client.exe

Joltlogic

This adware bundler is distributed through Adknowledge's advertising supported software managers. The application client.exe by Joltlogic has been detected as adware by 17 anti-malware scanners. The program is a setup application that uses the Adknowledge Fusion installer. This executable runs as a local area network (LAN) Internet proxy server listening on port 49216 and has the ability to intercept and modify all inbound and outbound Internet traffic on the local host. While running, it connects to the Internet address waws-prod-sn1-001.cloudapp.net on port 443.
Publisher:
Joltlogic  (signed and verified)

MD5:
d044c69d20a68d531a331d5ff0e46be3

SHA-1:
f07fa95565d57df05032c36463f1e48c0c91d5b5

SHA-256:
85438eab459b5c4db633f959cca22554045f39cad9de290316d0da12a645f17c

Scanner detections:
17 / 68

Status:
Adware

Explanation:
This installer bundles various adware prorgams that may include toolbars and web browser advertising injectors/extensions.

Description:
This is an installer which may bundle legitimate applications with offers for additional 3rd-party applications that may be unwanted by the user. While the installer contains an 'opt-out' feature this is not set be defult and is usually overlooked.

Analysis date:
11/24/2024 5:21:31 PM UTC  (today)

Scan engine
Detection
Engine version

Lavasoft Ad-Aware
Gen:Variant.Adware.iBryte.8
751

Avira AntiVirus
ADWARE/iBryte.Gen4
7.11.201.124

avast!
Win32:Dropper-gen [Drp]
2014.9-150114

AVG
Generic
2016.0.3229

Baidu Antivirus
Adware.MSIL.iBryte
4.0.3.15114

Bitdefender
Gen:Variant.Adware.iBryte.8
1.0.20.70

Comodo Security
TrojWare.Win32.Injector.ABIP
20621

Emsisoft Anti-Malware
Gen:Variant.Adware.iBryte
8.15.01.14.11

ESET NOD32
MSIL/Adware.iBryte.S application
7.0.302.0

F-Secure
Gen:Variant.Adware.iBryte.8
11.2015-14-01_4

G Data
Gen:Variant.Adware.iBryte
15.1.24

MicroWorld eScan
Gen:Variant.Adware.iBryte.8
16.0.0.42

Qihoo 360 Security
HEUR/QVM10.1.Malware.Gen
1.0.0.1015

Reason Heuristics
PUP.Joltlogic.G
15.1.14.20

Rising Antivirus
PE:Trojan.FakeIcon!1.64A5
23.00.65.15112

Sophos
Virus 'Mal/Wintrim-A'
5.09

VIPRE Antivirus
Threat.4798837
36468

File size:
1.8 MB (1,859,808 bytes)

File type:
Executable application (Win32 EXE)

Bundler/Installer:
Adknowledge Fusion

Common path:
C:\users\{user}\appdata\local\geniusbox\client.exe

Digital Signature
Signed by:

Authority:
COMODO CA Limited

Valid from:
7/15/2014 8:00:00 PM

Valid to:
7/16/2015 7:59:59 PM

Subject:
CN=Joltlogic, O=Joltlogic, STREET=4600 Madison Ave FL 10, L=Kansas City, S=Missouri, PostalCode=64112, C=US

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
5EE011413A702F6705B25B34B674F3AB

File PE Metadata
Compilation timestamp:
1/14/2015 3:32:48 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
24576:MJsU3XnyJ3oTetoKYkjzH/MrBRPiNXFlbX/MA8Wu/GYuX7AgCdmWJ8/ZnMMxV:TwjPdFwuW1mmWZ

Entry address:
0xCC67

Entry point:
E8, B3, 33, 00, 00, E9, 89, FE, FF, FF, 8B, FF, 55, 8B, EC, 83, 7D, 08, 00, 74, 2D, FF, 75, 08, 6A, 00, FF, 35, 84, DD, 49, 00, FF, 15, 60, 00, 42, 00, 85, C0, 75, 18, 56, E8, 65, 34, 00, 00, 8B, F0, FF, 15, 5C, 00, 42, 00, 50, E8, 15, 34, 00, 00, 59, 89, 06, 5E, 5D, C3, 8B, C1, 83, 60, 04, 00, C7, 00, 24, 70, 49, 00, C6, 40, 08, 00, C3, 8B, FF, 55, 8B, EC, 8B, C1, 8B, 4D, 08, C7, 00, 24, 70, 49, 00, 8B, 09, 89, 48, 04, C6, 40, 08, 00, 5D, C2, 08, 00, 8B, 41, 04, 85, C0, 75, 05, B8, 2C, 70, 49, 00, C3, 8B...
 
[+]

Entropy:
6.0562

Code size:
123.5 KB (126,464 bytes)

Local Proxy Server
Proxy for:
Internet Settings

Local host address:
http://127.0.0.1:49216/

Local host port:
49216

Default credentials:
No


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP SSL):
Connects to msnbot-65-55-252-43.search.msn.com  (65.55.252.43:443)

TCP (HTTP):

TCP (HTTP SSL):
Connects to us.redir.opera.com  (107.167.110.234:443)

TCP (HTTP):
Connects to ec2-50-17-224-168.compute-1.amazonaws.com  (50.17.224.168:80)

TCP (HTTP SSL):
Connects to yk-in-f139.1e100.net  (74.125.196.139:443)

TCP (HTTP SSL):
Connects to yk-in-f101.1e100.net  (74.125.196.101:443)

TCP (HTTP SSL):
Connects to www2.twitter.jp  (199.59.149.201:443)

TCP (HTTP SSL):
Connects to waws-prod-sn1-001.cloudapp.net  (191.238.240.12:443)

TCP (HTTP SSL):
Connects to waws-prod-blu-013.cloudapp.net  (191.238.8.26:443)

TCP (HTTP SSL):
Connects to ssl.sc.opera.com  (82.145.223.176:443)

TCP (HTTP SSL):
Connects to speeddials.opera.com  (82.145.223.181:443)

TCP (HTTP):
Connects to snt-re3-8c.sjc.dropbox.com  (108.160.162.107:80)

TCP (HTTP):
Connects to server-54-192-192-227.iad53.r.cloudfront.net  (54.192.192.227:80)

TCP (HTTP SSL):
Connects to r-199-59-148-85.twttr.com  (199.59.148.85:443)

TCP:
Connects to qa-in-f188.1e100.net  (173.194.68.188:5228)

TCP (HTTP):
Connects to ord31s22-in-f2.1e100.net  (216.58.216.226:80)

TCP (HTTP SSL):
Connects to ord31s21-in-f3.1e100.net  (216.58.216.195:443)

TCP (HTTP SSL):
Connects to ord30s22-in-f14.1e100.net  (216.58.216.110:443)

TCP (HTTP):
Connects to ord30s21-in-f2.1e100.net  (216.58.216.66:80)

TCP (HTTP):
Connects to ord08s13-in-f18.1e100.net  (173.194.46.114:80)

Remove client.exe - Powered by Reason Core Security