jingling.exe

流量精灵

精灵软件

The executable jingling.exe has been detected as malware by 19 anti-virus scanners. It is configured to start automatically at user logon through the current-user Run registry key (HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run) under the display name 'urlspace'. While running, it connects over HTTP to the Internet address 109.242.178.107.bc.googleusercontent.com on port 80.
Publisher:
精灵软件

Product:
流量精灵

Version:
2013.10.10.100

MD5:
c80e47faebd2c69b45d4b25e69bd6d07

SHA-1:
379c1e32cdd0e520f32dd94f3a3055d0d09a7e67

SHA-256:
14565feb9a8cd2d40e440bc6e1dc055948704912acbc99cacf6f4f7dc24387f2

Scanner detections:
19 / 68

Status:
Malware

Analysis date:
11/5/2024 4:49:36 AM UTC

Scan engine | Detection | Engine version
Lavasoft Ad-Aware | Trojan.GenericKD.1837899 | 308
AegisLab AV Signature | W32.Parite | 2.1.4+
AhnLab V3 Security | Unwanted/Win32.Agent | 2014.10.01
Baidu Antivirus | Hacktool.Win32.FlowSpirit | 4.0.3.1642
Bitdefender | Trojan.GenericKD.1837899 | 1.0.20.465
Emsisoft Anti-Malware | Trojan.GenericKD.1837899 | 8.16.04.02.05
ESET NOD32 | Win32/FlowSpirit (variant) | 10.10489
Fortinet FortiGate | Riskware/FlowSpirit | 4/2/2016
F-Secure | Trojan.GenericKD.1837899 | 11.2016-02-04_7
G Data | Trojan.GenericKD.1837899 | 16.4.24
IKARUS anti.virus | Trojan.SuspectCRC | t3scan.1.7.8.0
K7 AntiVirus | Trojan | 13.183.13535
McAfee | Artemis!C80E47FAEBD2 | 5600.6442
MicroWorld eScan | Trojan.GenericKD.1837899 | 17.0.0.279
NANO AntiVirus | Trojan.Win32.DownLoader10.cqvkbc | 0.28.2.62440
nProtect | Trojan.GenericKD.1837899 | 14.09.30.01
Rising Antivirus | PE:Trojan.Win32.Generic.1759A36A!391750506 | 23.00.65.16331
Sophos | Generic PUA DH | 4.98
Trend Micro House Call | TROJ_GEN.R002H09I414 | 7.2.93

File size:
617.5 KB (632,320 bytes)

Product version:
4.0.3.1

Copyright:
Copyright 2012 Spiritsoft All Rights Reserved.

Original file name:
jingling.exe

File type:
Executable application (Win32 EXE)

Language:
Chinese

Common path:
C:\users\{user}\appdata\roaming\spiritsoft\urlspirit\jingling.exe

File PE Metadata
Compilation timestamp:
10/9/2013 11:21:13 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
8.0

CTPH (ssdeep):
12288:Xywuzfu4RNcQ+JHspCU60o0EWRowQfplbR/aTrVcUunF5SV65Ri:XyhvcQIHspCU69nA7yztyTraUunF5SVL

Entry address:
0x4D228

Entry point:
E8, 4C, BE, 00, 00, E9, 17, FE, FF, FF, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, 8D, 42, FF, 5B, C3, 8D, A4, 24, 00, 00, 00, 00, 8D, 64, 24, 00, 33, C0, 8A, 44, 24, 08, 53, 8B, D8, C1, E0, 08, 8B, 54, 24, 08, F7, C2, 03, 00, 00, 00, 74, 15, 8A, 0A, 83, C2, 01, 3A, CB, 74, CF, 84, C9, 74, 51, F7, C2, 03, 00, 00, 00, 75, EB, 0B, D8, 57, 8B, C3, C1, E3, 10, 56, 0B, D8, 8B, 0A, BF, FF, FE, FE, 7E, 8B, C1, 8B, F7, 33, CB, 03, F0, 03, F9, 83, F1, FF, 83, F0, FF, 33, CF, 33, C6, 83, C2, 04, 81, E1...

Code size:
443 KB (453,632 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
urlspace

Command:
C:\users\{user}\appdata\roaming\spiritsoft\urlspirit\jingling.exe -h


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to server-54-230-81-79.mia50.r.cloudfront.net (54.230.81.79:80)

TCP (HTTP):
Connects to 109.242.178.107.bc.googleusercontent.com (107.178.242.109:80)

Powered by Reason Core Security