jRAT

jRAT is a cross-platform, Java-based backdoor originally available for purchase in 2012. Variants of jRAT have been distributed via a software-as-a-service platform, similar to an online subscription model.[1][2]

ID: S0283
Associated Software: JSocket, AlienSpy, Frutas, Sockrat, Unrecom, jFrutas, Adwind, jBiFrost, Trojan.Maljava

Type: MALWARE
Platforms: Linux, Windows, macOS, Android

Version: 2.0

Associated Software Descriptions

| Name | Description |
|---|---|
| JSocket | [1] |
| AlienSpy | [1] |
| Frutas | [1] |
| Sockrat | [1] |
| Unrecom | [1] |
| jFrutas | [1] |
| Adwind | [1] |
| jBiFrost | [4] |
| Trojan.Maljava | [2] |

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1123 | Audio Capture | jRAT can capture microphone recordings.[1] |
| Enterprise | T1115 | Clipboard Data | jRAT can capture clipboard data.[1] |
| Enterprise | T1059 | Command-Line Interface | jRAT has command line access.[1] |
| Enterprise | T1090 | Connection Proxy | jRAT can serve as a SOCKS proxy server.[1] |
| Enterprise | T1081 | Credentials in Files | jRAT can capture passwords from various browsers and applications.[1] |
| Enterprise | T1083 | File and Directory Discovery | jRAT can browse file systems.[1][3] |
| Enterprise | T1107 | File Deletion | jRAT has a function to delete files from the victim’s machine.[2] |
| Enterprise | T1056 | Input Capture | jRAT has the capability to log keystrokes from the victim’s machine, both offline and online.[2][1] |
| Enterprise | T1027 | Obfuscated Files or Information | jRAT’s Java payload is encrypted with AES. Additionally, backdoor files are encrypted using DES as a stream cipher. Later variants of jRAT also incorporated AV evasion methods such as Java bytecode obfuscation via the commercial Allatori obfuscation tool.[2][3] |
| Enterprise | T1120 | Peripheral Device Discovery | jRAT can map UPnP ports.[1] |
| Enterprise | T1145 | Private Keys | jRAT can steal keys for VPNs and cryptocurrency wallets.[1] |
| Enterprise | T1057 | Process Discovery | jRAT can query and kill system processes.[3] |
| Enterprise | T1076 | Remote Desktop Protocol | jRAT can support RDP control.[1] |
| Enterprise | T1105 | Remote File Copy | jRAT can download and execute files.[2][1][3] |
| Enterprise | T1029 | Scheduled Transfer | jRAT can be configured to reconnect at certain intervals.[1] |
| Enterprise | T1113 | Screen Capture | jRAT has the capability to take screenshots of the victim’s machine.[2][1] |
| Enterprise | T1064 | Scripting | jRAT has been distributed as HTA files with VBScript+JScript.[1] |
| Enterprise | T1063 | Security Software Discovery | jRAT can list security software, such as by using WMIC to identify anti-virus products installed on the victim’s machine and to obtain firewall details.[2][1] |
| Enterprise | T1045 | Software Packing | jRAT payloads have been packed.[1] |
| Enterprise | T1165 | Startup Items | jRAT can list and manage startup entries.[1] |
| Enterprise | T1082 | System Information Discovery | jRAT collects information about the OS (version, build type, install date) as well as system up-time upon receiving a connection from a backdoor.[3] |
| Enterprise | T1016 | System Network Configuration Discovery | jRAT can gather victim internal and external IPs.[1] |
| Enterprise | T1049 | System Network Connections Discovery | jRAT can list network connections.[1] |
| Enterprise | T1007 | System Service Discovery | jRAT can list local services.[1] |
| Enterprise | T1125 | Video Capture | jRAT has the capability to capture video from a webcam.[2][1] |
| Enterprise | T1047 | Windows Management Instrumentation | jRAT uses WMIC to identify anti-virus products installed on the victim’s machine and to obtain firewall details.[2] |

References