jRAT

jRAT is a cross-platform, Java-based backdoor originally available for purchase in 2012. Variants of jRAT have been distributed via a software-as-a-service platform, similar to an online subscription model.[1][2]

ID: S0283
Associated Software: JSocket, AlienSpy, Frutas, Sockrat, Unrecom, jFrutas, Adwind, jBiFrost, Trojan.Maljava
Type: MALWARE
Platforms: Linux, Windows, macOS, Android
Version: 2.0

Associated Software Descriptions

Name Description
JSocket [1]
AlienSpy [1]
Frutas [1]
Sockrat [1]
Unrecom [1]
jFrutas [1]
Adwind [1]
jBiFrost [4]
Trojan.Maljava [2]

Techniques Used

Domain ID Name Use
Enterprise T1123 Audio Capture

jRAT can capture microphone recordings.[1]

Enterprise T1115 Clipboard Data

jRAT can capture clipboard data.[1]

Enterprise T1059 Command-Line Interface

jRAT has command line access.[1]

Enterprise T1090 Connection Proxy

jRAT can serve as a SOCKS proxy server.[1]

Enterprise T1503 Credentials from Web Browsers

jRAT can capture passwords from common web browsers such as Internet Explorer, Google Chrome, and Firefox.[1]

Enterprise T1081 Credentials in Files

jRAT can capture passwords from common chat applications such as MSN Messenger, AOL Instant Messenger, and Google Talk.[1]

Enterprise T1083 File and Directory Discovery

jRAT can browse file systems.[1][3]

Enterprise T1107 File Deletion

jRAT has a function to delete files from the victim’s machine.[2]

Enterprise T1056 Input Capture

jRAT has the capability to log keystrokes from the victim’s machine, both offline and online.[2][1]

Enterprise T1027 Obfuscated Files or Information

jRAT’s Java payload is encrypted with AES. Additionally, backdoor files are encrypted using DES as a stream cipher. Later variants of jRAT also incorporated AV evasion methods such as Java bytecode obfuscation via the commercial Allatori obfuscation tool.[2][3]

Enterprise T1120 Peripheral Device Discovery

jRAT can map UPnP ports.[1]

Enterprise T1145 Private Keys

jRAT can steal keys for VPNs and cryptocurrency wallets.[1]

Enterprise T1057 Process Discovery

jRAT can query and kill system processes.[3]

Enterprise T1076 Remote Desktop Protocol

jRAT can support RDP control.[1]

Enterprise T1105 Remote File Copy

jRAT can download and execute files.[2][1][3]

Enterprise T1029 Scheduled Transfer

jRAT can be configured to reconnect at certain intervals.[1]

Enterprise T1113 Screen Capture

jRAT has the capability to take screenshots of the victim’s machine.[2][1]

Enterprise T1064 Scripting

jRAT has been distributed as HTA files with VBScript+JScript.[1]

Enterprise T1063 Security Software Discovery

jRAT can list security software, such as by using WMIC to identify anti-virus products installed on the victim’s machine and to obtain firewall details.[2][1]

Enterprise T1045 Software Packing

jRAT payloads have been packed.[1]

Enterprise T1165 Startup Items

jRAT can list and manage startup entries.[1]

Enterprise T1082 System Information Discovery

jRAT collects information about the OS (version, build type, install date) as well as system up-time upon receiving a connection from a backdoor.[3]

Enterprise T1016 System Network Configuration Discovery

jRAT can gather victim internal and external IPs.[1]

Enterprise T1049 System Network Connections Discovery

jRAT can list network connections.[1]

Enterprise T1007 System Service Discovery

jRAT can list local services.[1]

Enterprise T1125 Video Capture

jRAT has the capability to capture video from a webcam.[2][1]

Enterprise T1047 Windows Management Instrumentation

jRAT uses WMIC to identify anti-virus products installed on the victim’s machine and to obtain firewall details.[2]

References