
A technical analysis of the java RAT (Remote Access Trojan) Malware

Remote Access Trojans are programs that allow attackers to gain unauthorized access to a targeted computer without the victim's knowledge. Java RAT malware is a Trojan dropper written in Java. It is designed to steal passwords, access files, log keystrokes and capture the screen. Information collected by the RAT is forwarded to a remote server controlled by the attacker.

Method of distribution

Java RAT typically arrives via spam emails that contain malicious attachments.


How Java RAT gets into a system

Once the JAR file is executed, it drops a copy of itself into the path below under the name 'LyOCtxhwRyz.yrDUql'.

Path: %userprofile%\YzQqKjGoxHz (hidden folder)

For example, C:\Users\Public\YzQqKjGoxHz


The malware drops the following files:

C:\Users\Public\YzQqKjGoxHz\ID.txt

C:\Users\Public\AppData\Local\Temp\OlfYXmVqfL9024669788070560515.reg

%temp%\Retrive2638932198378221530.vbs

%temp%\_0.354484486304158635925511204328476438.class

%Application Data%\Oracle\ (contains a copy of files from the Java installation folder)

It creates the following folders:

C:\Users\Public\YzQqKjGoxHz (contains a copy of the actual malware, i.e. the JAR file)

C:\Users\Public\fUTkALeaTxM

The registry entry below, dropped by the malware, is used to launch it every time the system boots and to download the executable file that infects the system.


The malware adds the registry entries below to disable security solutions and various analysis tools. Each one sets an Image File Execution Options "debugger" value, so that when the named tool is launched Windows starts svchost.exe in its place and the tool never runs.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe]

"debugger"="svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wireshark.exe]

"debugger"="svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SCANNER.EXE]

"debugger"="svchost.exe"
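Because the malware delivers these keys through a .reg file dropped in %temp%, a responder can triage such a file offline before it is ever imported. The following Python checker is an added example (not code from the original analysis): it parses the [key] / "name"="value" lines of a .reg export and reports every Image File Execution Options key that sets a Debugger value. The sample .reg text is constructed to mirror the entries above; the contents of the actual dropped OlfYXmVqfL*.reg file are not shown in the analysis.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the shape of the IFEO entries described above.
# A real .reg export is usually UTF-16LE: open it with encoding="utf-16".
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe]
"debugger"="svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wireshark.exe]
"debugger"="svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000200
'''

# Lower-cased tail of the IFEO path; the key's hive prefix is left flexible.
IFEO_PREFIX = "\\microsoft\\windows nt\\currentversion\\image file execution options\\"


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a .reg export into {key_path: {value_name: raw_value}}."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]          # a key header, e.g. [HKEY_LOCAL_MACHINE\...]
            keys.setdefault(current, {})
            continue
        m = re.match(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$', line)
        if m and current is not None:
            name = "@" if m.group(1) == "@" else m.group(1)[1:-1]
            value = m.group(2)
            if value.startswith('"') and value.endswith('"'):
                value = value[1:-1]       # string value; dword:/hex: values stay raw
            keys[current][name] = value
    return keys


def find_ifeo_debugger_hijacks(text: str) -> List[Tuple[str, str]]:
    """Return (target_exe, debugger) for every IFEO key that sets a Debugger value.
    Windows launches the Debugger binary instead of the target, so a value that
    points at an unrelated program such as svchost.exe neuters the target tool."""
    hits: List[Tuple[str, str]] = []
    for key, values in parse_reg(text).items():
        idx = key.lower().find(IFEO_PREFIX)
        if idx == -1:
            continue
        target = key[idx + len(IFEO_PREFIX):]
        for name, value in values.items():
            if name.lower() == "debugger":
                hits.append((target, value))
    return hits


if __name__ == "__main__":
    for target, debugger in find_ifeo_debugger_hijacks(SAMPLE_REG):
        print(f"IFEO hijack: {target} -> {debugger}")
```

The GlobalFlag entry for notepad.exe is included to show that only Debugger values are reported, since IFEO keys also carry legitimate debugging settings.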

Quick Heal Detection

Quick Heal real-time protection detects the JAR file and its components as 'Trojan.JAVA.Agent.JRAT' and 'Trojan.JAVA.Agent.JJ'.


Security measures to stay safe from Java RAT

  1. Don't click on unwanted or unexpected links that arrive in emails.
  2. Keep your computer updated with the security updates recommended for your operating system and for other programs such as Adobe products, Java and internet browsers.
  3. Use antivirus software that keeps your system free from malware and other unwanted attacks, and keep it updated regularly so that it keeps working effectively.
  4. Backups are important, so take regular backups of your data.
  5. Beware of unauthorized antivirus software, because such software is sometimes itself the main means of spreading malware.
