» jingling.exe
Overview
Analysis
File Details
Behaviors (2)
Network (15)

jingling.exe

流量精灵

Rice Electronics Co.,Ltd

The application jingling.exe by Rice Electronics Co.,Ltd has been detected as a potentially unwanted program by 28 anti-malware scanners. It is set to automatically start when a user logs into Windows via the current user run registry key under the display name ‘urlspace’. While running, it connects to the Internet address yesup.com on port 80 using the HTTP protocol.

File name:

jingling.exe

Publisher:

精灵软件 (signed by Rice Electronics Co.,Ltd)

Product:

流量精灵

Version:

2012.11.8.98

MD5:

19c48025e1e1b60006e3cb774eb8a89d

SHA-1:

b9b88f9f0b5ead2c97fc457308d1c799fd735ea6

SHA-256:

bd498d12e062f5af21be0c1a9b831717fb92de48bb4919550d2be4701226c838

Scanner detections:

28 / 68

Status:

Potentially unwanted

Analysis date:

11/23/2024 1:41:35 AM UTC (today)

Scan engine

Detection

Engine version

Lavasoft Ad-Aware

Application.Promoter.A

1137

AegisLab AV Signature

AdWare.W32.Gaba

2.1.4+

AhnLab V3 Security

Trojan/Win32.Clicker

2013.12.23

Avira AntiVirus

TR/Drop.Injector.gdsc

7.11.110.156

Baidu Antivirus

HackTool.Win32.Agent

4.0.3.131225

Bitdefender

Application.Promoter.A

1.0.20.1795

Bkav FE

W32.Clodd3f.Trojan

1.3.0.4613

Clam AntiVirus

Win.Trojan.Agent-414279

0.98/18355

Comodo Security

Heur.Suspicious

17486

Dr.Web

Trojan.DownLoader8.21721

9.0.1.0359

ESET NOD32

Win32/FlowSpirit

7.9190

Fortinet FortiGate

W32/Agent.ZKW!tr

12/25/2013

F-Secure

Application.Promoter.A

11.2013-25-12_4

G Data

Application.Promoter

13.12.22

IKARUS anti.virus

Application.Promoter

t3scan.2.2.29

K7 AntiVirus

Trojan

13.174.10588

McAfee

Artemis!1A8AC3DF3D1D

5600.7228

MicroWorld eScan

Application.Promoter.A

14.0.0.1077

NANO AntiVirus

Trojan.Win32.FlowSpirit.cqxsuu

0.28.0.57029

Panda Antivirus

Trj/CI.A

13.12.25.02

Qihoo 360 Security

Win32/Trojan.Adware.37e

1.0.0.1015

Quick Heal

Trojan.Agent.gen

2.14.12.00

Reason Heuristics

Unnamed.Threat.32

14.2.22.22

Sophos

Troj/Agent-ZKW

4.96

Trend Micro House Call

HKTL_CLICKER

7.2.36

Trend Micro

HKTL_CLICKER

10.465.05

Vba32 AntiVirus

TrojanDropper.Injector

3.12.24.3

VIPRE Antivirus

Trojan.Win32.Generic

24658

File size:

640.4 KB (655,792 bytes)

Product version:

4.0.1.4

Original file name:

jingling.exe

File type:

Executable application (Win32 EXE)

Language:

Chinese (PRC)

Digital Signature

Signed by:

Rice Electronics Co.,Ltd

Authority:

VeriSign, Inc.

Valid from:

3/16/2012 2:00:00 AM

Valid to:

3/17/2013 1:59:59 AM

Subject:

CN="Rice Electronics Co.,Ltd", OU=Net Support, OU=Digital ID Class 3 - Microsoft Software Validation v2, O="Rice Electronics Co.,Ltd", L=Shenzhen, S=Shenzhen, C=CN

Issuer:

CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:

5B0B453A316892B55AC4AFEFBA5B6E7A

File PE Metadata

Compilation timestamp:

11/8/2012 8:20:12 AM

OS version:

4.0

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

8.0

CTPH (ssdeep):

12288:2JHzBvz187HuSEaGH65/vMJr2ZXg3lpMlfKWKTO/hXunF5SV60R10n0:2Bpz187HuSEaGH6RqWNyJTOJXunF5SVp

Entry address:

0x4D598

Entry point:

E8, 4C, BE, 00, 00, E9, 17, FE, FF, FF, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, 8D, 42, FF, 5B, C3, 8D, A4, 24, 00, 00, 00, 00, 8D, 64, 24, 00, 33, C0, 8A, 44, 24, 08, 53, 8B, D8, C1, E0, 08, 8B, 54, 24, 08, F7, C2, 03, 00, 00, 00, 74, 15, 8A, 0A, 83, C2, 01, 3A, CB, 74, CF, 84, C9, 74, 51, F7, C2, 03, 00, 00, 00, 75, EB, 0B, D8, 57, 8B, C3, C1, E3, 10, 56, 0B, D8, 8B, 0A, BF, FF, FE, FE, 7E, 8B, C1, 8B, F7, 33, CB, 03, F0, 03, F9, 83, F1, FF, 83, F0, FF, 33, CF, 33, C6, 83, C2, 04, 81, E1... 
[+]

Entropy:

6.5443

Code size:

444 KB (454,656 bytes)

Startup File (User Run)

Registry location:

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:

urlspace

Command:

C:\users\{user}\downloads\programs\jingling.exe -h

Windows Firewall Allowed Program

Name:

G:\desktop2012\JINGLING.EXE

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):

Connects to yesup.com (199.21.148.198:80)

TCP (HTTP):

Connects to vip0x016.map2.ssl.hwcdn.net (209.197.3.22:80)

TCP (HTTP):

Connects to server-52-85-142-18.iad12.r.cloudfront.net (52.85.142.18:80)

TCP (HTTP):

Connects to server2.cgmission.com (69.175.89.130:80)

TCP (HTTP):

Connects to ip-23-229-137-65.ip.secureserver.net (23.229.137.65:80)

TCP (HTTP):

Connects to map2.hwcdn.net (205.185.216.42:80)

TCP (HTTP):

Connects to ec2-52-14-181-12.us-east-2.compute.amazonaws.com (52.14.181.12:80)

TCP (HTTP):

Connects to ec2-184-169-179-91.us-west-1.compute.amazonaws.com (184.169.179.91:80)

TCP (HTTP):

Connects to 88.178.154.104.bc.googleusercontent.com (104.154.178.88:80)

TCP (HTTP):

Connects to 203.130.60.50-BJ-CNC (203.130.60.50:80)

TCP (HTTP SSL):

Connects to xx-fbcdn-shv-02-mia1.fbcdn.net (157.240.0.22:443)

TCP (HTTP SSL):

Connects to edge-star-shv-02-mia1.facebook.com (157.240.0.17:443)

TCP (HTTP SSL):

Connects to server-54-192-19-195.iad12.r.cloudfront.net (54.192.19.195:443)

TCP (HTTP SSL):

Connects to edge-star-mini-shv-02-mia1.facebook.com (157.240.0.35:443)

TCP (HTTP):

Connects to cloud559.configrapp.com (45.33.115.139:80)

Remove jingling.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.