client.exe

Joltlogic

This adware bundler is distributed through Adknowledge's advertising-supported software managers. The application client.exe by Joltlogic has been detected as adware by 7 anti-malware scanners. The program is a setup application that uses the Adknowledge Fusion installer. This executable runs as a local area network (LAN) Internet proxy server listening on port 49318 and has the ability to intercept and modify all inbound and outbound Internet traffic on the local host. While running, it connects to the Internet address response.spilgames.com on port 80 using the HTTP protocol.
Publisher:
Joltlogic  (signed and verified)

MD5:
e10f50457b614aec0d1857000f7dca40

SHA-1:
5e83cb30ffafc5be3dfdc62bede71f3a03ee916f

SHA-256:
26b31305172bf68152903a344d615c0073bba2b14e0119a807a0e78bb8758e7b

Scanner detections:
7 / 68

Status:
Adware

Explanation:
This installer bundles various adware programs that may include toolbars and web browser advertising injectors/extensions.

Description:
This is also known as bundleware or downloadware: a downloader designed simply to deliver ad-supported offers during the setup routine of otherwise legitimate software.

Analysis date:
11/27/2024 1:14:33 AM UTC

Scan engine: Detection (Engine version)

Avira AntiVirus: ADWARE/iBryte.Gen4 (7.11.205.232)

AVG: Generic (2016.0.3214)

ESET NOD32: MSIL/Adware.iBryte (variant) (9.11094)

Qihoo 360 Security: Win32/Virus.Adware.5a6 (1.0.0.1015)

Reason Heuristics: PUP.Adknowledge (15.1.29.23)

Sophos: Mal/Wintrim-A (4.98)

VIPRE Antivirus: AdKnowledge (37084)

File size:
1.8 MB (1,893,088 bytes)

File type:
Executable application (Win32 EXE)

Bundler/Installer:
Adknowledge Fusion

Common path:
C:\users\{user}\appdata\local\browser extensions\client.exe

Digital Signature
Signed by:

Authority:
COMODO CA Limited

Valid from:
7/15/2014 8:00:00 PM

Valid to:
7/16/2015 7:59:59 PM

Subject:
CN=Joltlogic, O=Joltlogic, STREET=4600 Madison Ave FL 10, L=Kansas City, S=Missouri, PostalCode=64112, C=US

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
5EE011413A702F6705B25B34B674F3AB

File PE Metadata
Compilation timestamp:
1/29/2015 11:49:20 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
24576:r5KXhuiVO654eG0R+rWbQYVei8nD4N1MqjhaMSpzCC3F3l0b9HuoBFMVBC9SMert:AuKxGiQYVqnqCplRGiVBC9U

Entry address:
0xD947

Entry point:
E8, B3, 33, 00, 00, E9, 89, FE, FF, FF, 8B, FF, 55, 8B, EC, 83, 7D, 08, 00, 74, 2D, FF, 75, 08, 6A, 00, FF, 35, C4, 6B, 4A, 00, FF, 15, 60, 10, 42, 00, 85, C0, 75, 18, 56, E8, 65, 34, 00, 00, 8B, F0, FF, 15, 5C, 10, 42, 00, 50, E8, 15, 34, 00, 00, 59, 89, 06, 5E, 5D, C3, 8B, C1, 83, 60, 04, 00, C7, 00, B0, F4, 49, 00, C6, 40, 08, 00, C3, 8B, FF, 55, 8B, EC, 8B, C1, 8B, 4D, 08, C7, 00, B0, F4, 49, 00, 8B, 09, 89, 48, 04, C6, 40, 08, 00, 5D, C2, 08, 00, 8B, 41, 04, 85, C0, 75, 05, B8, B8, F4, 49, 00, C3, 8B...

Entropy:
6.0325

Code size:
126.5 KB (129,536 bytes)

Local Proxy Server
Proxy for:
Internet Settings

Local host address:
http://127.0.0.1:49318/

Local host port:
49318

Default credentials:
No


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP SSL):
Connects to a23-56-220-238.deploy.static.akamaitechnologies.com  (23.56.220.238:443)

TCP (HTTP):
Connects to ec2-54-221-254-214.compute-1.amazonaws.com  (54.221.254.214:80)

TCP (HTTP SSL):
Connects to a23-210-100-185.deploy.static.akamaitechnologies.com  (23.210.100.185:443)

TCP (HTTP):
Connects to ec2-50-17-224-168.compute-1.amazonaws.com  (50.17.224.168:80)

TCP (HTTP):
Connects to ec2-54-164-231-176.compute-1.amazonaws.com  (54.164.231.176:80)

TCP (HTTP):
Connects to ec2-52-3-190-48.compute-1.amazonaws.com  (52.3.190.48:80)

TCP (HTTP):
Connects to ec2-34-197-164-204.compute-1.amazonaws.com  (34.197.164.204:80)

TCP (HTTP):
Connects to ec2-23-23-122-91.compute-1.amazonaws.com  (23.23.122.91:80)

TCP (HTTP):
Connects to tg1-den.search.spotxchange.com  (198.54.12.96:80)

TCP (HTTP SSL):
Connects to server-54-230-87-193.lax3.r.cloudfront.net  (54.230.87.193:443)

TCP (HTTP):
Connects to server-52-84-239-60.sfo5.r.cloudfront.net  (52.84.239.60:80)

TCP (HTTP SSL):
Connects to a23-213-199-58.deploy.static.akamaitechnologies.com  (23.213.199.58:443)

TCP (HTTP SSL):
Connects to a184-85-71-49.deploy.static.akamaitechnologies.com  (184.85.71.49:443)

TCP (HTTP):
Connects to s3-1-w.amazonaws.com  (54.231.82.154:80)

TCP (HTTP SSL):
Connects to li681-52.members.linode.com  (23.239.8.52:443)

TCP (HTTP):
Connects to ec2-54-83-200-155.compute-1.amazonaws.com  (54.83.200.155:80)

TCP (HTTP):
Connects to ec2-50-17-217-59.compute-1.amazonaws.com  (50.17.217.59:80)

TCP (HTTP SSL):
Connects to a96-16-219-45.deploy.akamaitechnologies.com  (96.16.219.45:443)

TCP (HTTP):
Connects to a23-72-137-154.deploy.static.akamaitechnologies.com  (23.72.137.154:80)

TCP (HTTP):
Connects to server-54-230-87-47.lax3.r.cloudfront.net  (54.230.87.47:80)
