home

client.exe

Software Jockey

This is published and distributed via an Adknowledge's advertising supported (adware) software installer. The application client.exe by Software Jockey has been detected as adware by 8 anti-malware scanners. Additionally, the file is typically installed by a number of programs including Rockettab by Rich River Media, LLC and “RocketTab” by Adknowledge, both potentially unwanted software.
Publisher:
Software Jockey  (signed and verified)

MD5:
4f1db2febd34d346f0d754c2485393c2

SHA-1:
410879e4b3c3b2fc66bebe2ee33f912462f7ab0a

SHA-256:
e5127be3e1f7d34472895489065342f959610157cffe170b3d6ac4e4b4096c6d

Scanner detections:
8 / 68

Status:
Adware

Explanation:
This installer bundles various adware prorgams that may include toolbars and web browser advertising injectors/extensions.

Analysis date:
4/25/2024 1:28:29 AM UTC  (today)

Scan engine
Detection
Engine version

AVG
Generic
2015.0.3253

Baidu Antivirus
Adware.Win32.RocketTab
4.0.3.141222

ESET NOD32
MSIL/Adware.iBryte (variant)
8.10701

Kaspersky
not-a-virus:AdWare.MSIL.RocketTab
14.0.0.2760

Malwarebytes
PUP.Optional.SoftJok
v2014.12.22.12

McAfee
Artemis!9CBD7602DB05
5600.6909

Reason Heuristics
PUP.SoftwareJockey.G
14.10.30.20

VIPRE Antivirus
AdKnowledge
34378

File size:
5.5 MB (5,751,528 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\Program Files\search extensions\client.exe

Digital Signature
Signed by:
Software Jockey

Authority:
COMODO CA Limited

Valid from:
3/24/2014 12:00:00 AM

Valid to:
3/24/2015 11:59:59 PM

Subject:
CN=Software Jockey, O=Software Jockey, STREET="4600 Madison Ave, 10th FL", L=Kansas City, S=Missouri, PostalCode=64112, C=US

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
3481FC293A085AD3BA94D30DC9CC2E95

File PE Metadata
Compilation timestamp:
10/29/2014 9:10:35 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
24576:666Yu0oBmQn6Uz6II2odBDkDrZq24Z/6qL6V+A9:Y9

Entry address:
0x1D9D

Entry point:
E8, 7D, 26, 00, 00, E9, 89, FE, FF, FF, 8B, FF, 55, 8B, EC, 83, 7D, 08, 00, 74, 2D, FF, 75, 08, 6A, 00, FF, 35, AC, 8F, 97, 00, FF, 15, 38, 80, 40, 00, 85, C0, 75, 18, 56, E8, 2F, 27, 00, 00, 8B, F0, FF, 15, 34, 80, 40, 00, 50, E8, DF, 26, 00, 00, 59, 89, 06, 5E, 5D, C3, 6A, 0C, 68, 90, A4, 40, 00, E8, 43, 24, 00, 00, 6A, 0E, E8, 2F, 2A, 00, 00, 59, 83, 65, FC, 00, 8B, 75, 08, 8B, 4E, 04, 85, C9, 74, 2F, A1, 00, 84, 97, 00, BA, FC, 83, 97, 00, 89, 45, E4, 85, C0, 74, 11, 39, 08, 75, 2C, 8B, 48, 04, 89, 4A...
 
[+]

Entropy:
4.8086

Code size:
25.5 KB (26,112 bytes)

The file client.exe has been discovered within the following programs.

“RocketTab”  by Adknowledge
RocketTab is a web browser extension that injects display advertising in the user's browser. Ads are displayed in the form of banners and contextual text-links and are both injected in white space areas of the HTML page or over existing ads of the underlying web site.
85% remove it
Rockettab  by Rich River Media, LLC
RocketTab is an adware program that injects advertising in the user's web browser by creating a local proxy server and routing all Internet traffic through that proxy. By re-routing traffic the service will be able to include various ads in the HTML of the displaying web page.
rockettab.com
88% remove it
 
Powered by Should I Remove It?

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to ec2-54-208-30-101.compute-1.amazonaws.com  (54.208.30.101:80)

TCP (HTTP SSL):
Connects to yk-in-f138.1e100.net  (74.125.196.138:443)

TCP (HTTP SSL):
Connects to yk-in-f101.1e100.net  (74.125.196.101:443)

TCP (HTTP SSL):
Connects to yh-in-f102.1e100.net  (74.125.137.102:443)

TCP (HTTP SSL):
Connects to ord08s07-in-f18.1e100.net  (74.125.225.82:443)

TCP (HTTP):
Connects to ns417046.ip-37-187-145.eu  (37.187.145.69:80)

TCP (HTTP SSL):
Connects to ham02s13-in-f30.1e100.net  (173.194.39.30:443)

TCP (HTTP SSL):
Connects to fra07s27-in-f6.1e100.net  (173.194.112.6:443)

TCP (HTTP SSL):
Connects to fra07s27-in-f0.1e100.net  (173.194.112.0:443)

TCP (HTTP SSL):
Connects to ee-in-f94.1e100.net  (173.194.65.94:443)

TCP (HTTP SSL):
Connects to ee-in-f84.1e100.net  (173.194.65.84:443)

TCP (HTTP SSL):
Connects to ee-in-f190.1e100.net  (173.194.65.190:443)

TCP (HTTP SSL):
Connects to ee-in-f113.1e100.net  (173.194.65.113:443)

TCP (HTTP):
Connects to ee-in-f102.1e100.net  (173.194.65.102:80)

TCP (HTTP SSL):
Connects to edb-owned-address-153_110_198_201.hidden-host.edb.com  (153.110.198.201:443)

TCP (HTTP):
Connects to ec2-75-101-158-62.compute-1.amazonaws.com  (75.101.158.62:80)

TCP (HTTP):
Connects to ec2-54-243-147-255.compute-1.amazonaws.com  (54.243.147.255:80)

TCP (HTTP):
Connects to ec2-54-235-185-31.compute-1.amazonaws.com  (54.235.185.31:80)

TCP (HTTP):
Connects to ec2-54-225-207-109.compute-1.amazonaws.com  (54.225.207.109:80)

TCP (HTTP):
Connects to ec2-54-225-130-198.compute-1.amazonaws.com  (54.225.130.198:80)

Remove client.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.