JPIN

JPIN is a custom-built backdoor family used by PLATINUM. Evidence suggests developers of JPIN and Dipsind code bases were related in some way. [1]

ID: S0201
Type: MALWARE
Platforms: Windows
Contributors: Ryan Becwar
Version: 1.0

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1197 | BITS Jobs | A JPIN variant downloads the backdoor payload via the BITS service. [1] |
| Enterprise | T1059 | Command-Line Interface | JPIN can use the command-line utility cacls.exe to change file permissions. [1] |
| Enterprise | T1089 | Disabling Security Tools | JPIN can lower or disable security settings by changing Registry keys. [1] |
| Enterprise | T1083 | File and Directory Discovery | JPIN can enumerate drives and their types. It can also change file permissions using cacls.exe. [1] |
| Enterprise | T1107 | File Deletion | JPIN's installer/uninstaller component deletes itself if it encounters a version of Windows earlier than Windows XP or identifies security-related processes running. [1] |
| Enterprise | T1222 | File Permissions Modification | JPIN can use the command-line utility cacls.exe to change file permissions. [1] |
| Enterprise | T1056 | Input Capture | JPIN contains a custom keylogger. [1] |
| Enterprise | T1027 | Obfuscated Files or Information | JPIN uses an encrypted and compressed payload that is disguised as a bitmap within the resource section of the installer. [1] |
| Enterprise | T1069 | Permission Groups Discovery | JPIN can obtain the victim user name. [1] |
| Enterprise | T1057 | Process Discovery | JPIN can list running processes. [1] |
| Enterprise | T1055 | Process Injection | JPIN can inject content into lsass.exe to load a module. [1] |
| Enterprise | T1012 | Query Registry | JPIN can enumerate Registry keys. [1] |
| Enterprise | T1105 | Remote File Copy | JPIN can download files and upgrade itself. [1] |
| Enterprise | T1063 | Security Software Discovery | JPIN checks for the presence of certain security-related processes and deletes its installer/uninstaller component if it identifies any of them. [1] |
| Enterprise | T1071 | Standard Application Layer Protocol | JPIN can communicate over FTP and send email over SMTP. [1] |
| Enterprise | T1082 | System Information Discovery | JPIN can obtain system information such as OS version and disk space. [1] |
| Enterprise | T1016 | System Network Configuration Discovery | JPIN can obtain network information, including DNS, IP, and proxies. [1] |
| Enterprise | T1033 | System Owner/User Discovery | JPIN can obtain the victim user name. [1] |
| Enterprise | T1007 | System Service Discovery | JPIN can list running services. [1] |

Groups That Use This Software

| ID | Name | References |
|---|---|---|
| G0068 | PLATINUM | [1] |

References