home

client.exe

Software Jockey

This is published and distributed via an Adknowledge's advertising supported (adware) software installer. The application client.exe by Software Jockey has been detected as adware by 8 anti-malware scanners. This executable runs as a local area network (LAN) Internet proxy server listening on port 49475 and has the ability to intercept and modify all inbound and outbound Internet traffic on the local host. This file is typically installed with the program “RocketTab” by Adknowledge which is a potentially unwanted software program.
Publisher:
Software Jockey  (signed and verified)

MD5:
53e5f586b1e7f94fd1302ab6c5084455

SHA-1:
4b7f0d8a0893eae6ba1fc864883738379d155277

SHA-256:
a8c8e333e0ba459dd54b3e024ab0eeaa986e89e74493219286b015eab14158ff

Scanner detections:
8 / 68

Status:
Adware

Explanation:
This installer bundles various adware prorgams that may include toolbars and web browser advertising injectors/extensions.

Analysis date:
4/25/2024 2:48:44 AM UTC  (today)

Scan engine
Detection
Engine version

AVG
Generic
2015.0.3253

Baidu Antivirus
Adware.Win32.RocketTab
4.0.3.141222

ESET NOD32
MSIL/Adware.iBryte (variant)
8.10701

Kaspersky
not-a-virus:AdWare.MSIL.RocketTab
14.0.0.2760

Malwarebytes
PUP.Optional.SoftJok
v2014.12.22.12

McAfee
Artemis!9CBD7602DB05
5600.6909

Reason Heuristics
PUP.SoftwareJockey.G
14.10.30.14

VIPRE Antivirus
AdKnowledge
34342

File size:
5.5 MB (5,751,528 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\Program Files\search extensions\client.exe

Digital Signature
Signed by:
Software Jockey

Authority:
COMODO CA Limited

Valid from:
3/23/2014 5:00:00 PM

Valid to:
3/24/2015 4:59:59 PM

Subject:
CN=Software Jockey, O=Software Jockey, STREET="4600 Madison Ave, 10th FL", L=Kansas City, S=Missouri, PostalCode=64112, C=US

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
3481FC293A085AD3BA94D30DC9CC2E95

File PE Metadata
Compilation timestamp:
10/29/2014 9:31:03 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
24576:9AAr4kRehyBSYcjL4opZmi3sNwGBA/x7hgt12ERuRjHkKuHU7+yaS:IU9tkxCi3YwZDQnKAvS

Entry address:
0x1D9D

Entry point:
E8, 7D, 26, 00, 00, E9, 89, FE, FF, FF, 8B, FF, 55, 8B, EC, 83, 7D, 08, 00, 74, 2D, FF, 75, 08, 6A, 00, FF, 35, AC, 8F, 97, 00, FF, 15, 38, 80, 40, 00, 85, C0, 75, 18, 56, E8, 2F, 27, 00, 00, 8B, F0, FF, 15, 34, 80, 40, 00, 50, E8, DF, 26, 00, 00, 59, 89, 06, 5E, 5D, C3, 6A, 0C, 68, 90, A4, 40, 00, E8, 43, 24, 00, 00, 6A, 0E, E8, 2F, 2A, 00, 00, 59, 83, 65, FC, 00, 8B, 75, 08, 8B, 4E, 04, 85, C9, 74, 2F, A1, 00, 84, 97, 00, BA, FC, 83, 97, 00, 89, 45, E4, 85, C0, 74, 11, 39, 08, 75, 2C, 8B, 48, 04, 89, 4A...
 
[+]

Entropy:
4.4872

Code size:
25.5 KB (26,112 bytes)

Local Proxy Server
Proxy for:
Internet Settings

Local host address:
http://127.0.0.1:49475/

Local host port:
49475

Default credentials:
No


The file client.exe has been discovered within the following program.

“RocketTab”  by Adknowledge
RocketTab is a web browser extension that injects display advertising in the user's browser. Ads are displayed in the form of banners and contextual text-links and are both injected in white space areas of the HTML page or over existing ads of the underlying web site.
85% remove it
 
Powered by Should I Remove It?

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP SSL):
Connects to edge-star-shv-01-ams3.facebook.com  (31.13.91.2:443)

TCP (HTTP):
Connects to ec2-54-208-30-101.compute-1.amazonaws.com  (54.208.30.101:80)

TCP (HTTP):
Connects to cluster003.ovh.net  (213.186.33.4:80)

TCP (HTTP):
Connects to 216-104-99-201.eastlink.ca  (216.104.99.201:80)

TCP (HTTP):
Connects to 108.168.240.194-static.reverse.softlayer.com  (108.168.240.194:80)

Remove client.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.