client.exe

Software Jockey

This file is published and distributed via an Adknowledge advertising-supported (adware) software installer. The application client.exe by Software Jockey has been detected as adware by 8 anti-malware scanners. This file is typically installed with the program Rockettab by Rich River Media, LLC, which is a potentially unwanted software program. While running, it connects to the Internet address channel-proxy-shv-06-ash2.facebook.com on port 443.
Publisher:
Software Jockey  (signed and verified)

MD5:
6aa41abc3265a64610ecc85645581e43

SHA-1:
d2d940a684a67b2c4ef3d6b675856d920d4ea89d

SHA-256:
9dcb03e314af2a3c52a41ea8fcdf51f155f35d3ee503b79ca77253984530ab61

Scanner detections:
8 / 68

Status:
Adware

Explanation:
This installer bundles various adware programs that may include toolbars and web browser advertising injectors/extensions.

Analysis date:
5/27/2024 12:33:41 AM UTC

Scan engine
Detection
Engine version

AVG
Generic
2015.0.3253

Baidu Antivirus
Adware.Win32.RocketTab
4.0.3.141222

ESET NOD32
MSIL/Adware.iBryte (variant)
8.10701

Kaspersky
not-a-virus:AdWare.MSIL.RocketTab
14.0.0.2760

Malwarebytes
PUP.Optional.SoftJok
v2014.12.22.12

McAfee
Artemis!9CBD7602DB05
5600.6909

Reason Heuristics
PUP.SoftwareJockey.G
14.10.30.21

VIPRE Antivirus
AdKnowledge
34676

File size:
5.5 MB (5,751,528 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\Program Files\search extensions\client.exe

Digital Signature
Signed by:

Authority:
COMODO CA Limited

Valid from:
3/23/2014 8:00:00 PM

Valid to:
3/24/2015 7:59:59 PM

Subject:
CN=Software Jockey, O=Software Jockey, STREET="4600 Madison Ave, 10th FL", L=Kansas City, S=Missouri, PostalCode=64112, C=US

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
3481FC293A085AD3BA94D30DC9CC2E95

File PE Metadata
Compilation timestamp:
10/30/2014 2:00:30 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
49152:M3hZZQv3MrPOwC9nZLt9qUp+SxxNNZUCRGL:M3hZZFrOw+9t+

Entry address:
0x1D9D

Entry point:
E8, 7D, 26, 00, 00, E9, 89, FE, FF, FF, 8B, FF, 55, 8B, EC, 83, 7D, 08, 00, 74, 2D, FF, 75, 08, 6A, 00, FF, 35, AC, 8F, 97, 00, FF, 15, 38, 80, 40, 00, 85, C0, 75, 18, 56, E8, 2F, 27, 00, 00, 8B, F0, FF, 15, 34, 80, 40, 00, 50, E8, DF, 26, 00, 00, 59, 89, 06, 5E, 5D, C3, 6A, 0C, 68, 90, A4, 40, 00, E8, 43, 24, 00, 00, 6A, 0E, E8, 2F, 2A, 00, 00, 59, 83, 65, FC, 00, 8B, 75, 08, 8B, 4E, 04, 85, C9, 74, 2F, A1, 00, 84, 97, 00, BA, FC, 83, 97, 00, 89, 45, E4, 85, C0, 74, 11, 39, 08, 75, 2C, 8B, 48, 04, 89, 4A...
Entropy:
4.8108

Code size:
25.5 KB (26,112 bytes)

The file client.exe has been discovered within the following program.

Rockettab  by Rich River Media, LLC
RocketTab is an adware program that injects advertising into the user's web browser by creating a local proxy server and routing all Internet traffic through that proxy. By re-routing traffic, the service is able to insert various ads into the HTML of the displayed web page.
rockettab.com
The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to p3nlhg750c1750.shr.prod.phx3.secureserver.net  (50.62.127.1:80)

TCP (HTTP):
Connects to ots.iad.optimize.webtrends.com  (63.251.85.37:80)

TCP (HTTP):
Connects to iad23s25-in-f17.1e100.net  (173.194.121.17:80)

TCP (HTTP):
Connects to edge-star-shv-09-iad1.facebook.com  (31.13.69.128:80)

TCP (HTTP):
Connects to ec2-54-243-146-150.compute-1.amazonaws.com  (54.243.146.150:80)

TCP (HTTP):
Connects to ec2-54-235-185-31.compute-1.amazonaws.com  (54.235.185.31:80)

TCP (HTTP SSL):
Connects to channel-proxy-shv-06-ash2.facebook.com  (173.252.102.24:443)

TCP (HTTP SSL):
Connects to bay407-m.hotmail.com  (65.54.225.168:443)

TCP (HTTP):
Connects to a23-218-149-230.deploy.static.akamaitechnologies.com  (23.218.149.230:80)

TCP (HTTP):
Connects to a23-218-128-196.deploy.static.akamaitechnologies.com  (23.218.128.196:80)

TCP (HTTP):
Connects to a23-196-38-235.deploy.static.akamaitechnologies.com  (23.196.38.235:80)

TCP (HTTP SSL):
Connects to a23-0-160-51.deploy.static.akamaitechnologies.com  (23.0.160.51:443)

TCP (HTTP SSL):
Connects to a23-0-160-34.deploy.static.akamaitechnologies.com  (23.0.160.34:443)

TCP (HTTP):
Connects to 173.192.220.64-static.reverse.softlayer.com  (173.192.220.64:80)