17 July 2017

A technical analysis of the Java RAT (Remote Access Trojan) Malware

Written by Rajib Singha
Security
Estimated reading time: 3 minutes

Remote Access Trojans (RATs) are programs that give attackers unauthorized access to a targeted computer without the victim’s knowledge. Java RAT malware is a Trojan-Dropper written in Java. It is designed to steal passwords, access files, log keystrokes (recording what the user types on the keyboard) and capture the screen. Information collected by the RAT is forwarded to a remote server controlled by the attacker.

Distribution Method
Java RAT malware arrives via spam emails that contain malicious attachments (Fig 1).

Fig 1

How Java RAT gets into a system

Once the JAR file is executed, it drops a copy of itself into the path below under the name ‘LyOCtxhwRyz.yrDUql’.

Path: %userprofile%\YzQqKjGoxHz (hidden folder)

For example, C:\Users\Public\YzQqKjGoxHz

Fig 2

The malware drops the following files:

C:\Users\Public\YzQqKjGoxHz\ID.txt

C:\Users\Public\AppData\Local\Temp\OlfYXmVqfL9024669788070560515.reg

%temp%\Retrive2638932198378221530.vbs

%temp%\_0.354484486304158635925511204328476438.class

%Application Data%\Oracle\ (contains a copy of files from the Java installation folder)

It creates the following folders:

C:\Users\Public\YzQqKjGoxHz (contains a copy of the actual malware, i.e. the JAR file)

C:\Users\Public\fUTkALeaTxM

The registry entry shown below (Fig 3), dropped by the malware, launches the malware every time the system boots and downloads the executable file used to infect the system.

Fig 3

The malware adds the following Image File Execution Options (IFEO) registry entries to disable security solutions and analysis tools. Each entry sets a "debugger" value of svchost.exe for the named tool, so that launching the tool starts svchost.exe instead of the tool itself.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe]
"debugger"="svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wireshark.exe]
"debugger"="svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SCANNER.EXE]
"debugger"="svchost.exe"
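As a defender-side check (an added example, not code from the Seqrite post), the following parses .reg-format text such as the dropped .reg file or a `reg export` of the IFEO key and lists every entry whose "Debugger" value redirects a tool to another binary; the sample input is constructed from the entries quoted above plus one benign IFEO key.

```python
import re

# Key under which a "Debugger" value redirects the launch of the named executable.
IFEO_PREFIX = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"

# Constructed .reg text: the entries quoted in the post plus a benign IFEO key to ignore.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe]
"debugger"="svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wireshark.exe]
"debugger"="svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SCANNER.EXE]
"debugger"="svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000200
"""

def parse_reg(text):
    """Parse .reg text into {key_path: {value_name: value}}; REG_SZ values are unquoted."""
    entries, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            entries.setdefault(current, {})
        elif current is not None and line.startswith('"'):
            m = re.match(r'"([^"]+)"=(.*)$', line)
            if m:
                name, raw = m.group(1), m.group(2)
                if raw.startswith('"'):  # REG_SZ: drop quotes, unescape \\ and \"
                    raw = raw[1:-1].replace(r'\\', '\\').replace(r'\"', '"')
                entries[current][name] = raw
    return entries

def find_ifeo_hijacks(text):
    """Return [(target_exe, debugger)] for every IFEO key carrying a Debugger value."""
    hits = []
    for key, values in parse_reg(text).items():
        if not key.lower().startswith(IFEO_PREFIX.lower() + "\\"):
            continue
        target = key.rsplit("\\", 1)[-1].lower()
        for name, val in values.items():
            if name.lower() == "debugger":
                hits.append((target, val))
    return hits
```

On a live system, run `find_ifeo_hijacks(open("ifeo.reg").read())` against the output of `reg export` of the IFEO key; legitimate debuggers are rare there, so any hit deserves a look.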

Seqrite Detection

Seqrite’s real-time protection detects the JAR file and its components as ‘Trojan.JAVA.Agent.JRAT’ and ‘Trojan.JAVA.Agent.JJ’.

Fig 4

Security measures to stay away from Java RAT

  1. Do not click on links or download attachments that arrive in emails from unwanted or unexpected sources.
  2. Apply recommended security updates for your computer’s Operating System and all other programs such as Adobe, Java, Internet browsers, etc.
  3. Use antivirus software that provides layered protection against infected emails and malicious websites, and keep it up to date.
  4. Take regular backups of your important data.
  5. Free software, especially from unverified publishers, is often used by attackers to spread malware. Always use genuine, licensed software.

ACKNOWLEDGMENT

Subject Matter Expert

  • Anita Ladkat | Quick Heal Security Labs
