S0283 jRAT
jRAT is a cross-platform, Java-based backdoor originally available for purchase in 2012. Variants of jRAT have been distributed via a software-as-a-service platform, similar to an online subscription model.[1][2]
Item | Value |
---|---|
ID | S0283 |
Associated Names | JSocket, AlienSpy, Frutas, Sockrat, Unrecom, jFrutas, Adwind, jBiFrost, Trojan.Maljava |
Type | MALWARE |
Version | 2.1 |
Created | 17 October 2018 |
Last Modified | 25 January 2021 |
Associated Software Descriptions
Name | Description |
---|---|
JSocket | [1] |
AlienSpy | [1] |
Frutas | [1] |
Sockrat | [1] |
Unrecom | [1] |
jFrutas | [1] |
Adwind | [1] |
jBiFrost | [3] |
Trojan.Maljava | [2] |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1123 | Audio Capture | jRAT can capture microphone recordings.[1] |
enterprise | T1037 | Boot or Logon Initialization Scripts | - |
enterprise | T1037.005 | Startup Items | jRAT can list and manage startup entries.[1] |
enterprise | T1115 | Clipboard Data | jRAT can capture clipboard data.[1] |
enterprise | T1059 | Command and Scripting Interpreter | - |
enterprise | T1059.003 | Windows Command Shell | jRAT has command line access.[1] |
enterprise | T1059.005 | Visual Basic | jRAT has been distributed as HTA files with VBScript.[1] |
enterprise | T1059.007 | JavaScript | jRAT has been distributed as HTA files with JScript.[1] |
enterprise | T1555 | Credentials from Password Stores | - |
enterprise | T1555.003 | Credentials from Web Browsers | jRAT can capture passwords from common web browsers such as Internet Explorer, Google Chrome, and Firefox.[1] |
enterprise | T1083 | File and Directory Discovery | jRAT can browse file systems.[1][4] |
enterprise | T1070 | Indicator Removal | - |
enterprise | T1070.004 | File Deletion | jRAT has a function to delete files from the victim's machine.[2] |
enterprise | T1105 | Ingress Tool Transfer | jRAT can download and execute files.[2][1][4] |
enterprise | T1056 | Input Capture | - |
enterprise | T1056.001 | Keylogging | jRAT has the capability to log keystrokes from the victim's machine, both offline and online.[2][1] |
enterprise | T1027 | Obfuscated Files or Information | jRAT's Java payload is encrypted with AES.[2] Additionally, backdoor files are encrypted using DES as a stream cipher. Later variants of jRAT also incorporated AV evasion methods such as Java bytecode obfuscation via the commercial Allatori obfuscation tool.[4] |
enterprise | T1027.002 | Software Packing | jRAT payloads have been packed.[1] |
enterprise | T1120 | Peripheral Device Discovery | jRAT can map UPnP ports.[1] |
enterprise | T1057 | Process Discovery | jRAT can query and kill system processes.[4] |
enterprise | T1090 | Proxy | jRAT can serve as a SOCKS proxy server.[1] |
enterprise | T1021 | Remote Services | - |
enterprise | T1021.001 | Remote Desktop Protocol | jRAT can support RDP control.[1] |
enterprise | T1029 | Scheduled Transfer | jRAT can be configured to reconnect at certain intervals.[1] |
enterprise | T1113 | Screen Capture | jRAT has the capability to take screenshots of the victim's machine.[2][1] |
enterprise | T1518 | Software Discovery | - |
enterprise | T1518.001 | Security Software Discovery | jRAT can list security software, such as by using WMIC to identify anti-virus products installed on the victim's machine and to obtain firewall details.[2][1] |
enterprise | T1082 | System Information Discovery | jRAT collects information about the OS (version, build type, install date) as well as system up-time upon receiving a connection from a backdoor.[4] |
enterprise | T1016 | System Network Configuration Discovery | jRAT can gather victim internal and external IPs.[1] |
enterprise | T1049 | System Network Connections Discovery | jRAT can list network connections.[1] |
enterprise | T1007 | System Service Discovery | jRAT can list local services.[1] |
enterprise | T1552 | Unsecured Credentials | - |
enterprise | T1552.001 | Credentials In Files | jRAT can capture passwords from common chat applications such as MSN Messenger, AOL, Instant Messenger, and Google Talk.[1] |
enterprise | T1552.004 | Private Keys | jRAT can steal keys for VPNs and cryptocurrency wallets.[1] |
enterprise | T1125 | Video Capture | jRAT has the capability to capture video from a webcam.[2][1] |
enterprise | T1047 | Windows Management Instrumentation | jRAT uses WMIC to identify anti-virus products installed on the victim's machine and to obtain firewall details.[2] |
References
1. Kamluk, V. & Gostev, A. (2016, February). Adwind - A Cross-Platform RAT. Retrieved April 23, 2019.
2. Sharma, R. (2018, August 15). Revamped jRAT Uses New Anti-Parsing Techniques. Retrieved September 21, 2018.
3. The Australian Cyber Security Centre (ACSC), the Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NZ NCSC), CERT New Zealand, the UK National Cyber Security Centre (UK NCSC) and the US National Cybersecurity and Communications Integration Center (NCCIC). (2018, October 11). Joint report on publicly available hacking tools. Retrieved March 11, 2019.
4. Bingham, J. (2013, February 11). Cross-Platform Frutas RAT Builder and Back Door. Retrieved April 23, 2019.