jRAT
Associated Software Descriptions |
|
| Name | Description |
|---|---|
| JSocket | (Citation: Kaspersky Adwind Feb 2016) |
| AlienSpy | (Citation: Kaspersky Adwind Feb 2016) |
| Frutas | (Citation: Kaspersky Adwind Feb 2016) |
| Sockrat | (Citation: Kaspersky Adwind Feb 2016) |
| Unrecom | (Citation: Kaspersky Adwind Feb 2016) |
| jFrutas | (Citation: Kaspersky Adwind Feb 2016) |
| Adwind | (Citation: Kaspersky Adwind Feb 2016) |
| jBiFrost | (Citation: NCSC Joint Report Public Tools) |
| Trojan.Maljava | (Citation: jRAT Symantec Aug 2018) |
Techniques Used |
||||
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1037 | .005 | Boot or Logon Initialization Scripts: Startup Items |
jRAT can list and manage startup entries.(Citation: Kaspersky Adwind Feb 2016) |
| Enterprise | T1059 | .003 | Command and Scripting Interpreter: Windows Command Shell |
jRAT has command line access.(Citation: Kaspersky Adwind Feb 2016) |
| .005 | Command and Scripting Interpreter: Visual Basic |
jRAT has been distributed as HTA files with VBScript.(Citation: Kaspersky Adwind Feb 2016) |
||
| .007 | Command and Scripting Interpreter: JavaScript |
jRAT has been distributed as HTA files with JScript.(Citation: Kaspersky Adwind Feb 2016) |
||
| Enterprise | T1555 | .003 | Credentials from Password Stores: Credentials from Web Browsers |
jRAT can capture passwords from common web browsers such as Internet Explorer, Google Chrome, and Firefox.(Citation: Kaspersky Adwind Feb 2016) |
| Enterprise | T1070 | .004 | Indicator Removal: File Deletion |
jRAT has a function to delete files from the victim’s machine.(Citation: jRAT Symantec Aug 2018) |
| Enterprise | T1056 | .001 | Input Capture: Keylogging |
jRAT has the capability to log keystrokes from the victim’s machine, both offline and online.(Citation: jRAT Symantec Aug 2018)(Citation: Kaspersky Adwind Feb 2016) |
| Enterprise | T1027 | .002 | Obfuscated Files or Information: Software Packing |
jRAT payloads have been packed.(Citation: Kaspersky Adwind Feb 2016) |
| Enterprise | T1021 | .001 | Remote Services: Remote Desktop Protocol |
jRAT can support RDP control.(Citation: Kaspersky Adwind Feb 2016) |
| Enterprise | T1518 | .001 | Software Discovery: Security Software Discovery |
jRAT can list security software, such as by using WMIC to identify anti-virus products installed on the victim’s machine and to obtain firewall details.(Citation: jRAT Symantec Aug 2018)(Citation: Kaspersky Adwind Feb 2016) |
| Enterprise | T1552 | .001 | Unsecured Credentials: Credentials In Files |
jRAT can capture passwords from common chat applications such as MSN Messenger, AOL, Instant Messenger, and and Google Talk.(Citation: Kaspersky Adwind Feb 2016) |
| .004 | Unsecured Credentials: Private Keys |
jRAT can steal keys for VPNs and cryptocurrency wallets.(Citation: Kaspersky Adwind Feb 2016) |
||
References
- Kamluk, V. & Gostev, A. (2016, February). Adwind - A Cross-Platform RAT. Retrieved April 23, 2019.
- Sharma, R. (2018, August 15). Revamped jRAT Uses New Anti-Parsing Techniques. Retrieved September 21, 2018.
- The Australian Cyber Security Centre (ACSC), the Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NZ NCSC), CERT New Zealand, the UK National Cyber Security Centre (UK NCSC) and the US National Cybersecurity and Communications Integration Center (NCCIC). (2018, October 11). Joint report on publicly available hacking tools. Retrieved March 11, 2019.
- Bingham, J. (2013, February 11). Cross-Platform Frutas RAT Builder and Back Door. Retrieved April 23, 2019.
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.