» client.exe
Overview
Analysis
File Details
Behaviors (1)
Network (47)

client.exe

Joltlogic

This adware bundler is distributed through Adknowledge's advertising supported software managers. The application client.exe by Joltlogic has been detected as adware by 17 anti-malware scanners. The program is a setup application that uses the Adknowledge Fusion installer. This executable runs as a local area network (LAN) Internet proxy server listening on port 49216 and has the ability to intercept and modify all inbound and outbound Internet traffic on the local host. While running, it connects to the Internet address waws-prod-sn1-001.cloudapp.net on port 443.

File name:

client.exe

Publisher:

Joltlogic (signed and verified)

MD5:

d044c69d20a68d531a331d5ff0e46be3

SHA-1:

f07fa95565d57df05032c36463f1e48c0c91d5b5

SHA-256:

85438eab459b5c4db633f959cca22554045f39cad9de290316d0da12a645f17c

Scanner detections:

17 / 68

Status:

Adware

Explanation:

This installer bundles various adware prorgams that may include toolbars and web browser advertising injectors/extensions.

Description:

This is an installer which may bundle legitimate applications with offers for additional 3rd-party applications that may be unwanted by the user. While the installer contains an 'opt-out' feature this is not set be defult and is usually overlooked.

Analysis date:

4/26/2024 9:57:52 PM UTC (today)

Scan engine

Detection

Engine version

Lavasoft Ad-Aware

Gen:Variant.Adware.iBryte.8

751

Avira AntiVirus

ADWARE/iBryte.Gen4

7.11.201.124

avast!

Win32:Dropper-gen [Drp]

2014.9-150114

AVG

Generic

2016.0.3229

Baidu Antivirus

Adware.MSIL.iBryte

4.0.3.15114

Bitdefender

Gen:Variant.Adware.iBryte.8

1.0.20.70

Comodo Security

TrojWare.Win32.Injector.ABIP

20621

Emsisoft Anti-Malware

Gen:Variant.Adware.iBryte

8.15.01.14.11

ESET NOD32

MSIL/Adware.iBryte.S application

7.0.302.0

F-Secure

Gen:Variant.Adware.iBryte.8

11.2015-14-01_4

G Data

Gen:Variant.Adware.iBryte

15.1.24

MicroWorld eScan

Gen:Variant.Adware.iBryte.8

16.0.0.42

Qihoo 360 Security

HEUR/QVM10.1.Malware.Gen

1.0.0.1015

Reason Heuristics

PUP.Joltlogic.G

15.1.14.20

Rising Antivirus

PE:Trojan.FakeIcon!1.64A5

23.00.65.15112

Sophos

Virus 'Mal/Wintrim-A'

5.09

VIPRE Antivirus

Threat.4798837

36468

File size:

1.8 MB (1,859,808 bytes)

File type:

Executable application (Win32 EXE)

Bundler/Installer:

Adknowledge Fusion

Common path:

C:\users\{user}\appdata\local\geniusbox\client.exe

Digital Signature

Signed by:

Joltlogic

Authority:

COMODO CA Limited

Valid from:

7/15/2014 8:00:00 PM

Valid to:

7/16/2015 7:59:59 PM

Subject:

CN=Joltlogic, O=Joltlogic, STREET=4600 Madison Ave FL 10, L=Kansas City, S=Missouri, PostalCode=64112, C=US

Issuer:

CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:

5EE011413A702F6705B25B34B674F3AB

File PE Metadata

Compilation timestamp:

1/14/2015 3:32:48 PM

OS version:

5.1

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

10.0

CTPH (ssdeep):

24576:MJsU3XnyJ3oTetoKYkjzH/MrBRPiNXFlbX/MA8Wu/GYuX7AgCdmWJ8/ZnMMxV:TwjPdFwuW1mmWZ

Entry address:

0xCC67

Entry point:

E8, B3, 33, 00, 00, E9, 89, FE, FF, FF, 8B, FF, 55, 8B, EC, 83, 7D, 08, 00, 74, 2D, FF, 75, 08, 6A, 00, FF, 35, 84, DD, 49, 00, FF, 15, 60, 00, 42, 00, 85, C0, 75, 18, 56, E8, 65, 34, 00, 00, 8B, F0, FF, 15, 5C, 00, 42, 00, 50, E8, 15, 34, 00, 00, 59, 89, 06, 5E, 5D, C3, 8B, C1, 83, 60, 04, 00, C7, 00, 24, 70, 49, 00, C6, 40, 08, 00, C3, 8B, FF, 55, 8B, EC, 8B, C1, 8B, 4D, 08, C7, 00, 24, 70, 49, 00, 8B, 09, 89, 48, 04, C6, 40, 08, 00, 5D, C2, 08, 00, 8B, 41, 04, 85, C0, 75, 05, B8, 2C, 70, 49, 00, C3, 8B... 
[+]

Entropy:

6.0562

Code size:

123.5 KB (126,464 bytes)

Local Proxy Server

Proxy for:

Internet Settings

Local host address:

http://127.0.0.1:49216/

Local host port:

49216

Default credentials:

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP SSL):

Connects to msnbot-65-55-252-43.search.msn.com (65.55.252.43:443)

TCP (HTTP):

Connects to a23-61-187-27.deploy.static.akamaitechnologies.com (23.61.187.27:80)

TCP (HTTP SSL):

Connects to us.redir.opera.com (107.167.110.234:443)

TCP (HTTP):

Connects to ec2-50-17-224-168.compute-1.amazonaws.com (50.17.224.168:80)

TCP (HTTP SSL):

Connects to yk-in-f139.1e100.net (74.125.196.139:443)

TCP (HTTP SSL):

Connects to yk-in-f101.1e100.net (74.125.196.101:443)

TCP (HTTP SSL):

Connects to www2.twitter.jp (199.59.149.201:443)

TCP (HTTP SSL):

Connects to waws-prod-sn1-001.cloudapp.net (191.238.240.12:443)

TCP (HTTP SSL):

Connects to waws-prod-blu-013.cloudapp.net (191.238.8.26:443)

TCP (HTTP SSL):

Connects to ssl.sc.opera.com (82.145.223.176:443)

TCP (HTTP SSL):

Connects to speeddials.opera.com (82.145.223.181:443)

TCP (HTTP):

Connects to snt-re3-8c.sjc.dropbox.com (108.160.162.107:80)

TCP (HTTP):

Connects to server-54-192-192-227.iad53.r.cloudfront.net (54.192.192.227:80)

TCP (HTTP SSL):

Connects to r-199-59-148-85.twttr.com (199.59.148.85:443)

TCP:

Connects to qa-in-f188.1e100.net (173.194.68.188:5228)

TCP (HTTP):

Connects to ord31s22-in-f2.1e100.net (216.58.216.226:80)

TCP (HTTP SSL):

Connects to ord31s21-in-f3.1e100.net (216.58.216.195:443)

TCP (HTTP SSL):

Connects to ord30s22-in-f14.1e100.net (216.58.216.110:443)

TCP (HTTP):

Connects to ord30s21-in-f2.1e100.net (216.58.216.66:80)

TCP (HTTP):

Connects to ord08s13-in-f18.1e100.net (173.194.46.114:80)

Remove client.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.