The exploit is not very reliable, as it tries to overwrite a big chunk of memory. As a result, in most cases, upon exploitation, we can still see the payload downloading, but it fails to execute and yields a JVM crash. When the McRAT successfully installs in the compromised endpoint as an EXE (MD5: 4d519bf53a8217adc4c15d15f0815993), it generates the following HTTP command and control traffic:
POST /59788582 HTTP/1.0
Content-Length: 44
Accept: text/html,application/xhtml+xml,application/xml,*/*
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Host: 110.XXX.55.187
Pragma: no-cache
It should be possible to detect this using something like snort at the firewall/gateway.