| Name | Description |
|---|---|
| JSocket | |
| AlienSpy | |
| Frutas | |
| Sockrat | |
| Unrecom | |
| jFrutas | |
| Adwind | |
| jBiFrost | |
| Trojan.Maljava | |
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1047 | Windows Management Instrumentation | jRAT uses WMIC to identify anti-virus products installed on the victim’s machine and to obtain firewall details.[2] |
| Enterprise | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | jRAT can capture passwords from common web browsers such as Internet Explorer, Google Chrome, and Firefox.[1] |
| Enterprise | T1090 | Proxy | |
| Enterprise | T1115 | Clipboard Data | |
| Enterprise | T1037.005 | Boot or Logon Initialization Scripts: Startup Items | |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | |
| Enterprise | T1059.005 | Command and Scripting Interpreter: Visual Basic | |
| Enterprise | T1059.007 | Command and Scripting Interpreter: JavaScript | |
| Enterprise | T1120 | Peripheral Device Discovery | |
| Enterprise | T1113 | Screen Capture | jRAT has the capability to take screenshots of the victim’s machine.[2][1] |
| Enterprise | T1083 | File and Directory Discovery | |
| Enterprise | T1552.001 | Unsecured Credentials: Credentials In Files | jRAT can capture passwords from common chat applications such as MSN Messenger, AOL, Instant Messenger, and Google Talk.[1] |
| Enterprise | T1552.004 | Unsecured Credentials: Private Keys | |
| Enterprise | T1027 | Obfuscated Files or Information | jRAT’s Java payload is encrypted with AES.[2] Additionally, backdoor files are encrypted using DES as a stream cipher. Later variants of jRAT also incorporated AV evasion methods such as Java bytecode obfuscation via the commercial Allatori obfuscation tool.[4] |
| Enterprise | T1027.002 | Obfuscated Files or Information: Software Packing | |
| Enterprise | T1070.004 | Indicator Removal: File Deletion | jRAT has a function to delete files from the victim’s machine.[2] |
| Enterprise | T1082 | System Information Discovery | jRAT collects information about the OS (version, build type, install date) as well as system up-time upon receiving a connection from a backdoor.[4] |
| Enterprise | T1007 | System Service Discovery | |
| Enterprise | T1049 | System Network Connections Discovery | |
| Enterprise | T1016 | System Network Configuration Discovery | |
| Enterprise | T1125 | Video Capture | jRAT has the capability to capture video from a webcam.[2][1] |
| Enterprise | T1518.001 | Software Discovery: Security Software Discovery | jRAT can list security software, such as by using WMIC to identify anti-virus products installed on the victim’s machine and to obtain firewall details.[2][1] |
| Enterprise | T1105 | Ingress Tool Transfer | |
| Enterprise | T1056.001 | Input Capture: Keylogging | jRAT has the capability to log keystrokes from the victim’s machine, both offline and online.[2][1] |
| Enterprise | T1057 | Process Discovery | |
| Enterprise | T1021.001 | Remote Services: Remote Desktop Protocol | |
| Enterprise | T1123 | Audio Capture | |
| Enterprise | T1029 | Scheduled Transfer | jRAT can be configured to reconnect at certain intervals.[1] |