jinglingsinemafi.exe

流量精灵

Rice Electronics Co.,Ltd

The executable jinglingsinemafi.exe has been detected as malware by 10 anti-virus scanners. It is configured to start automatically when a user logs into Windows, via a value named ‘urlspace’ in the current-user Run registry key.
Publisher:
精灵软件 (signed by Rice Electronics Co.,Ltd)

Product:
流量精灵

Version:
2012.4.9.86

MD5:
4fb4240eadda24687cf6ed32f3436f60

SHA-1:
ea15e743d2814c59d81af2d12cc4abe190c02e50

SHA-256:
f7366535bd7dd9c03d94cfd9fa9e2c16f89d8426dc2a5667dd8615e0049f4c64

Scanner detections:
10 / 68

Status:
Malware

Analysis date:
11/23/2024 2:23:43 AM UTC

Scan engine | Detection | Engine version

AhnLab V3 Security | Trojan/Win32.Clicker | 2014.06.29
Avira AntiVirus | SPR/FlowSpirit.634248 | 7.11.157.134
Dr.Web | Trojan.DownLoader8.25327 | 9.0.1.0184
ESET NOD32 | Win32/FlowSpirit | 8.10015
McAfee | Artemis!4FB4240EADDA | 5600.7080
NANO AntiVirus | Trojan.Win32.Gen5.cymiko | 0.28.0.60475
Qihoo 360 Security | HEUR/Malware.QVM09.Gen | 1.0.0.1015
Sophos | Generic PUA OK | 4.98
Trend Micro House Call | TROJ_AGENT.JDR | 7.2.184
Trend Micro | TROJ_AGENT.JDR | 10.465.03

File size:
619.4 KB (634,248 bytes)

Product version:
3.4.3.1

Copyright:
Copyright 2011 Spiritsoft All Rights Reserved.

Original file name:
jingling.exe

File type:
Executable application (Win32 EXE)

Language:
Chinese (Simplified, PRC)

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\jinglingsinemafi.exe

Digital Signature
Authority:
VeriSign, Inc.

Valid from:
11/4/2011 2:00:00 AM

Valid to:
11/4/2012 1:59:59 AM

Subject:
CN="Rice Electronics Co.,Ltd", OU=VTN Support, OU=Digital ID Class 3 - Microsoft Software Validation v2, O="Rice Electronics Co.,Ltd", L=Beijing, S=Beijing, C=CN

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
2AFDF409C5B747EF1F1BA5905A0DD798

File PE Metadata
Compilation timestamp:
4/9/2012 6:00:37 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
8.0

CTPH (ssdeep):
12288:MRpBa14H6o0QYWzNLoZcl/P4P1eTo220c:Mxa14H6o0ANh9wMTo2c

Entry address:
0x48C9A

Entry point:
E8, AA, BA, 00, 00, E9, 17, FE, FF, FF, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, 8D, 42, FF, 5B, C3, 8D, A4, 24, 00, 00, 00, 00, 8D, 64, 24, 00, 33, C0, 8A, 44, 24, 08, 53, 8B, D8, C1, E0, 08, 8B, 54, 24, 08, F7, C2, 03, 00, 00, 00, 74, 15, 8A, 0A, 83, C2, 01, 3A, CB, 74, CF, 84, C9, 74, 51, F7, C2, 03, 00, 00, 00, 75, EB, 0B, D8, 57, 8B, C3, C1, E3, 10, 56, 0B, D8, 8B, 0A, BF, FF, FE, FE, 7E, 8B, C1, 8B, F7, 33, CB, 03, F0, 03, F9, 83, F1, FF, 83, F0, FF, 33, CF, 33, C6, 83, C2, 04, 81, E1, 00, 01...

Code size:
419 KB (429,056 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
urlspace

Command:
C:\users\{user}\appdata\local\temp\{random}.tmp\jinglingsinemafi.exe -h

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP SSL):
Connects to xx-fbcdn-shv-01-fra3.fbcdn.net  (31.13.93.7:443)

TCP (HTTP SSL):
Connects to edge-star-mini-shv-01-fra3.facebook.com  (31.13.93.36:443)

TCP (HTTP):
Connects to ec2-52-0-98-133.compute-1.amazonaws.com  (52.0.98.133:80)

TCP (HTTP):
Connects to lb.factorydirectcraft.com.0.28.50.in-addr.arpa  (50.28.0.84:80)

TCP (HTTP):
Connects to c4.3e.559e.ip4.static.sl-reverse.com  (158.85.62.196:80)

TCP (HTTP):
Connects to 109.186.211.130.bc.googleusercontent.com  (130.211.186.109:80)

TCP (HTTP):
Connects to server-54-192-203-8.fra50.r.cloudfront.net  (54.192.203.8:80)

TCP (HTTP):
Connects to server.traffic2bitcoin.com  (67.222.131.186:80)

TCP (HTTP):
Connects to reverse.gdsz.cncnet.net  (58.251.100.24:80)

TCP (HTTP):
Connects to ns323877.ip-94-23-53.eu  (94.23.53.96:80)

TCP (HTTP):
Connects to ns3008170.ip-151-80-21.eu  (151.80.21.2:80)

TCP (HTTP):
Connects to ns3002496.ip-37-59-5.eu  (37.59.5.56:80)

TCP (HTTP):
Connects to mpr1.ngd.vip.ir2.yahoo.com  (217.12.15.83:80)

TCP (HTTP):
Connects to ip-23-229-137-65.ip.secureserver.net  (23.229.137.65:80)

TCP (HTTP):
Connects to host.adsoid.com  (69.167.136.199:80)

TCP (HTTP):
Connects to ec2-54-154-125-191.eu-west-1.compute.amazonaws.com  (54.154.125.191:80)

TCP (HTTP):
Connects to ec2-52-54-6-128.compute-1.amazonaws.com  (52.54.6.128:80)

TCP (HTTP):
Connects to ec2-52-210-127-14.eu-west-1.compute.amazonaws.com  (52.210.127.14:80)

TCP (HTTP):
Connects to ec2-34-196-13-28.compute-1.amazonaws.com  (34.196.13.28:80)

Remove jinglingsinemafi.exe - Powered by Reason Core Security