client.exe

Joltlogic

This is published and distributed via an Adknowledge's advertising supported (adware) software installer. The application client.exe by Joltlogic has been detected as adware by 14 anti-malware scanners. This executable runs as a local area network (LAN) Internet proxy server listening on port 49742 and has the ability to intercept and modify all inbound and outbound Internet traffic on the local host.
Publisher:
Joltlogic  (signed and verified)

MD5:
4d1ab8433e6ae0fe0f41a759de599181

SHA-1:
dbcf2e3df94fffd2631a92381acafc34fd207ebd

SHA-256:
ee055fc6debb778f93b5e5d714cff0ac4df1a1bc6fec47cb88548aab060ffe7a

Scanner detections:
14 / 68

Status:
Adware

Explanation:
This installer bundles various adware prorgams that may include toolbars and web browser advertising injectors/extensions.

Analysis date:
9/25/2017 4:37:28 PM UTC  (today)

Scan engine
Detection
Engine version

Lavasoft Ad-Aware
Gen:Variant.Adware.iBryte.8
759

avast!
Win32:Dropper-gen [Drp]
2014.9-150114

AVG
Generic
2016.0.3237

Baidu Antivirus
Adware.MSIL.iBryte
4.0.3.15114

Bitdefender
Gen:Variant.Adware.iBryte.8
1.0.20.30

Comodo Security
TrojWare.Win32.Injector.ABIP
20621

Emsisoft Anti-Malware
Gen:Variant.Adware.iBryte
8.15.01.06.06

ESET NOD32
MSIL/Adware.iBryte (variant)
9.10972

F-Secure
Gen:Variant.Adware.iBryte.8
11.2015-06-01_3

G Data
Gen:Variant.Adware.iBryte
15.1.24

MicroWorld eScan
Gen:Variant.Adware.iBryte.8
16.0.0.18

Reason Heuristics
PUP.Joltlogic.G
15.1.6.18

Sophos
Mal/Wintrim-A
4.98

VIPRE Antivirus
AdKnowledge
36432

File size:
1.8 MB (1,882,336 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\local\geniusbox\client.exe

Digital Signature
Signed by:

Authority:
COMODO CA Limited

Valid from:
7/15/2014 7:00:00 PM

Valid to:
7/16/2015 6:59:59 PM

Subject:
CN=Joltlogic, O=Joltlogic, STREET=4600 Madison Ave FL 10, L=Kansas City, S=Missouri, PostalCode=64112, C=US

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
5EE011413A702F6705B25B34B674F3AB

File PE Metadata
Compilation timestamp:
1/6/2015 12:44:50 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
24576:olSKpkTZrDHo/hfEtxmiEx1IzyaTIhaC23x/fsZuQ/5OZFypPRDKxAsL:/KpoFltoi7zt8hCfs9JpPRo

Entry address:
0xB967

Entry point:
E8, A3, 32, 00, 00, E9, 89, FE, FF, FF, 8B, FF, 55, 8B, EC, 83, 7D, 08, 00, 74, 2D, FF, 75, 08, 6A, 00, FF, 35, E4, 47, 4A, 00, FF, 15, 60, F0, 41, 00, 85, C0, 75, 18, 56, E8, 55, 33, 00, 00, 8B, F0, FF, 15, 5C, F0, 41, 00, 50, E8, 05, 33, 00, 00, 59, 89, 06, 5E, 5D, C3, 8B, C1, 83, 60, 04, 00, C7, 00, D8, DB, 49, 00, C6, 40, 08, 00, C3, 8B, FF, 55, 8B, EC, 8B, C1, 8B, 4D, 08, C7, 00, D8, DB, 49, 00, 8B, 09, 89, 48, 04, C6, 40, 08, 00, 5D, C2, 08, 00, 8B, 41, 04, 85, C0, 75, 05, B8, E0, DB, 49, 00, C3, 8B...
 
[+]

Entropy:
5.9771

Code size:
118 KB (120,832 bytes)

Local Proxy Server
Proxy for:
Internet Settings

Local host address:
http://127.0.0.1:49742/

Local host port:
49742

Default credentials:
No


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP SSL):
Connects to vip1.g5.cachefly.net  (205.234.175.175:443)

TCP (HTTP SSL):
Connects to a-0001.a-msedge.net  (204.79.197.200:443)

TCP (HTTP):
Connects to ec2-54-235-170-110.compute-1.amazonaws.com  (54.235.170.110:80)

TCP (HTTP):
Connects to ec2-54-208-30-101.compute-1.amazonaws.com  (54.208.30.101:80)

TCP (HTTP):
Connects to ec2-54-225-162-60.compute-1.amazonaws.com  (54.225.162.60:80)

TCP (HTTP):
Connects to ec2-54-221-254-214.compute-1.amazonaws.com  (54.221.254.214:80)

TCP (HTTP SSL):
Connects to msnbot-65-55-252-43.search.msn.com  (65.55.252.43:443)

TCP (HTTP):
Connects to ec2-23-23-122-91.compute-1.amazonaws.com  (23.23.122.91:80)

TCP (HTTP SSL):
Connects to rtr3.l7.search.vip.ir2.yahoo.com  (217.12.15.96:443)

TCP (HTTP):
Connects to a184-50-239-90.deploy.static.akamaitechnologies.com  (184.50.239.90:80)

TCP (HTTP):
Connects to a184-50-239-66.deploy.static.akamaitechnologies.com  (184.50.239.66:80)

TCP (HTTP SSL):
Connects to a-0011.a-msedge.net  (204.79.197.213:443)

TCP (HTTP):
Connects to srv.g.ebay.com  (66.211.181.31:80)

TCP (HTTP):
Connects to server-52-85-101-161.jfk1.r.cloudfront.net  (52.85.101.161:80)

TCP (HTTP):
Connects to server-52-84-33-206.ewr50.r.cloudfront.net  (52.84.33.206:80)

TCP (HTTP):
Connects to gha.g.ebay.com  (66.211.184.152:80)

TCP (HTTP):
Connects to esupport.com  (38.102.75.222:80)

TCP (HTTP):
Connects to ec2-54-210-5-2.compute-1.amazonaws.com  (54.210.5.2:80)

TCP (HTTP):
Connects to ec2-54-209-210-98.compute-1.amazonaws.com  (54.209.210.98:80)

TCP (HTTP):
Connects to ec2-54-154-66-200.eu-west-1.compute.amazonaws.com  (54.154.66.200:80)

Remove client.exe - Powered by Reason Core Security