» client.exe
Overview
Analysis
File Details
Behaviors (1)
Network (45)

client.exe

Joltlogic

This adware bundler is distributed through Adknowledge's advertising supported software managers. The application client.exe by Joltlogic has been detected as adware by 8 anti-malware scanners. The program is a setup application that uses the Adknowledge Fusion installer. This executable runs as a local area network (LAN) Internet proxy server listening on port 1132 and has the ability to intercept and modify all inbound and outbound Internet traffic on the local host. While running, it connects to the Internet address server-54-230-141-177.sfo5.r.cloudfront.net on port 443.

File name:

client.exe

Publisher:

Joltlogic (signed and verified)

MD5:

a4a054c8eaea8cf0e94174e89da1c6d4

SHA-1:

6bb273caab44211ec07ac9812d234b88a3156ffe

Scanner detections:

8 / 68

Status:

Adware

Explanation:

This installer bundles various adware prorgams that may include toolbars and web browser advertising injectors/extensions.

Description:

This 'download manager' is also considered bundleware, a utility designed to download software (possibly legitimate or opensource) and bundle it with a number of optional offers including ad-supported utilities, toolbars, shopping comparison tools and browser extensions.

Analysis date:

4/20/2024 2:34:25 AM UTC (today)

Scan engine

Detection

Engine version

Avira AntiVirus

ADWARE/iBryte.Gen4

7.11.205.178

AVG

Generic

2016.0.3215

Comodo Security

ApplicUnwnt

20874

ESET NOD32

MSIL/Adware.iBryte (variant)

9.11086

Qihoo 360 Security

Win32/Virus.Adware.5a6

1.0.0.1015

Reason Heuristics

PUP.Adknowledge

15.1.28.14

Sophos

Mal/Wintrim-A

4.98

VIPRE Antivirus

AdKnowledge

37040

File size:

1.7 MB (1,817,824 bytes)

File type:

Executable application (Win32 EXE)

Bundler/Installer:

Adknowledge Fusion

Common path:

C:\Documents and Settings\{user}\Application data\browser extensions\client.exe

Digital Signature

Signed by:

Joltlogic

Authority:

COMODO CA Limited

Valid from:

7/15/2014 5:00:00 PM

Valid to:

7/16/2015 4:59:59 PM

Subject:

CN=Joltlogic, O=Joltlogic, STREET=4600 Madison Ave FL 10, L=Kansas City, S=Missouri, PostalCode=64112, C=US

Issuer:

CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:

5EE011413A702F6705B25B34B674F3AB

File PE Metadata

Compilation timestamp:

1/27/2015 3:46:05 PM

OS version:

5.1

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

10.0

CTPH (ssdeep):

24576:VkftmrJQSCAB6Awx6yxizJMob+KJ/+UVhjbZ+Qc9sZ19KFXNBPiX3tz9/uTk8ekN:VkfsrJQSb6xyEb4DLKhL6X99mTWJ

Entry address:

0xC657

Entry point:

E8, B3, 33, 00, 00, E9, 89, FE, FF, FF, 8B, FF, 55, 8B, EC, 83, 7D, 08, 00, 74, 2D, FF, 75, 08, 6A, 00, FF, 35, E4, 4B, 49, 00, FF, 15, 60, 00, 42, 00, 85, C0, 75, 18, 56, E8, 65, 34, 00, 00, 8B, F0, FF, 15, 5C, 00, 42, 00, 50, E8, 15, 34, 00, 00, 59, 89, 06, 5E, 5D, C3, 8B, C1, 83, 60, 04, 00, C7, 00, 48, D5, 48, 00, C6, 40, 08, 00, C3, 8B, FF, 55, 8B, EC, 8B, C1, 8B, 4D, 08, C7, 00, 48, D5, 48, 00, 8B, 09, 89, 48, 04, C6, 40, 08, 00, 5D, C2, 08, 00, 8B, 41, 04, 85, C0, 75, 05, B8, 50, D5, 48, 00, C3, 8B... 
[+]

Entropy:

6.0845

Code size:

122 KB (124,928 bytes)

Local Proxy Server

Proxy for:

Internet Settings

Local host address:

http://127.0.0.1:1132/

Local host port:

1132

Default credentials:

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):

Connects to ec2-52-206-93-196.compute-1.amazonaws.com (52.206.93.196:80)

TCP (HTTP):

Connects to server-52-84-239-178.sfo5.r.cloudfront.net (52.84.239.178:80)

TCP (HTTP):

Connects to s3-1-w.amazonaws.com (52.216.1.112:80)

TCP (HTTP):

Connects to ec2-54-208-30-101.compute-1.amazonaws.com (54.208.30.101:80)

TCP (HTTP):

Connects to ec2-50-17-217-59.compute-1.amazonaws.com (50.17.217.59:80)

TCP (HTTP):

Connects to ec2-54-221-254-214.compute-1.amazonaws.com (54.221.254.214:80)

TCP (HTTP SSL):

Connects to client.v.dropbox.com (108.160.172.236:443)

TCP (HTTP SSL):

Connects to yk-in-f139.1e100.net (74.125.196.139:443)

TCP (HTTP):

Connects to UNKNOWN-68-142-253-X.yahoo.com (68.142.253.73:80)

TCP (HTTP):

Connects to server-54-230-5-230.dfw3.r.cloudfront.net (54.230.5.230:80)

TCP (HTTP):

Connects to server-54-230-141-179.sfo5.r.cloudfront.net (54.230.141.179:80)

TCP (HTTP SSL):

Connects to server-54-230-141-177.sfo5.r.cloudfront.net (54.230.141.177:443)

TCP (HTTP):

Connects to server-54-230-141-127.sfo5.r.cloudfront.net (54.230.141.127:80)

TCP (HTTP SSL):

Connects to server-54-192-37-57.jfk1.r.cloudfront.net (54.192.37.57:443)

TCP (HTTP):

Connects to server-52-84-239-218.sfo5.r.cloudfront.net (52.84.239.218:80)

TCP (HTTP):

Connects to server-52-84-239-144.sfo5.r.cloudfront.net (52.84.239.144:80)

TCP (HTTP):

Connects to s3-1.amazonaws.com (52.216.2.43:80)

TCP (HTTP):

Connects to p3slh051.shr.phx3.secureserver.net (68.178.254.202:80)

TCP (HTTP SSL):

Connects to msnbot-65-55-252-43.search.msn.com (65.55.252.43:443)

TCP (HTTP SSL):

Connects to mrs04s10-in-f14.1e100.net (216.58.210.238:443)

Remove client.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.