JPIN

JPIN is a custom-built backdoor family used by PLATINUM. Evidence suggests developers of JPIN and Dipsind code bases were related in some way. [1]

ID: S0201
Type: MALWARE
Platforms: Windows
Contributors: Ryan Becwar
Version: 1.0

Techniques Used

Domain ID Name Use
Enterprise T1197 BITS Jobs

A JPIN variant downloads the backdoor payload via the BITS service.[1]

Enterprise T1059 Command-Line Interface

JPIN can use the command-line utility cacls.exe to change file permissions.[1]

Enterprise T1089 Disabling Security Tools

JPIN can lower or disable security settings by changing Registry keys.[1]

Enterprise T1083 File and Directory Discovery

JPIN can enumerate drives and their types. It can also change file permissions using cacls.exe.[1]

Enterprise T1222 File and Directory Permissions Modification

JPIN can use the command-line utility cacls.exe to change file permissions.[1]

Enterprise T1107 File Deletion

JPIN's installer/uninstaller component deletes itself if it encounters a version of Windows earlier than Windows XP or identifies security-related processes running.[1]

Enterprise T1056 Input Capture

JPIN contains a custom keylogger.[1]

Enterprise T1027 Obfuscated Files or Information

A JPIN variant uses an encrypted and compressed payload that is disguised as a bitmap within the resource section of the installer.[1]

Enterprise T1069 Permission Groups Discovery

JPIN can obtain the victim user name.[1]

Enterprise T1057 Process Discovery

JPIN can list running processes.[1]

Enterprise T1055 Process Injection

JPIN can inject content into lsass.exe to load a module.[1]

Enterprise T1012 Query Registry

JPIN can enumerate Registry keys.[1]

Enterprise T1105 Remote File Copy

JPIN can download files and upgrade itself.[1]

Enterprise T1063 Security Software Discovery

JPIN checks for the presence of certain security-related processes and deletes its installer/uninstaller component if it identifies any of them.[1]

Enterprise T1071 Standard Application Layer Protocol

JPIN can communicate over FTP and send email over SMTP.[1]

Enterprise T1082 System Information Discovery

JPIN can obtain system information such as OS version and disk space.[1]

Enterprise T1016 System Network Configuration Discovery

JPIN can obtain network information, including DNS, IP, and proxies.[1]

Enterprise T1033 System Owner/User Discovery

JPIN can obtain the victim user name.[1]

Enterprise T1007 System Service Discovery

JPIN can list running services.[1]

Groups That Use This Software

ID Name References
G0068 PLATINUM [1]

References