jingling.exe

流量精灵

Rice Electronics Co.,Ltd

The application jingling.exe by Rice Electronics Co.,Ltd has been detected as a potentially unwanted program by 11 anti-malware scanners. This is a setup program which is used to install the application. The file has been seen being downloaded from marketmultinivel.com. While running, it connects to the Internet address IZU17D6GWZOZ on port 80 using the HTTP protocol.
Publisher:
精灵软件  (signed by Rice Electronics Co.,Ltd)

Product:
流量精灵

Version:
2012.4.22.88

MD5:
fd931156e76e90ebf6860c42306137b7

SHA-1:
ffdefd1785ac87bcd4ca823e64ab68e3ce46497e

SHA-256:
1d3d2eb92224be742c3fd4ba2ab4ce986463f2dbdba8504dcce9aaecdb66cd7c

Scanner detections:
11 / 68

Status:
Potentially unwanted

Analysis date:
11/2/2024 9:31:10 AM UTC  (today)

Scan engine
Detection
Engine version

Agnitum Outpost
Riskware.FlowSpirit
7.1.1

AhnLab V3 Security
Trojan/Win32.Clicker
14.05.06

Avira AntiVirus
TR/Agent.638976.64
7.11.146.40

Bkav FE
W32.Clodc75.Trojan
1.3.0.4959

Dr.Web
Trojan.DownLoader8.23186
9.0.1.0126

ESET NOD32
Win32/FlowSpirit
8.9737

Fortinet FortiGate
Riskware/FlowSpirit
5/6/2014

IKARUS anti.virus
Trojan.Agent
t3scan.1.6.1.0

McAfee
Artemis!FD931156E76E
5600.7138

NANO AntiVirus
Trojan.Win32.FlowSpirit.cofomv
0.28.0.59608

Qihoo 360 Security
HEUR/Malware.QVM09.Gen
1.0.0.1015

File size:
619.9 KB (634,760 bytes)

Product version:
3.4.3.3

Copyright:
Copyright 2011 Spiritsoft All Rights Reserved.

Original file name:
jingling.exe

File type:
Executable application (Win32 EXE)

Language:
Chinese

Digital Signature
Authority:
VeriSign, Inc.

Valid from:
11/4/2011 1:00:00 AM

Valid to:
11/4/2012 12:59:59 AM

Subject:
CN="Rice Electronics Co.,Ltd", OU=VTN Support, OU=Digital ID Class 3 - Microsoft Software Validation v2, O="Rice Electronics Co.,Ltd", L=Beijing, S=Beijing, C=CN

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
2AFDF409C5B747EF1F1BA5905A0DD798

File PE Metadata
Compilation timestamp:
4/22/2012 2:13:25 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
8.0

CTPH (ssdeep):
6144:ohWkd8hFQa1oENSJZivvmHRBZUV+YRUgGHp9oUKMb0INh1pYNmGTBojqwkfMFU:ohsdH2HfZUV+YU9HD4Mn1pYkGT2O0e

Entry address:
0x4907A

Entry point:
E8, 0A, BC, 00, 00, E9, 17, FE, FF, FF, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, 8D, 42, FF, 5B, C3, 8D, A4, 24, 00, 00, 00, 00, 8D, 64, 24, 00, 33, C0, 8A, 44, 24, 08, 53, 8B, D8, C1, E0, 08, 8B, 54, 24, 08, F7, C2, 03, 00, 00, 00, 74, 15, 8A, 0A, 83, C2, 01, 3A, CB, 74, CF, 84, C9, 74, 51, F7, C2, 03, 00, 00, 00, 75, EB, 0B, D8, 57, 8B, C3, C1, E3, 10, 56, 0B, D8, 8B, 0A, BF, FF, FE, FE, 7E, 8B, C1, 8B, F7, 33, CB, 03, F0, 03, F9, 83, F1, FF, 83, F0, FF, 33, CF, 33, C6, 83, C2, 04, 81, E1, 00, 01...
 
[+]

Code size:
419.5 KB (429,568 bytes)

The file jingling.exe has been seen being distributed by the following URL.

http://marketmultinivel.com/anuncio.exe

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to IZ23Z2YUIKTZ  (121.41.84.229:80)

TCP (HTTP):
Connects to ec2-54-94-223-84.sa-east-1.compute.amazonaws.com  (54.94.223.84:80)

TCP (HTTP):
Connects to ec2-34-199-60-97.compute-1.amazonaws.com  (34.199.60.97:80)

TCP (HTTP):
Connects to 80.83.2ea9.ip4.static.sl-reverse.com  (169.46.131.128:80)

TCP (HTTP):
Connects to 203.130.60.50-BJ-CNC  (203.130.60.50:80)

TCP (HTTP):
Connects to 199-119-78-11.host.synial.com  (199.119.78.11:80)

TCP (HTTP):

TCP (HTTP):

TCP (HTTP):

TCP (HTTP):
Connects to 203.130.60.48-BJ-CNC  (203.130.60.48:80)

TCP (HTTP):
Connects to IZU17D6GWZOZ  (47.88.22.102:80)

TCP (HTTP):
Connects to 203.130.60.49-BJ-CNC  (203.130.60.49:80)

Remove jingling.exe - Powered by Reason Core Security