client.exe

Joltlogic

This adware bundler is distributed through Adknowledge's advertising-supported software managers. The application client.exe by Joltlogic has been detected as adware by 12 anti-malware scanners. The program is a setup application that uses the Adknowledge Fusion installer. This executable runs as a local area network (LAN) Internet proxy server listening on port 49337 and has the ability to intercept and modify all inbound and outbound Internet traffic on the local host. While running, it connects to the Internet address 89.240.178.107.bc.googleusercontent.com on port 443.
Publisher:
Joltlogic  (signed and verified)

MD5:
448deb5ad3e094ec47f6e5ec397764a4

SHA-1:
f8ee33236c8d5b6e913c50b937478cfa1593fc9c

SHA-256:
af51a560be1af7ad18ce4d2242fb5b566db074d53f0b623b463609b02fd5b3ec

Scanner detections:
12 / 68

Status:
Adware

Explanation:
This installer bundles various adware programs that may include toolbars and web browser advertising injectors/extensions.

Description:
This is an installer which may bundle legitimate applications with offers for additional third-party applications that may be unwanted by the user. While the installer contains an 'opt-out' feature, this is not set by default and is usually overlooked.

Analysis date:
11/21/2017 3:40:13 AM UTC

Scan engine             Detection                               Engine version
Avira AntiVirus         ADWARE/iBryte.Gen4                      7.11.211.202
avast!                  Win32:IBryte-JX [PUP]                   150203-1
AVG                     Generic                                 2016.0.3192
Bkav FE                 W32.HfsAdware                           1.3.0.6379
ESET NOD32              MSIL/Adware.iBryte.S application        7.0.302.0
Kaspersky               not-a-virus:AdWare.Win32.iBryte         15.0.0.543
McAfee                  Trojan.Artemis!448DEB5AD3E0             16.8.708.2
McAfee Web Gateway      Artemis                                 7.6848
Qihoo 360 Security      Win32/Virus.Adware.5a6                  1.0.0.1015
Reason Heuristics       PUP.Adknowledge                         15.2.20.23
Sophos                  Virus 'Mal/Wintrim-A'                   5.10
VIPRE Antivirus         Threat.4798837                          37588

File size:
1.7 MB (1,794,784 bytes)

File type:
Executable application (Win32 EXE)

Bundler/Installer:
Adknowledge Fusion

Common path:
C:\users\{user}\appdata\local\browser extensions\client.exe

Digital Signature
Signed by:

Authority:
COMODO CA Limited

Valid from:
7/15/2014 8:00:00 PM

Valid to:
7/16/2015 7:59:59 PM

Subject:
CN=Joltlogic, O=Joltlogic, STREET=4600 Madison Ave FL 10, L=Kansas City, S=Missouri, PostalCode=64112, C=US

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
5EE011413A702F6705B25B34B674F3AB

File PE Metadata
Compilation timestamp:
2/20/2015 9:52:25 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
24576:xrFfQJci9P+YpBY+CUhyToYfS+Tksb5VpzztRLq8sTowVw5SNWNdZH1EnoZ:VdiXif3fXTddHqhUhn

Entry address:
0xCAD7

Entry point:
E8, B3, 33, 00, 00, E9, 89, FE, FF, FF, 8B, FF, 55, 8B, EC, 83, 7D, 08, 00, 74, 2D, FF, 75, 08, 6A, 00, FF, 35, A4, 77, 49, 00, FF, 15, 60, 00, 42, 00, 85, C0, 75, 18, 56, E8, 65, 34, 00, 00, 8B, F0, FF, 15, 5C, 00, 42, 00, 50, E8, 15, 34, 00, 00, 59, 89, 06, 5E, 5D, C3, 8B, C1, 83, 60, 04, 00, C7, 00, F4, 0F, 49, 00, C6, 40, 08, 00, C3, 8B, FF, 55, 8B, EC, 8B, C1, 8B, 4D, 08, C7, 00, F4, 0F, 49, 00, 8B, 09, 89, 48, 04, C6, 40, 08, 00, 5D, C2, 08, 00, 8B, 41, 04, 85, C0, 75, 05, B8, FC, 0F, 49, 00, C3, 8B...

Entropy:
6.0999

Code size:
123 KB (125,952 bytes)

Local Proxy Server
Proxy for:
Internet Settings

Local host address:
http://127.0.0.1:49337/

Local host port:
49337

Default credentials:
No

The executing file has been observed making the following network communications in live environments.

TCP (HTTP):
Connects to ec2-54-221-254-214.compute-1.amazonaws.com  (54.221.254.214:80)

TCP (HTTP):
Connects to ec2-50-17-224-168.compute-1.amazonaws.com  (50.17.224.168:80)

TCP (HTTP):
Connects to server-54-230-87-157.lax3.r.cloudfront.net  (54.230.87.157:80)

TCP (HTTP):
Connects to ec2-54-83-200-155.compute-1.amazonaws.com  (54.83.200.155:80)

TCP (HTTP):
Connects to ec2-54-72-47-163.eu-west-1.compute.amazonaws.com  (54.72.47.163:80)

TCP (HTTP):
Connects to ec2-23-23-122-91.compute-1.amazonaws.com  (23.23.122.91:80)

TCP (HTTP SSL):
Connects to dub407-m.hotmail.com  (157.56.194.24:443)

TCP (HTTP):
Connects to c0.a2.2ca9.ip4.static.sl-reverse.com  (169.44.162.192:80)

TCP (HTTP SSL):
Connects to bn2b-cor003.api.p001.1drv.com  (131.253.14.230:443)

TCP (HTTP):
Connects to ec2-52-3-190-48.compute-1.amazonaws.com  (52.3.190.48:80)

TCP (HTTP):
Connects to server-54-230-87-70.lax3.r.cloudfront.net  (54.230.87.70:80)

TCP (HTTP):
Connects to server-54-230-87-48.lax3.r.cloudfront.net  (54.230.87.48:80)

TCP (HTTP):
Connects to server-54-230-87-156.lax3.r.cloudfront.net  (54.230.87.156:80)

TCP (HTTP SSL):
Connects to server-54-192-19-47.iad12.r.cloudfront.net  (54.192.19.47:443)

TCP (HTTP):
Connects to server-52-85-77-92.lax3.r.cloudfront.net  (52.85.77.92:80)

TCP (HTTP SSL):
Connects to server-52-85-77-89.lax3.r.cloudfront.net  (52.85.77.89:443)

TCP (HTTP SSL):
Connects to server-52-85-147-119.iad12.r.cloudfront.net  (52.85.147.119:443)

TCP (HTTP):
Connects to s3-1.amazonaws.com  (52.216.1.3:80)

TCP (HTTP):
Connects to l3dsr-cserv-um-21.iad3.btrll.com  (162.208.22.39:80)

TCP (HTTP SSL):
Connects to java.com.ssl.d1.sc.omtrdc.net  (66.235.145.8:443)
