{"description": "Enterprise techniques used by jRAT, ATT&CK software S0283 (v2.2)", "name": "jRAT (S0283)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1123", "comment": "[jRAT](https://attack.mitre.org/software/S0283) can capture microphone recordings.(Citation: Kaspersky Adwind Feb 2016)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1037", "showSubtechniques": true}, {"techniqueID": "T1037.005", "comment": "[jRAT](https://attack.mitre.org/software/S0283) can list and manage startup entries.(Citation: Kaspersky Adwind Feb 2016)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1115", "comment": "[jRAT](https://attack.mitre.org/software/S0283) can capture clipboard data.(Citation: Kaspersky Adwind Feb 2016)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1059", "showSubtechniques": true}, {"techniqueID": "T1059.003", "comment": "[jRAT](https://attack.mitre.org/software/S0283) has command line access.(Citation: Kaspersky Adwind Feb 2016)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059.005", "comment": "[jRAT](https://attack.mitre.org/software/S0283) has been distributed as HTA files with VBScript.(Citation: Kaspersky Adwind Feb 2016)\t", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059.007", "comment": "[jRAT](https://attack.mitre.org/software/S0283) has been distributed as HTA files with JScript.(Citation: Kaspersky Adwind Feb 2016)\t", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1555", "showSubtechniques": true}, {"techniqueID": "T1555.003", "comment": "[jRAT](https://attack.mitre.org/software/S0283) can capture passwords from common web browsers such as Internet Explorer, Google Chrome, and Firefox.(Citation: Kaspersky Adwind Feb 2016)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1083", "comment": "[jRAT](https://attack.mitre.org/software/S0283) can browse file systems.(Citation: Kaspersky Adwind Feb 2016)(Citation: Symantec Frutas Feb 2013)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1070", "showSubtechniques": true}, {"techniqueID": "T1070.004", "comment": "[jRAT](https://attack.mitre.org/software/S0283) has a function to delete files from the victim\u2019s machine.(Citation: jRAT Symantec Aug 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1105", "comment": "[jRAT](https://attack.mitre.org/software/S0283) can download and execute files.(Citation: jRAT Symantec Aug 2018)(Citation: Kaspersky Adwind Feb 2016)(Citation: Symantec Frutas Feb 2013)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1056", "showSubtechniques": true}, {"techniqueID": "T1056.001", "comment": "[jRAT](https://attack.mitre.org/software/S0283) has the capability to log keystrokes from the victim\u2019s machine, both offline and online.(Citation: jRAT Symantec Aug 2018)(Citation: Kaspersky Adwind Feb 2016)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1027", "comment": "[jRAT](https://attack.mitre.org/software/S0283)\u2019s Java payload is encrypted with AES.(Citation: jRAT Symantec Aug 2018) Additionally, backdoor files are encrypted using DES as a stream cipher. Later variants of [jRAT](https://attack.mitre.org/software/S0283) also incorporated AV evasion methods such as Java bytecode obfuscation via the commercial Allatori obfuscation tool.(Citation: Symantec Frutas Feb 2013)", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1027.002", "comment": "[jRAT](https://attack.mitre.org/software/S0283) payloads have been packed.(Citation: Kaspersky Adwind Feb 2016)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1120", "comment": "[jRAT](https://attack.mitre.org/software/S0283) can map UPnP ports.(Citation: Kaspersky Adwind Feb 2016)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1057", "comment": "[jRAT](https://attack.mitre.org/software/S0283) can query and kill system processes.(Citation: Symantec Frutas Feb 2013)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1090", "comment": "[jRAT](https://attack.mitre.org/software/S0283) can serve as a SOCKS proxy server.(Citation: Kaspersky Adwind Feb 2016)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1021", "showSubtechniques": true}, {"techniqueID": "T1021.001", "comment": "[jRAT](https://attack.mitre.org/software/S0283) can support RDP control.(Citation: Kaspersky Adwind Feb 2016)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1029", "comment": "[jRAT](https://attack.mitre.org/software/S0283) can be configured to reconnect at certain intervals.(Citation: Kaspersky Adwind Feb 2016)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1113", "comment": "[jRAT](https://attack.mitre.org/software/S0283) has the capability to take screenshots of the victim\u2019s machine.(Citation: jRAT Symantec Aug 2018)(Citation: Kaspersky Adwind Feb 2016)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1518", "showSubtechniques": true}, {"techniqueID": "T1518.001", "comment": "[jRAT](https://attack.mitre.org/software/S0283) can list security software, such as by using WMIC to identify anti-virus products installed on the victim\u2019s machine and to obtain firewall details.(Citation: jRAT Symantec Aug 2018)(Citation: Kaspersky Adwind Feb 2016)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1082", "comment": "[jRAT](https://attack.mitre.org/software/S0283) collects information about the OS (version, build type, install date) as well as system up-time upon receiving a connection from a backdoor.(Citation: Symantec Frutas Feb 2013)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1016", "comment": "[jRAT](https://attack.mitre.org/software/S0283) can gather victim internal and external IPs.(Citation: Kaspersky Adwind Feb 2016)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1049", "comment": "[jRAT](https://attack.mitre.org/software/S0283) can list network connections.(Citation: Kaspersky Adwind Feb 2016)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1007", "comment": "[jRAT](https://attack.mitre.org/software/S0283) can list local services.(Citation: Kaspersky Adwind Feb 2016)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1552", "showSubtechniques": true}, {"techniqueID": "T1552.001", "comment": "[jRAT](https://attack.mitre.org/software/S0283) can capture passwords from common chat applications such as MSN Messenger, AOL, Instant Messenger, and and Google Talk.(Citation: Kaspersky Adwind Feb 2016)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1552.004", "comment": "[jRAT](https://attack.mitre.org/software/S0283) can steal keys for VPNs and cryptocurrency wallets.(Citation: Kaspersky Adwind Feb 2016)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1125", "comment": "[jRAT](https://attack.mitre.org/software/S0283) has the capability to capture video from a webcam.(Citation: jRAT Symantec Aug 2018)(Citation: Kaspersky Adwind Feb 2016)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1047", "comment": "[jRAT](https://attack.mitre.org/software/S0283) uses WMIC to identify anti-virus products installed on the victim\u2019s machine and to obtain firewall details.(Citation: jRAT Symantec Aug 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by jRAT", "color": "#66b1ff"}]}