Skip to content

S0283 jRAT

jRAT is a cross-platform, Java-based backdoor originally available for purchase in 2012. Variants of jRAT have been distributed via a software-as-a-service platform, similar to an online subscription model.1 2

Item Value
ID S0283
Associated Names JSocket, AlienSpy, Frutas, Sockrat, Unrecom, jFrutas, Adwind, jBiFrost, Trojan.Maljava
Version 2.1
Created 17 October 2018
Last Modified 25 January 2021
Navigation Layer View In ATT&CK® Navigator

Associated Software Descriptions

Name Description
JSocket 1
AlienSpy 1
Frutas 1
Sockrat 1
Unrecom 1
jFrutas 1
Adwind 1
jBiFrost 3
Trojan.Maljava 2

Techniques Used

Domain ID Name Use
enterprise T1123 Audio Capture jRAT can capture microphone recordings.1
enterprise T1037 Boot or Logon Initialization Scripts -
enterprise T1037.005 Startup Items jRAT can list and manage startup entries.1
enterprise T1115 Clipboard Data jRAT can capture clipboard data.1
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.003 Windows Command Shell jRAT has command line access.1
enterprise T1059.005 Visual Basic jRAT has been distributed as HTA files with VBScript.1
enterprise T1059.007 JavaScript jRAT has been distributed as HTA files with JScript.1
enterprise T1555 Credentials from Password Stores -
enterprise T1555.003 Credentials from Web Browsers jRAT can capture passwords from common web browsers such as Internet Explorer, Google Chrome, and Firefox.1
enterprise T1083 File and Directory Discovery jRAT can browse file systems.14
enterprise T1070 Indicator Removal -
enterprise T1070.004 File Deletion jRAT has a function to delete files from the victim’s machine.2
enterprise T1105 Ingress Tool Transfer jRAT can download and execute files.214
enterprise T1056 Input Capture -
enterprise T1056.001 Keylogging jRAT has the capability to log keystrokes from the victim’s machine, both offline and online.21
enterprise T1027 Obfuscated Files or Information jRAT’s Java payload is encrypted with AES.2 Additionally, backdoor files are encrypted using DES as a stream cipher. Later variants of jRAT also incorporated AV evasion methods such as Java bytecode obfuscation via the commercial Allatori obfuscation tool.4
enterprise T1027.002 Software Packing jRAT payloads have been packed.1
enterprise T1120 Peripheral Device Discovery jRAT can map UPnP ports.1
enterprise T1057 Process Discovery jRAT can query and kill system processes.4
enterprise T1090 Proxy jRAT can serve as a SOCKS proxy server.1
enterprise T1021 Remote Services -
enterprise T1021.001 Remote Desktop Protocol jRAT can support RDP control.1
enterprise T1029 Scheduled Transfer jRAT can be configured to reconnect at certain intervals.1
enterprise T1113 Screen Capture jRAT has the capability to take screenshots of the victim’s machine.21
enterprise T1518 Software Discovery -
enterprise T1518.001 Security Software Discovery jRAT can list security software, such as by using WMIC to identify anti-virus products installed on the victim’s machine and to obtain firewall details.21
enterprise T1082 System Information Discovery jRAT collects information about the OS (version, build type, install date) as well as system up-time upon receiving a connection from a backdoor.4
enterprise T1016 System Network Configuration Discovery jRAT can gather victim internal and external IPs.1
enterprise T1049 System Network Connections Discovery jRAT can list network connections.1
enterprise T1007 System Service Discovery jRAT can list local services.1
enterprise T1552 Unsecured Credentials -
enterprise T1552.001 Credentials In Files jRAT can capture passwords from common chat applications such as MSN Messenger, AOL, Instant Messenger, and and Google Talk.1
enterprise T1552.004 Private Keys jRAT can steal keys for VPNs and cryptocurrency wallets.1
enterprise T1125 Video Capture jRAT has the capability to capture video from a webcam.21
enterprise T1047 Windows Management Instrumentation jRAT uses WMIC to identify anti-virus products installed on the victim’s machine and to obtain firewall details.2