client.exe

Software Jockey

This is published and distributed via an Adknowledge's advertising supported (adware) software installer. The application client.exe by Software Jockey has been detected as adware by 16 anti-malware scanners. This executable runs as a local area network (LAN) Internet proxy server listening on port 52250 and has the ability to intercept and modify all inbound and outbound Internet traffic on the local host. Additionally, the file is typically installed by a number of programs including Rockettab by Rich River Media, LLC and “RocketTab” by Adknowledge, both potentially unwanted software.
Publisher:
Software Jockey  (signed and verified)

MD5:
7e910a87ec6fb21d0a65a047ada02e91

SHA-1:
af0f4f195e59921ca9e8a03de17fdb6198de113a

SHA-256:
3fbad46f6ec13e664eddb3c44779d7c929b624f8099ffad12adb4692e7dac4a0

Scanner detections:
16 / 68

Status:
Adware

Explanation:
This installer bundles various adware prorgams that may include toolbars and web browser advertising injectors/extensions.

Analysis date:
11/24/2017 11:40:03 PM UTC  (today)

Scan engine
Detection
Engine version

Lavasoft Ad-Aware
Gen:Variant.Adware.Graftor.164387
797

avast!
Win32:Adware-CBG [PUP]
2014.9-141130

Bitdefender
Gen:Variant.Adware.Graftor.164387
1.0.20.1670

Emsisoft Anti-Malware
Gen:Variant.Adware.Graftor.164387
8.14.11.30.12

F-Secure
Gen:Variant.Adware.Graftor.164387
11.2014-30-11_1

G Data
Gen:Variant.Adware.Graftor.164387
14.11.24

K7 Gateway Antivirus
Riskware
13.186.14186

McAfee
Artemis!45804C006E6C
5600.6931

McAfee Web Gateway
Artemis
7.6931

MicroWorld eScan
Gen:Variant.Adware.Graftor.164387
15.0.0.1002

Panda Antivirus
Trj/Genetic.gen
14.11.30.12

Qihoo 360 Security
HEUR/QVM10.1.Malware.Gen
1.0.0.1015

Reason Heuristics
PUP.SoftwareJockey.G
14.10.31.5

Sophos
iBryte Desktop
4.98

Trend Micro House Call
TROJ_GEN.R047H09KS14
7.2.334

VIPRE Antivirus
AdKnowledge
34388

File size:
5.5 MB (5,751,528 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\Program Files\search extensions\client.exe

Digital Signature
Signed by:

Authority:
COMODO CA Limited

Valid from:
3/23/2014 8:00:00 PM

Valid to:
3/24/2015 7:59:59 PM

Subject:
CN=Software Jockey, O=Software Jockey, STREET="4600 Madison Ave, 10th FL", L=Kansas City, S=Missouri, PostalCode=64112, C=US

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
3481FC293A085AD3BA94D30DC9CC2E95

File PE Metadata
Compilation timestamp:
10/30/2014 4:06:01 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
24576:rdrGz0z4qygoBIb+8UBMn0yiOd8UqqmSl7Zy1wACiNRZs/I7tj0J/nSpNmO+hroi:Bx

Entry address:
0x1E8F

Entry point:
E8, 3B, 27, 00, 00, E9, 89, FE, FF, FF, 8B, FF, 55, 8B, EC, 83, 7D, 08, 00, 74, 2D, FF, 75, 08, 6A, 00, FF, 35, AC, 8F, 97, 00, FF, 15, 3C, 80, 40, 00, 85, C0, 75, 18, 56, E8, ED, 27, 00, 00, 8B, F0, FF, 15, 38, 80, 40, 00, 50, E8, 9D, 27, 00, 00, 59, 89, 06, 5E, 5D, C3, 6A, 0C, 68, B0, A4, 40, 00, E8, 01, 25, 00, 00, 6A, 0E, E8, ED, 2A, 00, 00, 59, 83, 65, FC, 00, 8B, 75, 08, 8B, 4E, 04, 85, C9, 74, 2F, A1, 00, 84, 97, 00, BA, FC, 83, 97, 00, 89, 45, E4, 85, C0, 74, 11, 39, 08, 75, 2C, 8B, 48, 04, 89, 4A...
 
[+]

Entropy:
3.5556

Code size:
25.5 KB (26,112 bytes)

Local Proxy Server
Proxy for:
Internet Settings

Local host address:
http://127.0.0.1:52250/

Local host port:
52250

Default credentials:
No


The file client.exe has been discovered within the following programs.

“RocketTab”  by Adknowledge
RocketTab is a web browser extension that injects display advertising in the user's browser. Ads are displayed in the form of banners and contextual text-links and are both injected in white space areas of the HTML page or over existing ads of the underlying web site.
85% remove it
Rockettab  by Rich River Media, LLC
RocketTab is an adware program that injects advertising in the user's web browser by creating a local proxy server and routing all Internet traffic through that proxy. By re-routing traffic the service will be able to include various ads in the HTML of the displaying web page.
rockettab.com
88% remove it
 
Powered by Should I Remove It?

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP SSL):
Connects to yyz08s13-in-f30.1e100.net  (74.125.226.126:443)

TCP (HTTP):
Connects to server-54-230-103-229.iad2.r.cloudfront.net  (54.230.103.229:80)

TCP (HTTP):
Connects to server-54-230-103-112.iad2.r.cloudfront.net  (54.230.103.112:80)

TCP (HTTP):
Connects to server-54-230-102-253.iad2.r.cloudfront.net  (54.230.102.253:80)

TCP (HTTP):
Connects to server-54-230-102-237.iad2.r.cloudfront.net  (54.230.102.237:80)

TCP (HTTP):
Connects to segserv-21.btrll.com  (162.208.21.166:80)

TCP (HTTP SSL):
Connects to s3-1-w.amazonaws.com  (54.231.12.49:443)

TCP (HTTP):
Connects to rtbe-s2.pipelane.net  (38.126.130.215:80)

TCP (HTTP SSL):
Connects to rio01s07-in-f21.1e100.net  (173.194.119.21:443)

TCP (HTTP SSL):
Connects to r-092-044-234-077.ff.avast.com  (77.234.44.92:443)

TCP (HTTP):
Connects to presentation-atl1.turn.com  (50.116.194.21:80)

TCP (HTTP):
Connects to pr-east.pbp.vip.bf1.yahoo.com  (98.139.225.168:80)

TCP (HTTP SSL):
Connects to msnbot-65-55-252-43.search.msn.com  (65.55.252.43:443)

TCP (HTTP):
Connects to mhext-21.btrll.com  (162.208.21.167:80)

TCP (HTTP):
Connects to lga15s45-in-f28.1e100.net  (74.125.226.188:80)

TCP (HTTP):
Connects to lga15s45-in-f27.1e100.net  (74.125.226.187:80)

TCP (HTTP):
Connects to lga15s45-in-f25.1e100.net  (74.125.226.185:80)

TCP (HTTP SSL):
Connects to lax02s21-in-f5.1e100.net  (216.58.216.5:443)

TCP (HTTP SSL):
Connects to iad23s07-in-f8.1e100.net  (74.125.228.72:443)

TCP (HTTP):
Connects to gd.ads.vip.gq1.yahoo.com  (98.137.170.33:80)

Remove client.exe - Powered by Reason Core Security