client.exe

Joltlogic

This adware bundler is distributed through Adknowledge's advertising supported software managers. The application client.exe by Joltlogic has been detected as adware by 30 anti-malware scanners. The program is a setup application that uses the Adknowledge Fusion installer. This executable runs as a local area network (LAN) Internet proxy server listening on port 49211 and has the ability to intercept and modify all inbound and outbound Internet traffic on the local host.
Publisher:
Joltlogic  (signed and verified)

MD5:
079ae5019b39cac34cf521cfb21a9b4b

SHA-1:
3a640ccb12217dd5c0c79e0e1af6d7bdeab3c543

SHA-256:
854cf25350175c2d8e2de2ca01d9967338b3d42df675f05c37a497879393840e

Scanner detections:
30 / 68

Status:
Adware

Explanation:
This installer bundles various adware prorgams that may include toolbars and web browser advertising injectors/extensions.

Description:
This 'download manager' is also considered bundleware, a utility designed to download software (possibly legitimate or opensource) and bundle it with a number of optional offers including ad-supported utilities, toolbars, shopping comparison tools and browser extensions.

Analysis date:
11/23/2024 7:55:34 PM UTC  (today)

Scan engine
Detection
Engine version

Lavasoft Ad-Aware
Adware.Ibryte.BP
5745058

Agnitum Outpost
PUA.Agent
7.1.1

Avira AntiVirus
ADWARE/iBryte.Gen4
7.11.206.252

Arcabit
Adware.Ibryte.BP
1.0.0.585

avast!
Win32:IBryte-JX [PUP]
151028-1

AVG
Generic
2016.0.3208

Bitdefender
Adware.Ibryte.BP
1.0.20.1250

Bkav FE
W32.HfsAdware
1.3.0.6379

Comodo Security
ApplicUnwnt
21639

Dr.Web
Trojan.iBryte.537
9.0.1.05190

Emsisoft Anti-Malware
Adware.Ibryte.BP
10.0.0.5366

ESET NOD32
Win32/Adware.iBryte.CD application
7.0.302.0

Fortinet FortiGate
MSIL/IBryte.A
9/7/2015

F-Secure
Adware.Ibryte.BP
5.15.21

G Data
Adware.Ibryte.BP
15.9.25

K7 AntiVirus
Adware
13.202.15480

McAfee
Trojan.Trojan-FGAP!079AE5019B39
18.0.204.0

MicroWorld eScan
Adware.Ibryte.BP
16.0.0.750

NANO AntiVirus
Trojan.Win32.Agent.dwtfsb
0.30.26.3947

Norman
Adware.Ibryte.BP
07.10.2015 03:16:12

nProtect
Adware.Ibryte.BP
15.04.03.01

Panda Antivirus
Trj/Genetic.gen
15.09.07.06

Qihoo 360 Security
Win32/Virus.Adware.5a6
1.0.0.1015

Reason Heuristics
PUP.Adknowledge
15.2.4.14

Rising Antivirus
PE:Malware.RDM.11!5.11[F1]
23.00.65.151108

Sophos
Virus 'Mal/Wintrim-A'
5.15

SUPERAntiSpyware
Adware.iBryte/Variant
9515

Trend Micro House Call
TROJ_GEN.R0C1C0RBG15
7.2.250

Trend Micro
TROJ_GEN.R0C1C0RBG15
10.465.07

VIPRE Antivirus
Threat.4798837
37240

File size:
1.7 MB (1,789,152 bytes)

File type:
Executable application (Win32 EXE)

Bundler/Installer:
Adknowledge Fusion

Common path:
C:\users\{user}\appdata\local\browser extensions\client.exe

Digital Signature
Signed by:

Authority:
COMODO CA Limited

Valid from:
7/15/2014 7:00:00 PM

Valid to:
7/16/2015 6:59:59 PM

Subject:
CN=Joltlogic, O=Joltlogic, STREET=4600 Madison Ave FL 10, L=Kansas City, S=Missouri, PostalCode=64112, C=US

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
5EE011413A702F6705B25B34B674F3AB

File PE Metadata
Compilation timestamp:
2/4/2015 11:41:04 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
24576:1kw8lyHoZ1MJRBCQFOGtOwswQoBEhXU2LEYIx4/eI5G+I1W3s98ZM/:V+teZmL2YEeLC

Entry address:
0xCCC7

Entry point:
E8, B3, 33, 00, 00, E9, 89, FE, FF, FF, 8B, FF, 55, 8B, EC, 83, 7D, 08, 00, 74, 2D, FF, 75, 08, 6A, 00, FF, 35, 84, 66, 49, 00, FF, 15, 60, 00, 42, 00, 85, C0, 75, 18, 56, E8, 65, 34, 00, 00, 8B, F0, FF, 15, 5C, 00, 42, 00, 50, E8, 15, 34, 00, 00, 59, 89, 06, 5E, 5D, C3, 8B, C1, 83, 60, 04, 00, C7, 00, FC, FA, 48, 00, C6, 40, 08, 00, C3, 8B, FF, 55, 8B, EC, 8B, C1, 8B, 4D, 08, C7, 00, FC, FA, 48, 00, 8B, 09, 89, 48, 04, C6, 40, 08, 00, 5D, C2, 08, 00, 8B, 41, 04, 85, C0, 75, 05, B8, 04, FB, 48, 00, C3, 8B...
 
[+]

Entropy:
6.1059

Code size:
123.5 KB (126,464 bytes)

Local Proxy Server
Proxy for:
Internet Settings

Local host address:
http://127.0.0.1:49211/

Local host port:
49211

Default credentials:
No


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP SSL):
Connects to server-54-239-172-162.atl50.r.cloudfront.net  (54.239.172.162:443)

TCP (HTTP):
Connects to ec2-54-80-54-32.compute-1.amazonaws.com  (54.80.54.32:80)

TCP (HTTP):
Connects to ec2-50-17-217-59.compute-1.amazonaws.com  (50.17.217.59:80)

TCP (HTTP):
Connects to 1d.2a.6132.ip4.static.sl-reverse.com  (50.97.42.29:80)

TCP (HTTP):
Connects to ec2-52-0-108-100.compute-1.amazonaws.com  (52.0.108.100:80)

TCP (HTTP):

TCP (HTTP):
Connects to rtas-adx-21.btrll.com  (162.208.22.34:80)

TCP (HTTP SSL):
Connects to 249.16.185.35.bc.googleusercontent.com  (35.185.16.249:443)

TCP (HTTP SSL):
Connects to 102.23.185.35.bc.googleusercontent.com  (35.185.23.102:443)

TCP (HTTP):
Connects to ec2-52-54-171-173.compute-1.amazonaws.com  (52.54.171.173:80)

TCP (HTTP):

TCP (HTTP):
Connects to 2b.3c.6132.ip4.static.sl-reverse.com  (50.97.60.43:80)

TCP (HTTP SSL):
Connects to r-92-44-234-77.ff.avast.com  (77.234.44.92:443)

TCP (HTTP):
Connects to ec2-54-221-254-214.compute-1.amazonaws.com  (54.221.254.214:80)

TCP (HTTP):
Connects to ec2-52-55-64-138.compute-1.amazonaws.com  (52.55.64.138:80)

TCP (HTTP SSL):
Connects to e2.ycpi.vip.dca.yahoo.com  (69.147.92.12:443)

TCP (HTTP):
Connects to a23-219-162-90.deploy.static.akamaitechnologies.com  (23.219.162.90:80)

TCP (HTTP):
Connects to a104-92-22-172.deploy.static.akamaitechnologies.com  (104.92.22.172:80)

TCP (HTTP SSL):
Connects to a104-92-11-7.deploy.static.akamaitechnologies.com  (104.92.11.7:443)

TCP (HTTP):
Connects to ip-68-71-249-118.hosts.zerolag.com  (68.71.249.118:80)

Remove client.exe - Powered by Reason Core Security