client.exe

Joltlogic

This file is published and distributed via Adknowledge's advertising-supported (adware) software installer. The application client.exe by Joltlogic has been detected as adware by 4 anti-malware scanners. The executable runs as a local HTTP proxy server bound to the loopback address (127.0.0.1) on port 49327 and, once the system's Internet Settings are pointed at it, has the ability to intercept and modify all inbound and outbound Internet traffic on the local host. While running, it connects to server-54-239-172-253.atl50.r.cloudfront.net on port 80 using HTTP.
Publisher:
Joltlogic  (signed and verified)

MD5:
4eb115646d0b18a0d0a118cdb9e1c0f3

SHA-1:
1865c0e985c72d68dbf35af9b482ed7a98b70511

SHA-256:
cb61866a6b43c5b9ff87936a07609cfb99bb8a6abef6d676357991eadd7f8977

Scanner detections:
4 / 68

Status:
Adware

Explanation:
This installer bundles various adware programs that may include toolbars and web browser advertising injectors/extensions.

Analysis date:
8/27/2024 2:52:01 AM UTC

Scan engine          Detection                          Engine version
ESET NOD32           MSIL/Adware.iBryte.I application   7.0.302.0
Panda Antivirus      Trj/Genetic.gen                    14.12.06.04
Reason Heuristics    PUP.Joltlogic.G                    14.12.6.16
VIPRE Antivirus      Threat.4798837                     35418

File size:
3.4 MB (3,538,656 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\local\geniusbox\client.exe

Digital Signature
Signed by:
Joltlogic
Authority:
COMODO CA Limited

Valid from:
7/15/2014 8:00:00 PM

Valid to:
7/16/2015 7:59:59 PM

Subject:
CN=Joltlogic, O=Joltlogic, STREET=4600 Madison Ave FL 10, L=Kansas City, S=Missouri, PostalCode=64112, C=US

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
5EE011413A702F6705B25B34B674F3AB

File PE Metadata
Compilation timestamp:
11/19/2014 8:32:41 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
24576:IXBGp7axh9460jX5wSXyAtTi23IGr8UrSOZ3gFlmpy4/4Ktxdc4OmkDg5hQ6kV0A:IXBGp7axhOp5wSXyAtTn3IGYDQITzb

Entry address:
0x1D63

Entry point:
E8, 77, 26, 00, 00, E9, 89, FE, FF, FF, 8B, FF, 55, 8B, EC, 83, 7D, 08, 00, 74, 2D, FF, 75, 08, 6A, 00, FF, 35, AC, DF, 75, 00, FF, 15, 38, 80, 40, 00, 85, C0, 75, 18, 56, E8, 29, 27, 00, 00, 8B, F0, FF, 15, 34, 80, 40, 00, 50, E8, D9, 26, 00, 00, 59, 89, 06, 5E, 5D, C3, 6A, 0C, 68, 50, A4, 40, 00, E8, 3D, 24, 00, 00, 6A, 0E, E8, 29, 2A, 00, 00, 59, 83, 65, FC, 00, 8B, 75, 08, 8B, 4E, 04, 85, C9, 74, 2F, A1, 00, D4, 75, 00, BA, FC, D3, 75, 00, 89, 45, E4, 85, C0, 74, 11, 39, 08, 75, 2C, 8B, 48, 04, 89, 4A...

Entropy:
4.0955

Code size:
25.5 KB (26,112 bytes)

Local Proxy Server
Proxy for:
Internet Settings

Local host address:
http://127.0.0.1:49327/

Local host port:
49327

Default credentials:
No
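The following PowerShell triage script is an added example written for this page; it is not code from the original analysis or from Joltlogic. It uses only the indicators listed above (SHA-256, signer certificate serial number, proxy port and common path) and assumes a Windows host with PowerShell 5.1 or later and the NetTCPIP module (Get-NetTCPConnection, present on Windows 8 / Server 2012 and later). The registry key it reads is the standard WinINET "Internet Settings" key, which is what the "Proxy for: Internet Settings" entry refers to.

```powershell
# Added triage script for the client.exe sample described on this page.
# Assumptions: Windows, PowerShell 5.1+, NetTCPIP module available.
# Indicators below are copied from the page; nothing else is taken from the sample.

$Sha256     = 'cb61866a6b43c5b9ff87936a07609cfb99bb8a6abef6d676357991eadd7f8977'
$CertSerial = '5EE011413A702F6705B25B34B674F3AB'   # Joltlogic code-signing cert (COMODO)
$ProxyPort  = 49327
$Path       = Join-Path $env:LOCALAPPDATA 'geniusbox\client.exe'
$InetKey    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

$findings = @()

# 1. File on disk at the common path, matched by SHA-256 rather than by name.
if (Test-Path -Path $Path) {
    $hash = (Get-FileHash -Algorithm SHA256 -Path $Path).Hash
    if ($hash -ieq $Sha256) {
        $findings += "SHA-256 match at $Path"
    } else {
        $findings += "Different file at $Path (SHA-256 $hash); not the sample on this page"
    }

    # A valid Authenticode signature is not a clean bill of health: this sample is
    # signed and verified. Key on the signer certificate serial number instead.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.SignerCertificate -and $sig.SignerCertificate.SerialNumber -ieq $CertSerial) {
        $findings += "Signed with the Joltlogic certificate (serial $CertSerial), status: $($sig.Status)"
    }
}

# 2. WinINET proxy hijack: ProxyEnable=1 with ProxyServer pointing at the loopback proxy.
#    ProxyServer may be a bare "host:port" or a per-protocol list ("http=...;https=...").
$inet = Get-ItemProperty -Path $InetKey -ErrorAction SilentlyContinue
if ($inet -and $inet.ProxyEnable -eq 1 -and $inet.ProxyServer -match "127\.0\.0\.1:$ProxyPort") {
    $findings += "Internet Settings proxy redirected to $($inet.ProxyServer)"
}

# 3. Which process owns the listening socket on the proxy port.
$listeners = Get-NetTCPConnection -LocalPort $ProxyPort -State Listen -ErrorAction SilentlyContinue
foreach ($l in $listeners) {
    $proc = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
    $findings += "Port $ProxyPort listening on $($l.LocalAddress), owned by PID $($l.OwningProcess) ($($proc.ProcessName)) from $($proc.Path)"
}

if ($findings.Count -eq 0) { 'No indicators from this page found.' } else { $findings }
```

The script is read-only. If it reports a redirected proxy and the listening process is the client.exe identified above, stop that process before clearing the setting (`Set-ItemProperty -Path $InetKey -Name ProxyEnable -Value 0`), otherwise the adware can simply re-apply it. Note that the signing certificate listed above expired on 7/16/2015; a signature that Windows reports as valid today is timestamped, and a valid signature from a commercial CA says nothing about whether the signed program is wanted.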


The executing file has been seen to make the following network communications in live environments. All of the hosts are shared CDN or cloud endpoints (CloudFront, Akamai, EC2), so the IP addresses are weak indicators on their own and should not be blocked without correlating the process that made the connection.

TCP (HTTP):
Connects to server-54-239-172-253.atl50.r.cloudfront.net  (54.239.172.253:80)

TCP (HTTP):
Connects to a23-62-184-125.deploy.static.akamaitechnologies.com  (23.62.184.125:80)

TCP (HTTP):
Connects to a23-62-181-165.deploy.static.akamaitechnologies.com  (23.62.181.165:80)

TCP (HTTP):
Connects to ec2-54-235-170-110.compute-1.amazonaws.com  (54.235.170.110:80)

TCP (HTTP):
Connects to a72-246-56-72.deploy.akamaitechnologies.com  (72.246.56.72:80)
