Client.exe

Joltlogic

This adware bundler is distributed through Adknowledge's advertising supported software managers. The application Client.exe by Joltlogic has been detected as adware by 14 anti-malware scanners. The program is a setup application that uses the Adknowledge Fusion installer. This executable runs as a local area network (LAN) Internet proxy server listening on port 49196 and has the ability to intercept and modify all inbound and outbound Internet traffic on the local host. While running, it connects to the Internet address w2.src.vip.bf1.yahoo.com on port 80 using the HTTP protocol.
Publisher:
Joltlogic  (signed and verified)

Version:
1.0.5476.25517

MD5:
62cfe43463542a3694df49be525c9784

SHA-1:
87e38d59f7a75cdc9c8351e97e46a627692d43fb

SHA-256:
700446b0621696960f6d35210341ea9d03785c0a920c5b8c48d7233b6cbf5543

Scanner detections:
14 / 68

Status:
Adware

Explanation:
This installer bundles various adware programs that may include toolbars and web browser advertising injectors/extensions.

Description:
This 'download manager' is also considered bundleware, a utility designed to download software (possibly legitimate or opensource) and bundle it with a number of optional offers including ad-supported utilities, toolbars, shopping comparison tools and browser extensions.

Analysis date:
12/24/2024 5:15:46 PM UTC  (today)

Scan engine          Detection                              Engine version
Avira AntiVirus      ADWARE/iBryte.872672                   8.3.2.2
avast!               Win32:IBryte-FV [PUP]                  151024-0
AVG                  Generic                                2015.0.3245
Bkav FE              W32.HfsAdware                          1.3.0.7237
Comodo Security      ApplicUnwnt                            23370
Dr.Web               Trojan.iBryte.537                      9.0.1.05190
ESET NOD32           MSIL/Adware.iBryte.F application       7.0.302.0
K7 AntiVirus         Adware                                 13.210.17454
McAfee               Trojan.GeniusBox!62CFE4346354          18.0.204.0
NANO AntiVirus       Trojan.Win32.Agent.dwtfsb              0.30.26.3947
Reason Heuristics    PUP.Joltlogic.G                        14.12.29.17
Rising Antivirus     PE:Malware.RDM.32!5.26[F1]             23.00.65.151102
Sophos               Generic PUA IH (PUA)                   4.98
VIPRE Antivirus      Threat.4798837                         35418

File size:
852.2 KB (872,672 bytes)

Product version:
1.0.5476.25517

Original file name:
Client.exe

File type:
Executable application (Win32 EXE)

Bundler/Installer:
Adknowledge Fusion

Language:
Language Neutral

Common path:
C:\users\{user}\appdata\local\geniusbox\client.exe

Digital Signature
Signed by:

Authority:
COMODO CA Limited

Valid from:
7/15/2014 6:00:00 PM

Valid to:
7/16/2015 5:59:59 PM

Subject:
CN=Joltlogic, O=Joltlogic, STREET=4600 Madison Ave FL 10, L=Kansas City, S=Missouri, PostalCode=64112, C=US

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
5EE011413A702F6705B25B34B674F3AB

File PE Metadata
Compilation timestamp:
12/29/2014 8:10:54 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
8.0

.NET CLR dependent:
Yes

CTPH (ssdeep):
24576:ZWYv291fsbwxFYkxP52Dns6JSkQTpYQ2:yzfUQ6JSN

Entry address:
0xD595A

Entry point:
FF, 25, 00, 20, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00...

Entropy:
6.3459

Developed / compiled with:
Microsoft Visual C# / Basic .NET

Code size:
846.5 KB (866,816 bytes)

Local Proxy Server
Proxy for:
Internet Settings

Local host address:
http://127.0.0.1:49196/

Local host port:
49196

Default credentials:
No


The executing file has been seen to make the following network communications in live environments.

