client.exe

Joltlogic

This adware bundler is distributed through Adknowledge's advertising supported software managers. The application client.exe by Joltlogic has been detected as adware by 8 anti-malware scanners. The program is a setup application that uses the Adknowledge Fusion installer. This executable runs as a local area network (LAN) Internet proxy server listening on port 1132 and has the ability to intercept and modify all inbound and outbound Internet traffic on the local host. While running, it connects to the Internet address server-54-230-141-177.sfo5.r.cloudfront.net on port 443.
Publisher:
Joltlogic  (signed and verified)

MD5:
a4a054c8eaea8cf0e94174e89da1c6d4

SHA-1:
6bb273caab44211ec07ac9812d234b88a3156ffe

Scanner detections:
8 / 68

Status:
Adware

Explanation:
This installer bundles various adware programs that may include toolbars and web browser advertising injectors/extensions.

Description:
This 'download manager' is also considered bundleware: a utility designed to download software (possibly legitimate or open-source) and bundle it with a number of optional offers, including ad-supported utilities, toolbars, shopping comparison tools and browser extensions.

Analysis date:
12/27/2024 3:41:39 AM UTC

Scan engine
Detection
Engine version

Avira AntiVirus
ADWARE/iBryte.Gen4
7.11.205.178

AVG
Generic
2016.0.3215

Comodo Security
ApplicUnwnt
20874

ESET NOD32
MSIL/Adware.iBryte (variant)
9.11086

Qihoo 360 Security
Win32/Virus.Adware.5a6
1.0.0.1015

Reason Heuristics
PUP.Adknowledge
15.1.28.14

Sophos
Mal/Wintrim-A
4.98

VIPRE Antivirus
AdKnowledge
37040

File size:
1.7 MB (1,817,824 bytes)

File type:
Executable application (Win32 EXE)

Bundler/Installer:
Adknowledge Fusion

Common path:
C:\Documents and Settings\{user}\Application data\browser extensions\client.exe

Digital Signature
Signed by:

Authority:
COMODO CA Limited

Valid from:
7/15/2014 5:00:00 PM

Valid to:
7/16/2015 4:59:59 PM

Subject:
CN=Joltlogic, O=Joltlogic, STREET=4600 Madison Ave FL 10, L=Kansas City, S=Missouri, PostalCode=64112, C=US

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
5EE011413A702F6705B25B34B674F3AB

File PE Metadata
Compilation timestamp:
1/27/2015 3:46:05 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
24576:VkftmrJQSCAB6Awx6yxizJMob+KJ/+UVhjbZ+Qc9sZ19KFXNBPiX3tz9/uTk8ekN:VkfsrJQSb6xyEb4DLKhL6X99mTWJ

Entry address:
0xC657

Entry point:
E8, B3, 33, 00, 00, E9, 89, FE, FF, FF, 8B, FF, 55, 8B, EC, 83, 7D, 08, 00, 74, 2D, FF, 75, 08, 6A, 00, FF, 35, E4, 4B, 49, 00, FF, 15, 60, 00, 42, 00, 85, C0, 75, 18, 56, E8, 65, 34, 00, 00, 8B, F0, FF, 15, 5C, 00, 42, 00, 50, E8, 15, 34, 00, 00, 59, 89, 06, 5E, 5D, C3, 8B, C1, 83, 60, 04, 00, C7, 00, 48, D5, 48, 00, C6, 40, 08, 00, C3, 8B, FF, 55, 8B, EC, 8B, C1, 8B, 4D, 08, C7, 00, 48, D5, 48, 00, 8B, 09, 89, 48, 04, C6, 40, 08, 00, 5D, C2, 08, 00, 8B, 41, 04, 85, C0, 75, 05, B8, 50, D5, 48, 00, C3, 8B...

Entropy:
6.0845

Code size:
122 KB (124,928 bytes)

Local Proxy Server
Proxy for:
Internet Settings

Local host address:
http://127.0.0.1:1132/

Local host port:
1132

Default credentials:
No
The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to ec2-52-206-93-196.compute-1.amazonaws.com  (52.206.93.196:80)

TCP (HTTP):
Connects to server-52-84-239-178.sfo5.r.cloudfront.net  (52.84.239.178:80)

TCP (HTTP):
Connects to s3-1-w.amazonaws.com  (52.216.1.112:80)

TCP (HTTP):
Connects to ec2-54-208-30-101.compute-1.amazonaws.com  (54.208.30.101:80)

TCP (HTTP):
Connects to ec2-50-17-217-59.compute-1.amazonaws.com  (50.17.217.59:80)

TCP (HTTP):
Connects to ec2-54-221-254-214.compute-1.amazonaws.com  (54.221.254.214:80)

TCP (HTTP SSL):
Connects to client.v.dropbox.com  (108.160.172.236:443)

TCP (HTTP SSL):
Connects to yk-in-f139.1e100.net  (74.125.196.139:443)

TCP (HTTP):
Connects to UNKNOWN-68-142-253-X.yahoo.com  (68.142.253.73:80)

TCP (HTTP):
Connects to server-54-230-5-230.dfw3.r.cloudfront.net  (54.230.5.230:80)

TCP (HTTP):
Connects to server-54-230-141-179.sfo5.r.cloudfront.net  (54.230.141.179:80)

TCP (HTTP SSL):
Connects to server-54-230-141-177.sfo5.r.cloudfront.net  (54.230.141.177:443)

TCP (HTTP):
Connects to server-54-230-141-127.sfo5.r.cloudfront.net  (54.230.141.127:80)

TCP (HTTP SSL):
Connects to server-54-192-37-57.jfk1.r.cloudfront.net  (54.192.37.57:443)

TCP (HTTP):
Connects to server-52-84-239-218.sfo5.r.cloudfront.net  (52.84.239.218:80)

TCP (HTTP):
Connects to server-52-84-239-144.sfo5.r.cloudfront.net  (52.84.239.144:80)

TCP (HTTP):
Connects to s3-1.amazonaws.com  (52.216.2.43:80)

TCP (HTTP):
Connects to p3slh051.shr.phx3.secureserver.net  (68.178.254.202:80)

TCP (HTTP SSL):
Connects to msnbot-65-55-252-43.search.msn.com  (65.55.252.43:443)

TCP (HTTP SSL):
Connects to mrs04s10-in-f14.1e100.net  (216.58.210.238:443)
