File name: dawntained_client.jar
Full analysis: https://app.any.run/tasks/3d5d5c96-d1c6-4805-bdc2-68acaee32adf
Verdict: Malicious activity
Analysis date: April 07, 2019, 01:14:39
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: evasion, opendir
Indicators:
MIME: application/zip
File info: Zip archive data, at least v1.0 to extract
MD5: 52EB03770E85D98487740A364B7E0BA3
SHA1: 83DBB0B5329C08C3DE17D6AF0F3194AAF9256446
SHA256: CFD403DB15547781CC3E6E3E8F6ED0E347ABDD11AAC55DD0A51C240FA837342D
SSDEEP: 98304:/skjlI5gFMrM0X7VkryV8SZaGWK28YyZW5Rksi+0+WXM8Y1E:0h5n7myiCL2eZW5Rksi+N8Y1E

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Loads dropped or rewritten executable

      • javaw.exe (PID: 3576)
  • SUSPICIOUS

    • Creates files in the user directory

      • javaw.exe (PID: 3576)
    • Executes scripts

      • cmd.exe (PID: 3984)
      • cmd.exe (PID: 2088)
      • cmd.exe (PID: 2516)
      • cmd.exe (PID: 2876)
    • Connects to unusual port

      • javaw.exe (PID: 3576)
    • Executable content was dropped or overwritten

      • javaw.exe (PID: 3576)
    • Starts CMD.EXE for commands execution

      • javaw.exe (PID: 3576)
    • Checks for external IP

      • javaw.exe (PID: 3576)
  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.jar | Java Archive (78.3)
.zip | ZIP compressed archive (21.6)

EXIF

ZIP

ZipRequiredVersion: 10
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2019:04:04 15:00:22
ZipCRC: 0x2db8e7ef
ZipCompressedSize: 56
ZipUncompressedSize: 56
ZipFileName: META-INF/MANIFEST.MF
No data.
All screenshots are available in the full report
Total processes
57
Monitored processes
14
Malicious processes
1
Suspicious processes
0

Behavior graph

Graph nodes (14 monitored processes; "no specs" marks a process with no specific indicators):
start | javaw.exe | cmd.exe (no specs) | cmd.exe (no specs) | cscript.exe (no specs) | cmd.exe (no specs) | cmd.exe (no specs) | cscript.exe (no specs) | cmd.exe (no specs) | cmd.exe (no specs) | cscript.exe (no specs) | cmd.exe (no specs) | cmd.exe (no specs) | cscript.exe (no specs) | wmic.exe (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID: 928
CMD: cscript.exe C:\Users\admin\AppData\Local\Temp\jwmi.vbs
Path: C:\Windows\system32\cscript.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Console Based Script Host
Exit code:
0
Version:
5.8.7600.16385
Modules
Images
c:\windows\system32\cscript.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
PID: 1016
CMD: cmd.exe /C "echo %TEMP%"
Path: C:\Windows\system32\cmd.exe
Parent process: javaw.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 1024
CMD: cscript.exe C:\Users\admin\AppData\Local\Temp\jwmi.vbs
Path: C:\Windows\system32\cscript.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Console Based Script Host
Exit code:
0
Version:
5.8.7600.16385
Modules
Images
c:\windows\system32\cscript.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
PID: 2088
CMD: cmd.exe /C cscript.exe C:\Users\admin\AppData\Local\Temp\jwmi.vbs
Path: C:\Windows\system32\cmd.exe
Parent process: javaw.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 2516
CMD: cmd.exe /C cscript.exe C:\Users\admin\AppData\Local\Temp\jwmi.vbs
Path: C:\Windows\system32\cmd.exe
Parent process: javaw.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 2616
CMD: cscript.exe C:\Users\admin\AppData\Local\Temp\jwmi.vbs
Path: C:\Windows\system32\cscript.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Console Based Script Host
Exit code:
0
Version:
5.8.7600.16385
Modules
Images
c:\windows\system32\cscript.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
PID: 2876
CMD: cmd.exe /C cscript.exe C:\Users\admin\AppData\Local\Temp\jwmi.vbs
Path: C:\Windows\system32\cmd.exe
Parent process: javaw.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 3288
CMD: cmd.exe /C "echo %TEMP%"
Path: C:\Windows\system32\cmd.exe
Parent process: javaw.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 3528
CMD: wmic bios get serialnumber
Path: C:\Windows\System32\Wbem\wmic.exe
Parent process: javaw.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
WMI Commandline Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\wbem\wmic.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
PID: 3576
CMD: "C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -jar "C:\Users\admin\AppData\Local\Temp\dawntained_client.jar"
Path: C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe
Parent process: explorer.exe
User:
admin
Company:
Oracle Corporation
Integrity Level:
MEDIUM
Description:
Java(TM) Platform SE binary
Exit code:
0
Version:
8.0.920.14
Modules
Images
c:\program files\java\jre1.8.0_92\bin\javaw.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
Total events
183
Read events
182
Write events
1
Delete events
0

Modification events

(PID) Process: (3576) javaw.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Direct3D\MostRecentApplication
Operation: write
Name: Name
Value: javaw.exe
Executable files
1
Suspicious files
14
Text files
100
Unknown types
4

Dropped files

PID
Process
Filename
Type
PID: 3576
Process: javaw.exe
Filename: C:\Users\admin\AppData\Local\Temp\imageio878103759220430694.tmp
MD5:
SHA256:
PID: 3576
Process: javaw.exe
Filename: C:\Users\admin\AppData\Local\Temp\imageio5971693380413331528.tmp
MD5:
SHA256:
PID: 3576
Process: javaw.exe
Filename: C:\Users\admin\AppData\Local\Temp\jwmi.vbs
MD5:
SHA256:
PID: 3576
Process: javaw.exe
Filename: C:\Users\admin\dawntained\v34\474_cache\dt\474_cache.zip
MD5:
SHA256:
PID: 3576
Process: javaw.exe
Filename: C:\Users\admin\dawntained\v34\474_cache\dt\main_file_cache.dat
MD5:
SHA256:
PID: 3576
Process: javaw.exe
Filename: C:\Users\admin\AppData\Local\Temp\imageio7702023675221319640.tmp
MD5:
SHA256:
PID: 3576
Process: javaw.exe
Filename: C:\Users\admin\jagex_cll_oldschool_LIVE.dat
Type: binary
MD5:
SHA256:
PID: 3576
Process: javaw.exe
Filename: C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp
Type: text
MD5:
SHA256:
PID: 3576
Process: javaw.exe
Filename: C:\Users\admin\dawntained_local\update.json
Type: text
MD5:
SHA256:
PID: 3576
Process: javaw.exe
Filename: C:\Users\admin\dawntained\v34\474_cache\dt\main_file_cache.idx2
Type: binary
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
3
TCP/UDP connections
11
DNS requests
7
Threats
1

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3576 | javaw.exe | GET | 200 | 94.23.249.25:80 | http://www.dawntained.com/game/data.txt | FR | text | 494 b | suspicious
3576 | javaw.exe | GET | 200 | 94.23.249.25:80 | http://www.dawntained.com/game/data.txt | FR | text | 494 b | suspicious
3576 | javaw.exe | GET | 200 | 52.6.79.229:80 | http://checkip.amazonaws.com/ | US | text | 14 b | malicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3576 | javaw.exe | 162.125.66.1:443 | www.dropbox.com | Dropbox, Inc. | DE | shared
3576 | javaw.exe | 52.6.79.229:80 | checkip.amazonaws.com | Amazon.com, Inc. | US | shared
3576 | javaw.exe | 94.23.249.25:80 | www.dawntained.com | OVH SAS | FR | suspicious
3576 | javaw.exe | 94.23.218.44:443 | webservice.dawntained.com | OVH SAS | FR | unknown
3576 | javaw.exe | 162.125.66.6:443 | ucf8d95794b5aae85bad150364d5.dl.dropboxusercontent.com | Dropbox, Inc. | DE | shared
3576 | javaw.exe | 54.36.126.177:43595 | (no domain) | OVH SAS | FR | unknown

DNS requests

Domain | IP | Reputation
www.dawntained.com | 94.23.249.25 | suspicious
checkip.amazonaws.com | 52.6.79.229, 52.206.161.133, 18.211.215.84 | malicious
www.dropbox.com | 162.125.66.1 | shared
ucf8d95794b5aae85bad150364d5.dl.dropboxusercontent.com | 162.125.66.6 | malicious
uc69e33c235a876b28d863ab2b7c.dl.dropboxusercontent.com | 162.125.66.6 | malicious
webservice.dawntained.com | 94.23.218.44 | unknown

Threats

Found threats are available for the paid subscriptions
1 ETPRO signatures available at the full report
No debug info