client.exe

Software Jockey

This adware bundler is distributed through Adknowledge's advertising supported software managers. The application client.exe by Software Jockey has been detected as adware by 8 anti-malware scanners. The program is a setup application that uses the Adknowledge Fusion installer. Additionally, the file is typically installed by a number of programs including Rockettab by Rich River Media, LLC and “RocketTab” by Adknowledge, both potentially unwanted software. While running, it connects to the Internet address server-52-84-126-205.iad16.r.cloudfront.net on port 80 using the HTTP protocol.
Publisher:
Software Jockey  (signed and verified)

MD5:
044594492c0c5d8dae35f5b4c787e78b

SHA-1:
c9c4be46c68c631525503debaed4351a7d393f4d

SHA-256:
de752dea0f2c1234c861ae119c4c0c6cec182eb891e7f5bf9f53e69f27ab8468

Scanner detections:
8 / 68

Status:
Adware

Explanation:
This installer bundles various adware prorgams that may include toolbars and web browser advertising injectors/extensions.

Description:
This is also known as bundleware, or downloadware, which is an downloader designed to simply deliver ad-supported offers in the setup routine of an otherwise legitimate software.

Analysis date:
11/5/2024 5:45:29 AM UTC  (today)

Scan engine
Detection
Engine version

AVG
Generic
2015.0.3299

Baidu Antivirus
Adware.MSIL.iBryte
4.0.3.14116

ESET NOD32
MSIL/Adware.iBryte (variant)
8.10676

Kaspersky
not-a-virus:AdWare.MSIL.RocketTab
14.0.0.2760

Malwarebytes
PUP.Optional.SoftJok
v2014.12.22.12

McAfee
Artemis!9CBD7602DB05
5600.6909

Reason Heuristics
PUP.SoftwareJockey.G
14.11.6.6

VIPRE Antivirus
AdKnowledge
34538

File size:
5.5 MB (5,751,528 bytes)

File type:
Executable application (Win32 EXE)

Bundler/Installer:
Adknowledge Fusion

Common path:
C:\users\{user}\appdata\local\search extensions\client.exe

Digital Signature
Signed by:

Authority:
COMODO CA Limited

Valid from:
3/24/2014 1:00:00 AM

Valid to:
3/25/2015 12:59:59 AM

Subject:
CN=Software Jockey, O=Software Jockey, STREET="4600 Madison Ave, 10th FL", L=Kansas City, S=Missouri, PostalCode=64112, C=US

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
3481FC293A085AD3BA94D30DC9CC2E95

File PE Metadata
Compilation timestamp:
11/5/2014 8:41:22 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
24576:LUVo2yz8Lfv+8r/ocWJYG/UfXlTvl6frk0tyhq7EIZlbmulmPA/1FDiLpwQ1Nbf0:NGEParcqx7FFVn1B0Pqjw

Entry address:
0x1D9D

Entry point:
E8, 7D, 26, 00, 00, E9, 89, FE, FF, FF, 8B, FF, 55, 8B, EC, 83, 7D, 08, 00, 74, 2D, FF, 75, 08, 6A, 00, FF, 35, AC, 8F, 97, 00, FF, 15, 38, 80, 40, 00, 85, C0, 75, 18, 56, E8, 2F, 27, 00, 00, 8B, F0, FF, 15, 34, 80, 40, 00, 50, E8, DF, 26, 00, 00, 59, 89, 06, 5E, 5D, C3, 6A, 0C, 68, 90, A4, 40, 00, E8, 43, 24, 00, 00, 6A, 0E, E8, 2F, 2A, 00, 00, 59, 83, 65, FC, 00, 8B, 75, 08, 8B, 4E, 04, 85, C9, 74, 2F, A1, 00, 84, 97, 00, BA, FC, 83, 97, 00, 89, 45, E4, 85, C0, 74, 11, 39, 08, 75, 2C, 8B, 48, 04, 89, 4A...
 
[+]

Code size:
25.5 KB (26,112 bytes)

The file client.exe has been discovered within the following programs.

“RocketTab”  by Adknowledge
RocketTab is a web browser extension that injects display advertising in the user's browser. Ads are displayed in the form of banners and contextual text-links and are both injected in white space areas of the HTML page or over existing ads of the underlying web site.
85% remove it
Rockettab  by Rich River Media, LLC
RocketTab is an adware program that injects advertising in the user's web browser by creating a local proxy server and routing all Internet traffic through that proxy. By re-routing traffic the service will be able to include various ads in the HTML of the displaying web page.
rockettab.com
88% remove it
 
Powered by Should I Remove It?

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to ec2-52-204-49-223.compute-1.amazonaws.com  (52.204.49.223:80)

TCP (HTTP):
Connects to a104-101-134-168.deploy.static.akamaitechnologies.com  (104.101.134.168:80)

TCP (HTTP):
Connects to ec2-54-165-188-245.compute-1.amazonaws.com  (54.165.188.245:80)

TCP (HTTP SSL):
Connects to ec2-52-20-120-15.compute-1.amazonaws.com  (52.20.120.15:443)

TCP (HTTP SSL):
Connects to xx-fbcdn-shv-01-kut2.fbcdn.net  (157.240.10.23:443)

TCP (HTTP SSL):
Connects to server-54-230-159-33.sin3.r.cloudfront.net  (54.230.159.33:443)

TCP (HTTP SSL):
Connects to edge-star-mini-shv-01-kul1.facebook.com  (31.13.67.36:443)

TCP (HTTP):
Connects to ec2-54-221-254-214.compute-1.amazonaws.com  (54.221.254.214:80)

TCP (HTTP):
Connects to ec2-52-72-254-231.compute-1.amazonaws.com  (52.72.254.231:80)

TCP (HTTP SSL):
Connects to t6-ha.ycpi.sgb.yahoo.com  (119.161.11.151:443)

TCP (HTTP):
Connects to s3-1-w.amazonaws.com  (52.216.1.72:80)

TCP (HTTP):
Connects to ec2-54-235-170-110.compute-1.amazonaws.com  (54.235.170.110:80)

TCP (HTTP):
Connects to ec2-54-191-37-103.us-west-2.compute.amazonaws.com  (54.191.37.103:80)

TCP (HTTP):
Connects to a184-29-91-114.deploy.static.akamaitechnologies.com  (184.29.91.114:80)

TCP (HTTP SSL):
Connects to xx-fbcdn-shv-01-kul1.fbcdn.net  (31.13.67.7:443)

TCP (HTTP SSL):
Connects to w1.buysub.com  (198.176.166.187:443)

TCP (HTTP SSL):
Connects to TIG-Net17-16.trueintergateway.com  (27.123.17.16:443)

TCP (HTTP):
Connects to server-54-230-159-246.sin3.r.cloudfront.net  (54.230.159.246:80)

TCP (HTTP):
Connects to server-54-192-159-28.sin3.r.cloudfront.net  (54.192.159.28:80)

TCP (HTTP SSL):
Connects to rtr3.l7.search.vip.sg3.yahoo.com  (106.10.162.43:443)

Remove client.exe - Powered by Reason Core Security