52-208-81.us-west-1.compute.amazonaws.com  (52.52.208.81:80)

TCP (HTTP SSL):
Connects to adhitzads.com  (68.233.234.217:443)

TCP (HTTP SSL):
Connects to a23-33-183-215.deploy.static.akamaitechnologies.com  (23.33.183.215:443)

TCP (HTTP SSL):
Connects to 32-124-232-198.static.unitasglobal.net  (198.232.124.32:443)

TCP (HTTP):
Connects to 203.130.59.28-BJ-CNC  (203.130.59.28:80)

TCP (HTTP):
Connects to 203.130.56.132-BJ-CNC  (203.130.56.132:80)

TCP (HTTP):
Connects to v133-130-91-14.a020.g.tyo1.static.cnode.io  (133.130.91.14:80)

TCP (HTTP):
Connects to single-4730.banahosting.com  (69.175.68.55:80)

TCP (HTTP SSL):
Connects to host-197.199.253.27.etisalat.com.eg  (197.199.253.27:443)

TCP (HTTP):
Connects to a23-205-213-25.deploy.static.akamaitechnologies.com  (23.205.213.25:80)

TCP (HTTP):
Connects to 98.126.243.211.static.krypt.com  (98.126.243.211:80)

TCP (HTTP):
Connects to 203.130.53.9-BJ-CNC  (203.130.53.9:80)

TCP (HTTP SSL):
Connects to host-197.199.253.15.etisalat.com.eg  (197.199.253.15:443)

Remove jingling.exe - Powered by Reason Core Security