Name | Description |
---|---|
JSocket | |
AlienSpy | |
Frutas | |
Sockrat | |
Unrecom | |
jFrutas | |
Adwind | |
jBiFrost | |
Trojan.Maljava |
Domain | ID | Name | Use | |
---|---|---|---|---|
Enterprise | T1123 | Audio Capture | ||
Enterprise | T1037 | .005 | Boot or Logon Initialization Scripts: Startup Items | |
Enterprise | T1115 | Clipboard Data | ||
Enterprise | T1059 | .003 | Command and Scripting Interpreter: Windows Command Shell | |
.005 | Command and Scripting Interpreter: Visual Basic | |||
.007 | Command and Scripting Interpreter: JavaScript | |||
Enterprise | T1555 | .003 | Credentials from Password Stores: Credentials from Web Browsers |
jRAT can capture passwords from common web browsers such as Internet Explorer, Google Chrome, and Firefox.[1] |
Enterprise | T1083 | File and Directory Discovery | ||
Enterprise | T1070 | .004 | Indicator Removal on Host: File Deletion |
jRAT has a function to delete files from the victim’s machine.[2] |
Enterprise | T1105 | Ingress Tool Transfer | ||
Enterprise | T1056 | .001 | Input Capture: Keylogging |
jRAT has the capability to log keystrokes from the victim’s machine, both offline and online.[2][1] |
Enterprise | T1027 | Obfuscated Files or Information |
jRAT’s Java payload is encrypted with AES.[2] Additionally, backdoor files are encrypted using DES as a stream cipher. Later variants of jRAT also incorporated AV evasion methods such as Java bytecode obfuscation via the commercial Allatori obfuscation tool.[4] |
|
.002 | Software Packing | |||
Enterprise | T1120 | Peripheral Device Discovery | ||
Enterprise | T1057 | Process Discovery | ||
Enterprise | T1090 | Proxy | ||
Enterprise | T1021 | .001 | Remote Services: Remote Desktop Protocol | |
Enterprise | T1029 | Scheduled Transfer |
jRAT can be configured to reconnect at certain intervals.[1] |
|
Enterprise | T1113 | Screen Capture |
jRAT has the capability to take screenshots of the victim’s machine.[2][1] |
|
Enterprise | T1518 | .001 | Software Discovery: Security Software Discovery |
jRAT can list security software, such as by using WMIC to identify anti-virus products installed on the victim’s machine and to obtain firewall details.[2][1] |
Enterprise | T1082 | System Information Discovery |
jRAT collects information about the OS (version, build type, install date) as well as system up-time upon receiving a connection from a backdoor.[4] |
|
Enterprise | T1016 | System Network Configuration Discovery | ||
Enterprise | T1049 | System Network Connections Discovery | ||
Enterprise | T1007 | System Service Discovery | ||
Enterprise | T1552 | .001 | Unsecured Credentials: Credentials In Files |
jRAT can capture passwords from common chat applications such as MSN Messenger, AOL, Instant Messenger, and and Google Talk.[1] |
.004 | Unsecured Credentials: Private Keys | |||
Enterprise | T1125 | Video Capture |
jRAT has the capability to capture video from a webcam.[2][1] |
|
Enterprise | T1047 | Windows Management Instrumentation |
jRAT uses WMIC to identify anti-virus products installed on the victim’s machine and to obtain firewall details.[2] |