jingling.exe

流量精灵

Rice Electronics Co.,Ltd

The executable jingling.exe has been detected as malware by 5 anti-virus scanners. It is configured to start automatically when a user logs into Windows, via the current-user Run registry key, under the value name 'urlspace'. While running, it connects to the Internet address IZU17D6GWZOZ on port 80 using the HTTP protocol.
Publisher:
精灵软件  (signed by Rice Electronics Co.,Ltd)

Product:
流量精灵

Version:
2012.11.8.98

MD5:
c75e1c75a0cd1c9fb3ef65ecdb4925d3

SHA-1:
e93186792ac1852ecfba06d6fe8c0f0bdec4b191

Scanner detections:
5 / 68

Status:
Malware

Analysis date:
11/23/2024 6:29:30 AM UTC

Scan engine        Detection                   Engine version
avast!             Win32:Patched-JI            160917-0
Clam AntiVirus     Win.Spyware.59563-2         0.98/22985
Dr.Web             Trojan.DownLoader8.21721    9.0.1.05190
ESET NOD32         Win32/Agent.NAG virus       6.3.12010.0
F-Prot             W32/Slugin.B                4.6.5.141

File size:
732.9 KB (750,483 bytes)

Product version:
4.0.1.4

Copyright:
Copyright 2012 Spiritsoft All Rights Reserved.

Original file name:
jingling.exe

File type:
Executable application (Win32 EXE)

Language:
Chinese (PRC)

Digital Signature
Authority:
VeriSign, Inc.

Valid from:
3/16/2012 7:00:00 AM

Valid to:
3/17/2013 6:59:59 AM

Subject:
CN="Rice Electronics Co.,Ltd", OU=Net Support, OU=Digital ID Class 3 - Microsoft Software Validation v2, O="Rice Electronics Co.,Ltd", L=Shenzhen, S=Shenzhen, C=CN

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
5B0B453A316892B55AC4AFEFBA5B6E7A

File PE Metadata
Compilation timestamp:
11/8/2012 1:20:12 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
8.0

Entry address:
0x4D598

Entry point:
60, E8, 00, 00, 00, 00, 5B, 81, EB, D0, 48, 00, 10, 83, EC, 74, 8B, EC, 8B, 83, AB, 4B, 00, 10, 89, 45, 00, 8B, 83, B3, 4B, 00, 10, 03, 45, 00, 89, 45, 2C, 8B, 83, B7, 4B, 00, 10, 03, 45, 00, 89, 45, 30, C7, 45, 14, 00, 00, 00, 00, C7, 45, 18, 00, 00, 00, 00, C7, 45, 1C, 00, 00, 00, 00, 8B, 45, 14, FF, 45, 14, 66, 33, C9, 8A, 8C, 03, FF, 4B, 00, 10, 84, C9, 74, 7A, 8B, 45, 1C, 66, 01, 4D, 1C, 03, C3, 05, 13, 4C, 00, 10, 50, 8B, 45, 2C, FF, 10, 85, C0, 0F, 84, 5E, 02, 00, 00, 89, 45, 10, 8B, 45, 1C, 03, C3...

Entropy:
6.5545

Packer / compiler:
ASPack v1.08.04

Code size:
444 KB (454,656 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
urlspace

Command:
C:\auto visitor\jingling.exe -h

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to 131.subnet180-250-66.speedy.telkom.net.id  (180.250.66.131:80)

TCP (HTTP):
Connects to server-54-230-150-68.sin2.r.cloudfront.net  (54.230.150.68:80)

TCP (HTTP):
Connects to server-54-192-159-38.sin3.r.cloudfront.net  (54.192.159.38:80)

TCP (HTTP):
Connects to pages-wildcard.weebly.com  (199.34.228.53:80)

TCP (HTTP):
Connects to li1513-193.members.linode.com  (139.162.228.193:80)

TCP (HTTP):
Connects to li1500-84.members.linode.com  (139.162.183.84:80)

TCP (HTTP):
Connects to hosted-by.reliablesite.net  (104.243.42.180:80)

TCP (HTTP):
Connects to ec2-34-199-157-154.compute-1.amazonaws.com  (34.199.157.154:80)

TCP (HTTP):
Connects to 94.31.29.128.IPYX-077437-ZYO.above.net  (94.31.29.128:80)

TCP (HTTP):
Connects to 89.9d.a86c.ip4.static.sl-reverse.com  (108.168.157.137:80)

TCP (HTTP):
Connects to 57.9d.a86c.ip4.static.sl-reverse.com  (108.168.157.87:80)

TCP (HTTP):
Connects to 49-reverse.a1servers.pw  (94.23.250.102:80)

TCP (HTTP):
Connects to v133-130-91-14.a020.g.tyo1.static.cnode.io  (133.130.91.14:80)

TCP (HTTP):
Connects to IZU17D6GWZOZ  (47.88.22.102:80)

TCP (HTTP):
Connects to 130.239.158.61.ha.cnc  (61.158.239.130:80)

TCP (HTTP):
Connects to 123.103.57.51-BJ-CNC  (123.103.57.51:80)

TCP (HTTP):
Connects to server-54-192-150-120.sin2.r.cloudfront.net  (54.192.150.120:80)

TCP (HTTP):
Connects to ip-184-168-221-96.ip.secureserver.net  (184.168.221.96:80)

TCP (HTTP):
Connects to ip-107-180-48-127.ip.secureserver.net  (107.180.48.127:80)

Remove jingling.exe - Powered by Reason Core Security