client.exe

Software Jockey

This is published and distributed via Adknowledge's advertising-supported (adware) software installer. The application client.exe by Software Jockey has been detected as adware by 8 anti-malware scanners. This executable runs as a local area network (LAN) Internet proxy server listening on port 52272 and has the ability to intercept and modify all inbound and outbound Internet traffic on the local host. While running, it connects to the Internet address host48-rangeA-akamai-aanp.cdn.bllon.isp.sky.com on port 80 using the HTTP protocol.
Publisher:
Software Jockey  (signed and verified)

MD5:
f7c5227f459ea07e8ca80a051de1a245

SHA-1:
49e883ebd67e65130919f664923d5e7e6a98bffb

SHA-256:
f4e35a3d1e04f79ed03408fd2ac00140407b881153883de575ac8736d16aaff7

Scanner detections:
8 / 68

Status:
Adware

Explanation:
This installer bundles various adware programs that may include toolbars and web browser advertising injectors/extensions.

Analysis date:
11/5/2024 10:12:47 PM UTC

Scan engine         Detection                            Engine version
AVG                 Generic                              2015.0.3253
Baidu Antivirus     Adware.Win32.RocketTab               4.0.3.141222
ESET NOD32          MSIL/Adware.iBryte (variant)         8.10701
Kaspersky           not-a-virus:AdWare.MSIL.RocketTab    14.0.0.2760
Malwarebytes        PUP.Optional.SoftJok                 v2014.12.22.12
McAfee              Artemis!9CBD7602DB05                 5600.6909
Reason Heuristics   PUP.SoftwareJockey.G                 14.11.2.4
VIPRE Antivirus     Threat.4798837                       34232

File size:
5.5 MB (5,751,528 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\Program Files\search extensions\client.exe

Digital Signature
Signed by:

Authority:
COMODO CA Limited

Valid from:
3/24/2014 12:00:00 AM

Valid to:
3/24/2015 11:59:59 PM

Subject:
CN=Software Jockey, O=Software Jockey, STREET="4600 Madison Ave, 10th FL", L=Kansas City, S=Missouri, PostalCode=64112, C=US

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
3481FC293A085AD3BA94D30DC9CC2E95

File PE Metadata
Compilation timestamp:
10/30/2014 12:45:09 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
24576:hLjCh5T6tcxolQmFjGVmmmG9nX75XK399mYt3Z6iycVpig8nHzvnbpAor9HS/rgj:sBM5uqlPxs8R0lAj5a

Entry address:
0x1DAD

Entry point:
E8, 7D, 26, 00, 00, E9, 89, FE, FF, FF, 8B, FF, 55, 8B, EC, 83, 7D, 08, 00, 74, 2D, FF, 75, 08, 6A, 00, FF, 35, AC, 8F, 97, 00, FF, 15, 38, 80, 40, 00, 85, C0, 75, 18, 56, E8, 2F, 27, 00, 00, 8B, F0, FF, 15, 34, 80, 40, 00, 50, E8, DF, 26, 00, 00, 59, 89, 06, 5E, 5D, C3, 6A, 0C, 68, 90, A4, 40, 00, E8, 43, 24, 00, 00, 6A, 0E, E8, 2F, 2A, 00, 00, 59, 83, 65, FC, 00, 8B, 75, 08, 8B, 4E, 04, 85, C9, 74, 2F, A1, 00, 84, 97, 00, BA, FC, 83, 97, 00, 89, 45, E4, 85, C0, 74, 11, 39, 08, 75, 2C, 8B, 48, 04, 89, 4A...

Entropy:
4.3649

Code size:
25.5 KB (26,112 bytes)

Local Proxy Server
Proxy for:
Internet Settings

Local host address:
http://127.0.0.1:52272/

Local host port:
52272

Default credentials:
No
The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to host48-rangeA-akamai-aanp.cdn.bllon.isp.sky.com  (176.255.202.48:80)

TCP (HTTP):
Connects to ec2-184-73-221-34.compute-1.amazonaws.com  (184.73.221.34:80)

TCP (HTTP):
Connects to ec2-107-20-216-14.compute-1.amazonaws.com  (107.20.216.14:80)

Remove client.exe - Powered by Reason Core Security