» jingling.exe
Overview
Analysis
File Details
Behaviors (1)
Downloads (2)
Network (11)

jingling.exe

流量精灵

Rice Electronics Co.,Ltd

The executable jingling.exe has been detected as malware by 25 anti-virus scanners. This is a setup program which is used to install the application. It is set to automatically start when a user logs into Windows via the current user run registry key under the display name ‘urlspace’. While running, it connects to the Internet address 203.130.59.28-BJ-CNC on port 80 using the HTTP protocol.

File name:

jingling.exe

Publisher:

精灵软件 (signed by Rice Electronics Co.,Ltd)

Product:

流量精灵

Version:

2013.3.14.99

MD5:

bb2a4b95111a2321350f8fb2e5c4686c

SHA-1:

1f503601a0b0239312d317d078c37fa4add8cb04

SHA-256:

2a8824920808ab95ccbdadb22c5ab07bfd4c1bfd592bc0f7e9926e67da4e8569

Scanner detections:

25 / 68

Status:

Malware

Analysis date:

11/23/2024 6:13:00 AM UTC (today)

Scan engine

Detection

Engine version

Lavasoft Ad-Aware

Application.Promoter.A

1124

AhnLab V3 Security

Trojan/Win32.Clicker

2013.12.23

Avira AntiVirus

TR/Drop.Injector.gdsc

7.11.110.156

Baidu Antivirus

HackTool.Win32.Agent

4.0.3.1417

Bitdefender

Application.Promoter.A

1.0.20.35

Bkav FE

W32.Clodd3f.Trojan

1.3.0.4613

Clam AntiVirus

Win.Trojan.Agent-414279

0.98/18355

Comodo Security

Heur.Suspicious

17486

Dr.Web

Trojan.DownLoader8.21721

9.0.1.0357

ESET NOD32

Win32/FlowSpirit

7.9190

Fortinet FortiGate

W32/Agent.ZKW!tr

1/7/2014

F-Secure

Application.Promoter.A

11.2014-07-01_3

G Data

Application.Promoter

14.1.22

IKARUS anti.virus

Application.Promoter

t3scan.2.2.29

K7 AntiVirus

Trojan

13.174.10588

McAfee

Artemis!1A8AC3DF3D1D

5600.7272

MicroWorld eScan

Application.Promoter.A

15.0.0.21

NANO AntiVirus

Trojan.Win32.FlowSpirit.cqxsuu

0.28.0.57029

Panda Antivirus

Trj/CI.A

14.01.07.09

Quick Heal

Trojan.Agent.gen

12.13.12.00

Sophos

Troj/Agent-ZKW

4.96

Trend Micro House Call

HKTL_CLICKER

7.2.357

Trend Micro

HKTL_CLICKER

10.465.23

Vba32 AntiVirus

TrojanDropper.Injector

3.12.24.3

VIPRE Antivirus

Trojan.Win32.Generic

24658

File size:

640.9 KB (656,240 bytes)

Product version:

4.0.2.1

Original file name:

jingling.exe

File type:

Executable application (Win32 EXE)

Language:

Chinese (Simplified, PRC)

Digital Signature

Signed by:

Rice Electronics Co.,Ltd

Authority:

VeriSign, Inc.

Valid from:

3/16/2012 12:00:00 AM

Valid to:

3/16/2013 11:59:59 PM

Subject:

CN="Rice Electronics Co.,Ltd", OU=Net Support, OU=Digital ID Class 3 - Microsoft Software Validation v2, O="Rice Electronics Co.,Ltd", L=Shenzhen, S=Shenzhen, C=CN

Issuer:

CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:

5B0B453A316892B55AC4AFEFBA5B6E7A

File PE Metadata

Compilation timestamp:

3/14/2013 1:53:03 AM

OS version:

4.0

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

8.0

CTPH (ssdeep):

12288:3w7n1OHcwbnObHCEE7TmsYPtXwFz142RaDJSKTOmV8unF5SV60R10n:3wZO8wbnObHCEE7T3CoBfaDJNTO+8unL

Entry address:

0x4D598

Entry point:

E8, 4C, BE, 00, 00, E9, 17, FE, FF, FF, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, 8D, 42, FF, 5B, C3, 8D, A4, 24, 00, 00, 00, 00, 8D, 64, 24, 00, 33, C0, 8A, 44, 24, 08, 53, 8B, D8, C1, E0, 08, 8B, 54, 24, 08, F7, C2, 03, 00, 00, 00, 74, 15, 8A, 0A, 83, C2, 01, 3A, CB, 74, CF, 84, C9, 74, 51, F7, C2, 03, 00, 00, 00, 75, EB, 0B, D8, 57, 8B, C3, C1, E3, 10, 56, 0B, D8, 8B, 0A, BF, FF, FE, FE, 7E, 8B, C1, 8B, F7, 33, CB, 03, F0, 03, F9, 83, F1, FF, 83, F0, FF, 33, CF, 33, C6, 83, C2, 04, 81, E1... 
[+]

Code size:

444 KB (454,656 bytes)

Startup File (User Run)

Registry location:

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:

urlspace

Command:

C:\users\{user}\documents\eagleget downloads\jingling.exe -h

The file jingling.exe has been seen being distributed by the following 2 URLs.

blob:https://www.datafilehost.com/c1615d47-0a07-4adc-afcd-58b8b8e8093a

http://download1395.mediafire.com/387z3mj12ptg/.../jingling.exe

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):

Connects to 203.130.59.28-BJ-CNC (203.130.59.28:80)

TCP (HTTP):

Connects to ec2-54-223-35-180.cn-north-1.compute.amazonaws.com.cn (54.223.35.180:80)

TCP (HTTP):

Connects to ec2-54-222-210-226.cn-north-1.compute.amazonaws.com.cn (54.222.210.226:80)

TCP (HTTP):

Connects to ec2-54-222-208-139.cn-north-1.compute.amazonaws.com.cn (54.222.208.139:80)

TCP (HTTP):

Connects to ec2-35-156-156-64.eu-central-1.compute.amazonaws.com (35.156.156.64:80)

TCP (HTTP):

Connects to a23-35-214-217.deploy.static.akamaitechnologies.com (23.35.214.217:80)

TCP (HTTP SSL):

Connects to yesup.com (199.21.148.198:443)

TCP (HTTP):

Connects to v133-130-91-14.a020.g.tyo1.static.cnode.io (133.130.91.14:80)

TCP (HTTP):

Connects to ip-103-23-108-224.static.pixnet.tw (103.23.108.224:80)

TCP (HTTP):

Connects to ec2-54-222-199-205.cn-north-1.compute.amazonaws.com.cn (54.222.199.205:80)

TCP:

Connects to hn.kd.ny.adsl (42.236.74.195:82)

Remove jingling.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.