client.exe

Joltlogic

This is published and distributed via an Adknowledge's advertising supported (adware) software installer. The application client.exe by Joltlogic has been detected as adware by 4 anti-malware scanners. This executable runs as a local area network (LAN) Internet proxy server listening on port 49327 and has the ability to intercept and modify all inbound and outbound Internet traffic on the local host. While running, it connects to the Internet address server-54-239-172-253.atl50.r.cloudfront.net on port 80 using the HTTP protocol.
Publisher:
Joltlogic  (signed and verified)

MD5:
4eb115646d0b18a0d0a118cdb9e1c0f3

SHA-1:
1865c0e985c72d68dbf35af9b482ed7a98b70511

SHA-256:
cb61866a6b43c5b9ff87936a07609cfb99bb8a6abef6d676357991eadd7f8977

Scanner detections:
4 / 68

Status:
Adware

Explanation:
This installer bundles various adware prorgams that may include toolbars and web browser advertising injectors/extensions.

Analysis date:
12/27/2024 9:36:49 AM UTC  (today)

Scan engine
Detection
Engine version

ESET NOD32
MSIL/Adware.iBryte.I application
7.0.302.0

Panda Antivirus
Trj/Genetic.gen
14.12.06.04

Reason Heuristics
PUP.Joltlogic.G
14.12.6.16

VIPRE Antivirus
Threat.4798837
35418

File size:
3.4 MB (3,538,656 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\local\geniusbox\client.exe

Digital Signature
Signed by:

Authority:
COMODO CA Limited

Valid from:
7/15/2014 8:00:00 PM

Valid to:
7/16/2015 7:59:59 PM

Subject:
CN=Joltlogic, O=Joltlogic, STREET=4600 Madison Ave FL 10, L=Kansas City, S=Missouri, PostalCode=64112, C=US

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
5EE011413A702F6705B25B34B674F3AB

File PE Metadata
Compilation timestamp:
11/19/2014 8:32:41 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
24576:IXBGp7axh9460jX5wSXyAtTi23IGr8UrSOZ3gFlmpy4/4Ktxdc4OmkDg5hQ6kV0A:IXBGp7axhOp5wSXyAtTn3IGYDQITzb

Entry address:
0x1D63

Entry point:
E8, 77, 26, 00, 00, E9, 89, FE, FF, FF, 8B, FF, 55, 8B, EC, 83, 7D, 08, 00, 74, 2D, FF, 75, 08, 6A, 00, FF, 35, AC, DF, 75, 00, FF, 15, 38, 80, 40, 00, 85, C0, 75, 18, 56, E8, 29, 27, 00, 00, 8B, F0, FF, 15, 34, 80, 40, 00, 50, E8, D9, 26, 00, 00, 59, 89, 06, 5E, 5D, C3, 6A, 0C, 68, 50, A4, 40, 00, E8, 3D, 24, 00, 00, 6A, 0E, E8, 29, 2A, 00, 00, 59, 83, 65, FC, 00, 8B, 75, 08, 8B, 4E, 04, 85, C9, 74, 2F, A1, 00, D4, 75, 00, BA, FC, D3, 75, 00, 89, 45, E4, 85, C0, 74, 11, 39, 08, 75, 2C, 8B, 48, 04, 89, 4A...
 
[+]

Entropy:
4.0955

Code size:
25.5 KB (26,112 bytes)

Local Proxy Server
Proxy for:
Internet Settings

Local host address:
http://127.0.0.1:49327/

Local host port:
49327

Default credentials:
No


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to server-54-239-172-253.atl50.r.cloudfront.net  (54.239.172.253:80)

TCP (HTTP):
Connects to a23-62-184-125.deploy.static.akamaitechnologies.com  (23.62.184.125:80)

TCP (HTTP):
Connects to a23-62-181-165.deploy.static.akamaitechnologies.com  (23.62.181.165:80)

TCP (HTTP):
Connects to ec2-54-235-170-110.compute-1.amazonaws.com  (54.235.170.110:80)

TCP (HTTP):
Connects to a72-246-56-72.deploy.akamaitechnologies.com  (72.246.56.72:80)

TCP (HTTP):

TCP (HTTP):

Remove client.exe - Powered by Reason Core Security