{
	"id": "590c7a89-d98e-45ab-9f3c-0ed4754857cc",
	"created_at": "2026-04-06T03:36:43.768568Z",
	"updated_at": "2026-04-10T13:12:06.698304Z",
	"deleted_at": null,
	"sha1_hash": "049a8e4a57e5eeffb00ff107cd7a6992a15282e5",
	"title": "Revamped jRAT Uses New Anti-Parsing Techniques",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 57789,
	"plain_text": "Revamped jRAT Uses New Anti-Parsing Techniques\r\nBy Rohit Sharma\r\nArchived: 2026-04-06 02:11:22 UTC\r\nWe have recently observed a newer version of the cross-platform jRAT (Trojan.Maljava) remote access Trojan (RAT) in the wild. This version uses new techniques to evade parsing and detection, as well as to prevent itself from being reverse-engineered, by prepending corrupt MZ files before the malicious JAR file.\r\nWe first spotted this version of jRAT in early November 2017. In April 2018, we noticed its number increased by more than 300 percent, to 1,071 from 333 in March. There could be two reasons why we have not seen huge hits for this version: 1) it is meant to remain stealthy and difficult to detect, and is used only for targeted attacks; and 2) it may not yet be widely adopted among attackers. While the volumes of these attacks are on the lower side, this jRAT has shown that it is quite capable and can go undetected with minimal presence and anti-parsing methods.\r\nThe malware mainly targets the financial sector, but we’ve also seen infections in the service, communications, hospitality, government, and energy sectors.\r\nFinance-themed spam emails\r\nThe infection chain begins with spam emails, which are specially crafted using social engineering techniques to entice victims into opening the attachment. We’ve seen several themes for emails distributing this version of jRAT, including:\r\nProof of payment\r\nTransfer Details Confirmation\r\nTransfer Error\r\nInvoice\r\nAdvance payment Transfer slip and bank account details\r\nPayment Advice\r\nWire instruction\r\nCredit Advice\r\nMonthly Report format\r\nFigure 1. Sample of finance-themed spam email\r\nThe emails contain a JAR file attachment. This file comes with a surprise MZ header, as well as two corrupt MZ files prepended before the JAR file.\r\nhttps://www.symantec.com/blogs/threat-intelligence/jrat-new-anti-parsing-techniques\r\nPage 1 of 3\n\nFigure 2. The JAR file attachment comes with a surprise MZ header and two corrupt MZ files prepended\r\nThis thwarts not only MZ parsers, but Java parsers as well. These files do not contain \\x00 bytes, which indicates the intent. The MZ files cannot be parsed due to a broken PE structure; the files appear to be full MZ files but apparently are used only for evading parsers. This may be considered a defense layer to protect the JAR file from being reverse-engineered. Surprisingly, Java is still able to load and execute this JAR file, because more lenient zip parsing implementations rely on the end of central directory record and parse the content from there to locate and execute the main class.\r\nFigure 3. Corrupt MZ file with 0x00 bytes replaced with 0x20\r\nThis file can be recognized as jRAT by looking at the class names.\r\nFigure 4. The wrapper JAR structure\r\nThe wrapper JAR file drops a secondary JAR file and copies it to a %Temp% location. The payload JAR file can be extracted using AES decryption. The first 16 bytes of the file “k” seen in Figure 4 contain the key, and the file “e” is the encrypted Java payload.\r\nThe JAR runs every time Windows starts, and starts executing and connecting to its command and control (C&C) server at 84.[REMOVED].132.145. It uses the WMIC interface to identify antivirus products installed on the compromised computer and firewall details:\r\nwmic /node:localhost /namespace:\\\\root\\SecurityCenter2 path AntiVirusProduct get /format:list\r\nThe configuration file and key file are visible, but the former is AES-encrypted. The JAR file contains various classes with platform-specific implementations for capturing screenshots, playing audio, downloading and executing files, I/O to and from files, and logging keystrokes, among others.\r\nFigure 5. jRAT's configuration file, config.dat, can be decrypted using the AES key in key.dat\r\nCapabilities and target platforms\r\nThis new version of jRAT has the following capabilities:\r\nLog keystrokes\r\nTake screenshots\r\nPlay an audio message\r\nAccess the webcam\r\nAccess the file system to read, write, or delete files\r\nDownload and execute files\r\nWith these capabilities, the malware can violate victims’ privacy and capture and exfiltrate confidential information from target organizations.\r\nIt’s also potentially capable of running on the following platforms: FreeBSD, OpenBSD, OSX, Solaris, Linux, Windows, and Android.\r\nFigure 6. C&C addresses and configurations for alternative operating systems\r\nProtection\r\nSymantec and Norton products detect this threat as the following:\r\nTrojan.Maljava\r\nSymantec Email Security.cloud technology blocks attacks such as this using advanced heuristics.\r\nMitigation\r\nSymantec advises users to be careful while opening emails about monetary transactions containing JAR attachments.\r\nEmphasize multiple, overlapping, and mutually supportive defensive systems to guard against single-point failures in any specific technology or protection method. This includes deployment of endpoint, email, and web gateway protection technologies as well as firewalls and vulnerability assessment solutions. Always keep these security solutions up to date with the latest protection capabilities.\r\nEmploy two-factor authentication (such as Symantec VIP) to provide an additional layer of security and prevent any stolen or cracked credentials from being used by attackers.\r\nEducate employees and urge them to exercise caution around emails from unfamiliar sources and around opening attachments that haven’t been solicited.\r\nRequire everyone in your organization to have long, complex passwords that are changed frequently.\r\nEncourage users to avoid reusing the same passwords on multiple websites; sharing passwords with others should be forbidden.\r\nRohit Sharma\r\nSenior Threat Analysis Engineer\r\nSource: https://www.symantec.com/blogs/threat-intelligence/jrat-new-anti-parsing-techniques",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.symantec.com/blogs/threat-intelligence/jrat-new-anti-parsing-techniques"
	],
	"report_names": [
		"jrat-new-anti-parsing-techniques"
	],
	"threat_actors": [],
	"ts_created_at": 1775446603,
	"ts_updated_at": 1775826726,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/049a8e4a57e5eeffb00ff107cd7a6992a15282e5.pdf",
		"text": "https://archive.orkl.eu/049a8e4a57e5eeffb00ff107cd7a6992a15282e5.txt",
		"img": "https://archive.orkl.eu/049a8e4a57e5eeffb00ff107cd7a6992a15282e5.jpg"
	}
}