jRAT

jRAT is a cross-platform, Java-based backdoor originally available for purchase in 2012. Variants of jRAT have been distributed via a software-as-a-service platform, similar to an online subscription model.[1] [2]

ID: S0283
Associated Software: JSocket, AlienSpy, Frutas, Sockrat, Unrecom, jFrutas, Adwind, jBiFrost, Trojan.Maljava
Type: MALWARE
Platforms: Linux, Windows, macOS, Android
Version: 2.0

Associated Software Descriptions

| Name | Description |
|---|---|
| JSocket | [1] |
| AlienSpy | [1] |
| Frutas | [1] |
| Sockrat | [1] |
| Unrecom | [1] |
| jFrutas | [1] |
| Adwind | [1] |
| jBiFrost | [4] |
| Trojan.Maljava | [2] |

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1123 | Audio Capture | jRAT can capture microphone recordings.[1] |
| Enterprise | T1115 | Clipboard Data | jRAT can capture clipboard data.[1] |
| Enterprise | T1059 | Command-Line Interface | jRAT has command line access.[1] |
| Enterprise | T1090 | Connection Proxy | jRAT can serve as a SOCKS proxy server.[1] |
| Enterprise | T1081 | Credentials in Files | jRAT can capture passwords from common chat applications such as MSN Messenger, AOL Instant Messenger, and Google Talk.[1] |
| Enterprise | T1083 | File and Directory Discovery | jRAT can browse file systems.[1][3] |
| Enterprise | T1107 | File Deletion | jRAT has a function to delete files from the victim's machine.[2] |
| Enterprise | T1056 | Input Capture | jRAT has the capability to log keystrokes from the victim's machine, both offline and online.[2][1] |
| Enterprise | T1027 | Obfuscated Files or Information | jRAT's Java payload is encrypted with AES. Additionally, backdoor files are encrypted using DES as a stream cipher. Later variants of jRAT also incorporated AV evasion methods such as Java bytecode obfuscation via the commercial Allatori obfuscation tool.[2][3] |
| Enterprise | T1120 | Peripheral Device Discovery | jRAT can map UPnP ports.[1] |
| Enterprise | T1145 | Private Keys | jRAT can steal keys for VPNs and cryptocurrency wallets.[1] |
| Enterprise | T1057 | Process Discovery | jRAT can query and kill system processes.[3] |
| Enterprise | T1076 | Remote Desktop Protocol | jRAT can support RDP control.[1] |
| Enterprise | T1105 | Remote File Copy | jRAT can download and execute files.[2][1][3] |
| Enterprise | T1029 | Scheduled Transfer | jRAT can be configured to reconnect at certain intervals.[1] |
| Enterprise | T1113 | Screen Capture | jRAT has the capability to take screenshots of the victim's machine.[2][1] |
| Enterprise | T1064 | Scripting | jRAT has been distributed as HTA files with VBScript+JScript.[1] |
| Enterprise | T1063 | Security Software Discovery | jRAT can list security software, such as by using WMIC to identify anti-virus products installed on the victim's machine and to obtain firewall details.[2][1] |
| Enterprise | T1045 | Software Packing | jRAT payloads have been packed.[1] |
| Enterprise | T1165 | Startup Items | jRAT can list and manage startup entries.[1] |
| Enterprise | T1082 | System Information Discovery | jRAT collects information about the OS (version, build type, install date) as well as system up-time upon receiving a connection from a backdoor.[3] |
| Enterprise | T1016 | System Network Configuration Discovery | jRAT can gather victim internal and external IPs.[1] |
| Enterprise | T1049 | System Network Connections Discovery | jRAT can list network connections.[1] |
| Enterprise | T1007 | System Service Discovery | jRAT can list local services.[1] |
| Enterprise | T1125 | Video Capture | jRAT has the capability to capture video from a webcam.[2][1] |
| Enterprise | T1047 | Windows Management Instrumentation | jRAT uses WMIC to identify anti-virus products installed on the victim's machine and to obtain firewall details.[2] |

References