Domain | ID | Name | Use | |
---|---|---|---|---|
Enterprise | T1071 | .002 | Application Layer Protocol: File Transfer Protocols | |
.003 | Application Layer Protocol: Mail Protocols | |||
Enterprise | T1197 | BITS Jobs |
A JPIN variant downloads the backdoor payload via the BITS service.[1] |
|
Enterprise | T1059 | .003 | Command and Scripting Interpreter: Windows Command Shell |
JPIN can use the command-line utility cacls.exe to change file permissions.[1] |
Enterprise | T1083 | File and Directory Discovery |
JPIN can enumerate drives and their types. It can also change file permissions using cacls.exe.[1] |
|
Enterprise | T1222 | .001 | File and Directory Permissions Modification: Windows File and Directory Permissions Modification |
JPIN can use the command-line utility cacls.exe to change file permissions.[1] |
Enterprise | T1562 | .001 | Impair Defenses: Disable or Modify Tools |
JPIN can lower security settings by changing Registry keys.[1] |
Enterprise | T1070 | .004 | Indicator Removal: File Deletion |
JPIN's installer/uninstaller component deletes itself if it encounters a version of Windows earlier than Windows XP or identifies security-related processes running.[1] |
Enterprise | T1105 | Ingress Tool Transfer | ||
Enterprise | T1056 | .001 | Input Capture: Keylogging | |
Enterprise | T1027 | Obfuscated Files or Information |
A JPIN uses a encrypted and compressed payload that is disguised as a bitmap within the resource section of the installer.[1] |
|
Enterprise | T1069 | .001 | Permission Groups Discovery: Local Groups | |
Enterprise | T1057 | Process Discovery | ||
Enterprise | T1055 | Process Injection | ||
Enterprise | T1012 | Query Registry | ||
Enterprise | T1518 | .001 | Software Discovery: Security Software Discovery |
JPIN checks for the presence of certain security-related processes and deletes its installer/uninstaller component if it identifies any of them.[1] |
Enterprise | T1082 | System Information Discovery |
JPIN can obtain system information such as OS version and disk space.[1] |
|
Enterprise | T1016 | System Network Configuration Discovery |
JPIN can obtain network information, including DNS, IP, and proxies.[1] |
|
Enterprise | T1033 | System Owner/User Discovery | ||
Enterprise | T1007 | System Service Discovery |