» client.exe
Overview
Analysis
File Details
Behaviors (1)
Network (133)

client.exe

Joltlogic

This is published and distributed via an Adknowledge's advertising supported (adware) software installer. The application client.exe by Joltlogic has been detected as adware by 14 anti-malware scanners. This executable runs as a local area network (LAN) Internet proxy server listening on port 49742 and has the ability to intercept and modify all inbound and outbound Internet traffic on the local host.

File name:

client.exe

Publisher:

Joltlogic (signed and verified)

MD5:

4d1ab8433e6ae0fe0f41a759de599181

SHA-1:

dbcf2e3df94fffd2631a92381acafc34fd207ebd

SHA-256:

ee055fc6debb778f93b5e5d714cff0ac4df1a1bc6fec47cb88548aab060ffe7a

Scanner detections:

14 / 68

Status:

Adware

Explanation:

This installer bundles various adware prorgams that may include toolbars and web browser advertising injectors/extensions.

Analysis date:

11/22/2024 9:01:31 PM UTC (today)

Scan engine

Detection

Engine version

Lavasoft Ad-Aware

Gen:Variant.Adware.iBryte.8

759

avast!

Win32:Dropper-gen [Drp]

2014.9-150114

AVG

Generic

2016.0.3237

Baidu Antivirus

Adware.MSIL.iBryte

4.0.3.15114

Bitdefender

Gen:Variant.Adware.iBryte.8

1.0.20.30

Comodo Security

TrojWare.Win32.Injector.ABIP

20621

Emsisoft Anti-Malware

Gen:Variant.Adware.iBryte

8.15.01.06.06

ESET NOD32

MSIL/Adware.iBryte (variant)

9.10972

F-Secure

Gen:Variant.Adware.iBryte.8

11.2015-06-01_3

G Data

Gen:Variant.Adware.iBryte

15.1.24

MicroWorld eScan

Gen:Variant.Adware.iBryte.8

16.0.0.18

Reason Heuristics

PUP.Joltlogic.G

15.1.6.18

Sophos

Mal/Wintrim-A

4.98

VIPRE Antivirus

AdKnowledge

36432

File size:

1.8 MB (1,882,336 bytes)

File type:

Executable application (Win32 EXE)

Common path:

C:\users\{user}\appdata\local\geniusbox\client.exe

Digital Signature

Signed by:

Joltlogic

Authority:

COMODO CA Limited

Valid from:

7/15/2014 7:00:00 PM

Valid to:

7/16/2015 6:59:59 PM

Subject:

CN=Joltlogic, O=Joltlogic, STREET=4600 Madison Ave FL 10, L=Kansas City, S=Missouri, PostalCode=64112, C=US

Issuer:

CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:

5EE011413A702F6705B25B34B674F3AB

File PE Metadata

Compilation timestamp:

1/6/2015 12:44:50 PM

OS version:

5.1

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

10.0

CTPH (ssdeep):

24576:olSKpkTZrDHo/hfEtxmiEx1IzyaTIhaC23x/fsZuQ/5OZFypPRDKxAsL:/KpoFltoi7zt8hCfs9JpPRo

Entry address:

0xB967

Entry point:

E8, A3, 32, 00, 00, E9, 89, FE, FF, FF, 8B, FF, 55, 8B, EC, 83, 7D, 08, 00, 74, 2D, FF, 75, 08, 6A, 00, FF, 35, E4, 47, 4A, 00, FF, 15, 60, F0, 41, 00, 85, C0, 75, 18, 56, E8, 55, 33, 00, 00, 8B, F0, FF, 15, 5C, F0, 41, 00, 50, E8, 05, 33, 00, 00, 59, 89, 06, 5E, 5D, C3, 8B, C1, 83, 60, 04, 00, C7, 00, D8, DB, 49, 00, C6, 40, 08, 00, C3, 8B, FF, 55, 8B, EC, 8B, C1, 8B, 4D, 08, C7, 00, D8, DB, 49, 00, 8B, 09, 89, 48, 04, C6, 40, 08, 00, 5D, C2, 08, 00, 8B, 41, 04, 85, C0, 75, 05, B8, E0, DB, 49, 00, C3, 8B... 
[+]

Entropy:

5.9771

Code size:

118 KB (120,832 bytes)

Local Proxy Server

Proxy for:

Internet Settings

Local host address:

http://127.0.0.1:49742/

Local host port:

49742

Default credentials:

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP SSL):

Connects to vip1.g5.cachefly.net (205.234.175.175:443)

TCP (HTTP SSL):

Connects to a-0001.a-msedge.net (204.79.197.200:443)

TCP (HTTP):

Connects to ec2-54-235-170-110.compute-1.amazonaws.com (54.235.170.110:80)

TCP (HTTP):

Connects to ec2-54-208-30-101.compute-1.amazonaws.com (54.208.30.101:80)

TCP (HTTP):

Connects to ec2-54-225-162-60.compute-1.amazonaws.com (54.225.162.60:80)

TCP (HTTP):

Connects to ec2-54-221-254-214.compute-1.amazonaws.com (54.221.254.214:80)

TCP (HTTP SSL):

Connects to msnbot-65-55-252-43.search.msn.com (65.55.252.43:443)

TCP (HTTP):

Connects to ec2-23-23-122-91.compute-1.amazonaws.com (23.23.122.91:80)

TCP (HTTP SSL):

Connects to rtr3.l7.search.vip.ir2.yahoo.com (217.12.15.96:443)

TCP (HTTP):

Connects to a184-50-239-90.deploy.static.akamaitechnologies.com (184.50.239.90:80)

TCP (HTTP):

Connects to a184-50-239-66.deploy.static.akamaitechnologies.com (184.50.239.66:80)

TCP (HTTP SSL):

Connects to a-0011.a-msedge.net (204.79.197.213:443)

TCP (HTTP):

Connects to srv.g.ebay.com (66.211.181.31:80)

TCP (HTTP):

Connects to server-52-85-101-161.jfk1.r.cloudfront.net (52.85.101.161:80)

TCP (HTTP):

Connects to server-52-84-33-206.ewr50.r.cloudfront.net (52.84.33.206:80)

TCP (HTTP):

Connects to gha.g.ebay.com (66.211.184.152:80)

TCP (HTTP):

Connects to esupport.com (38.102.75.222:80)

TCP (HTTP):

Connects to ec2-54-210-5-2.compute-1.amazonaws.com (54.210.5.2:80)

TCP (HTTP):

Connects to ec2-54-209-210-98.compute-1.amazonaws.com (54.209.210.98:80)

TCP (HTTP):

Connects to ec2-54-154-66-200.eu-west-1.compute.amazonaws.com (54.154.66.200:80)

Remove client.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.