jRAT
jRAT is a cross-platform, Java-based backdoor originally available for purchase in 2012. Variants of jRAT have been distributed via a software-as-a-service platform, similar to an online subscription model.[1] [2]
Associated Software Descriptions
| Name | Description |
|---|---|
| JSocket | |
| AlienSpy | |
| Frutas | |
| Sockrat | |
| Unrecom | |
| jFrutas | |
| Adwind | |
| jBiFrost | |
| Trojan.Maljava | |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1123 | Audio Capture | |
| Enterprise | T1037.005 | Boot or Logon Initialization Scripts: Startup Items | |
| Enterprise | T1115 | Clipboard Data | |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | |
| Enterprise | T1059.007 | Command and Scripting Interpreter: JavaScript/JScript | |
| Enterprise | T1059.005 | Command and Scripting Interpreter: Visual Basic | |
| Enterprise | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | jRAT can capture passwords from common web browsers such as Internet Explorer, Google Chrome, and Firefox.[1] |
| Enterprise | T1083 | File and Directory Discovery | |
| Enterprise | T1070.004 | Indicator Removal on Host: File Deletion | jRAT has a function to delete files from the victim’s machine.[2] |
| Enterprise | T1105 | Ingress Tool Transfer | |
| Enterprise | T1056.001 | Input Capture: Keylogging | jRAT has the capability to log keystrokes from the victim’s machine, both offline and online.[2][1] |
| Enterprise | T1027 | Obfuscated Files or Information | jRAT’s Java payload is encrypted with AES.[2] Additionally, backdoor files are encrypted using DES as a stream cipher. Later variants of jRAT also incorporated AV evasion methods such as Java bytecode obfuscation via the commercial Allatori obfuscation tool.[4] |
| Enterprise | T1027.002 | Obfuscated Files or Information: Software Packing | |
| Enterprise | T1120 | Peripheral Device Discovery | |
| Enterprise | T1057 | Process Discovery | |
| Enterprise | T1090 | Proxy | |
| Enterprise | T1021.001 | Remote Services: Remote Desktop Protocol | |
| Enterprise | T1029 | Scheduled Transfer | jRAT can be configured to reconnect at certain intervals.[1] |
| Enterprise | T1113 | Screen Capture | jRAT has the capability to take screenshots of the victim’s machine.[2][1] |
| Enterprise | T1518.001 | Software Discovery: Security Software Discovery | jRAT can list security software, such as by using WMIC to identify anti-virus products installed on the victim’s machine and to obtain firewall details.[2][1] |
| Enterprise | T1082 | System Information Discovery | jRAT collects information about the OS (version, build type, install date) as well as system up-time upon receiving a connection from a backdoor.[4] |
| Enterprise | T1016 | System Network Configuration Discovery | |
| Enterprise | T1049 | System Network Connections Discovery | |
| Enterprise | T1007 | System Service Discovery | |
| Enterprise | T1552.004 | Unsecured Credentials: Private Keys | |
| Enterprise | T1552.001 | Unsecured Credentials: Credentials In Files | jRAT can capture passwords from common chat applications such as MSN Messenger, AOL Instant Messenger, and Google Talk.[1] |
| Enterprise | T1125 | Video Capture | jRAT has the capability to capture video from a webcam.[2][1] |
| Enterprise | T1047 | Windows Management Instrumentation | jRAT uses WMIC to identify anti-virus products installed on the victim’s machine and to obtain firewall details.[2] |
References
- The Australian Cyber Security Centre (ACSC), the Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NZ NCSC), CERT New Zealand, the UK National Cyber Security Centre (UK NCSC) and the US National Cybersecurity and Communications Integration Center (NCCIC). (2018, October 11). Joint report on publicly available hacking tools. Retrieved March 11, 2019.
- Bingham, J. (2013, February 11). Cross-Platform Frutas RAT Builder and Back Door. Retrieved April 23, 2019.