home

client.exe

Software Jockey

This is published and distributed via an Adknowledge's advertising supported (adware) software installer. The application client.exe by Software Jockey has been detected as adware by 18 anti-malware scanners. This file is typically installed with the program Rockettab by Rich River Media, LLC which is a potentially unwanted software program.
Publisher:
Software Jockey  (signed and verified)

MD5:
d7a3bf95037f203f342b15ff1e1461fa

SHA-1:
5501aa4786edce1a0352914a53d041b4c82980e8

SHA-256:
29575c97f01e06ea6aeef2349f5483e332f0345cd5d63a30e0b850ac2ae01f3f

Scanner detections:
18 / 68

Status:
Adware

Explanation:
This installer bundles various adware prorgams that may include toolbars and web browser advertising injectors/extensions.

Analysis date:
11/26/2024 9:58:55 PM UTC  (today)

Scan engine
Detection
Engine version

Lavasoft Ad-Aware
Gen:Variant.Adware.Graftor.164387
797

avast!
Win32:Adware-CBG [PUP]
2014.9-141130

AVG
Generic
2015.0.3294

Baidu Antivirus
Adware.Win32.RocketTab
4.0.3.141110

Bitdefender
Gen:Variant.Adware.Graftor.164387
1.0.20.1670

Emsisoft Anti-Malware
Gen:Variant.Adware.Graftor.164387
8.14.11.30.12

ESET NOD32
MSIL/Adware.iBryte (variant)
8.10701

F-Secure
Gen:Variant.Adware.Graftor.164387
11.2014-30-11_1

G Data
Gen:Variant.Adware.Graftor.164387
14.11.24

Kaspersky
not-a-virus:AdWare.MSIL.RocketTab
14.0.0.2966

McAfee
Artemis!45804C006E6C
5600.6931

MicroWorld eScan
Gen:Variant.Adware.Graftor.164387
15.0.0.1002

Panda Antivirus
Trj/Genetic.gen
14.11.30.12

Qihoo 360 Security
HEUR/QVM10.1.Malware.Gen
1.0.0.1015

Reason Heuristics
PUP.SoftwareJockey.G
14.11.10.19

Sophos
iBryte Desktop
4.98

Trend Micro House Call
TROJ_GEN.R047H09KS14
7.2.334

VIPRE Antivirus
AdKnowledge
34678

File size:
5.5 MB (5,811,432 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\Program Files\search extensions\client.exe

Digital Signature
Signed by:
Software Jockey

Authority:
COMODO CA Limited

Valid from:
3/23/2014 5:00:00 PM

Valid to:
3/24/2015 4:59:59 PM

Subject:
CN=Software Jockey, O=Software Jockey, STREET="4600 Madison Ave, 10th FL", L=Kansas City, S=Missouri, PostalCode=64112, C=US

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
3481FC293A085AD3BA94D30DC9CC2E95

File PE Metadata
Compilation timestamp:
11/10/2014 9:11:56 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
24576:8tKaLcQgyax8ktyXpdTnGSF6lFvJKjlk3vu1rNsdOO9ymB5UQsu4xg1T5sx0aLGc:MN5k8k9XsVEeQX+Kjq35q+CAznyOaha

Entry address:
0x1E9F

Entry point:
E8, 3B, 27, 00, 00, E9, 89, FE, FF, FF, 8B, FF, 55, 8B, EC, 83, 7D, 08, 00, 74, 2D, FF, 75, 08, 6A, 00, FF, 35, AC, 77, 98, 00, FF, 15, 3C, 80, 40, 00, 85, C0, 75, 18, 56, E8, ED, 27, 00, 00, 8B, F0, FF, 15, 38, 80, 40, 00, 50, E8, 9D, 27, 00, 00, 59, 89, 06, 5E, 5D, C3, 6A, 0C, 68, B0, A4, 40, 00, E8, 01, 25, 00, 00, 6A, 0E, E8, ED, 2A, 00, 00, 59, 83, 65, FC, 00, 8B, 75, 08, 8B, 4E, 04, 85, C9, 74, 2F, A1, 00, 6C, 98, 00, BA, FC, 6B, 98, 00, 89, 45, E4, 85, C0, 74, 11, 39, 08, 75, 2C, 8B, 48, 04, 89, 4A...
 
[+]

Entropy:
4.0331

Code size:
25.5 KB (26,112 bytes)

The file client.exe has been discovered within the following program.

Rockettab  by Rich River Media, LLC
RocketTab is an adware program that injects advertising in the user's web browser by creating a local proxy server and routing all Internet traffic through that proxy. By re-routing traffic the service will be able to include various ads in the HTML of the displaying web page.
rockettab.com
88% remove it
 
Powered by Should I Remove It?

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to ec2-54-235-170-110.compute-1.amazonaws.com  (54.235.170.110:80)

TCP (HTTP):
Connects to ec2-54-221-254-214.compute-1.amazonaws.com  (54.221.254.214:80)

TCP (HTTP):
Connects to ec2-54-208-30-101.compute-1.amazonaws.com  (54.208.30.101:80)

TCP (HTTP SSL):
Connects to msnbot-65-55-252-43.search.msn.com  (65.55.252.43:443)

TCP (HTTP):
Connects to fm-dyn-111-94-254-40.fast.net.id  (111.94.254.40:80)

TCP (HTTP):
Connects to ec2-50-17-224-168.compute-1.amazonaws.com  (50.17.224.168:80)

TCP (HTTP):
Connects to a23-212-128-59.deploy.static.akamaitechnologies.com  (23.212.128.59:80)

TCP (HTTP):
Connects to a23-212-120-235.deploy.static.akamaitechnologies.com  (23.212.120.235:80)

TCP (HTTP):
Connects to a184-26-22-20.deploy.static.akamaitechnologies.com  (184.26.22.20:80)

TCP (HTTP):
Connects to wg-in-f95.1e100.net  (173.194.78.95:80)

TCP (HTTP):
Connects to wg-in-f138.1e100.net  (173.194.78.138:80)

TCP (HTTP):
Connects to sjd-rb12-8b.sjc.dropbox.com  (108.160.166.30:80)

TCP (HTTP SSL):
Connects to server-54-192-138-233.lax1.r.cloudfront.net  (54.192.138.233:443)

TCP (HTTP SSL):
Connects to r-199-59-150-46.twttr.com  (199.59.150.46:443)

TCP (HTTP SSL):
Connects to pe-in-f95.1e100.net  (74.125.20.95:443)

TCP (HTTP SSL):
Connects to pe-in-f116.1e100.net  (74.125.20.116:443)

TCP (HTTP SSL):
Connects to nuq04s19-in-f7.1e100.net  (74.125.239.39:443)

TCP (HTTP):
Connects to lhr14s23-in-f19.1e100.net  (74.125.230.83:80)

TCP (HTTP):
Connects to lhr14s23-in-f13.1e100.net  (74.125.230.77:80)

TCP (HTTP):
Connects to lhr14s23-in-f12.1e100.net  (74.125.230.76:80)

Remove client.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.