JPIN is a custom-built backdoor family used by PLATINUM. Evidence suggests developers of JPIN and Dipsind code bases were related in some way. [1]

ID: S0201
Contributors: Ryan Becwar

Platforms: Windows

Version: 1.0

Techniques Used

EnterpriseT1197BITS JobsA JPIN variant downloads the backdoor payload via the BITS service.[1]
EnterpriseT1059Command-Line InterfaceJPIN can use the command-line utility cacls.exe to change file permissions.[1]
EnterpriseT1089Disabling Security ToolsJPIN lower disable security settings by changing Registry keys.[1]
EnterpriseT1083File and Directory DiscoveryJPIN can enumerate drives and their types. It can also change file permissions using cacls.exe.[1]
EnterpriseT1107File DeletionJPIN's installer/uninstaller component deletes itself if it encounters a version of Windows earlier than Windows XP or identifies security-related processes running.[1]
EnterpriseT1222File Permissions ModificationJPIN can use the command-line utility cacls.exe to change file permissions.[1]
EnterpriseT1056Input CaptureJPIN contains a custom keylogger.[1]
EnterpriseT1027Obfuscated Files or InformationA JPIN uses a encrypted and compressed payload that is disguised as a bitmap within the resource section of the installer.[1]
EnterpriseT1069Permission Groups DiscoveryJPIN can obtain the victim user name.[1]
EnterpriseT1057Process DiscoveryJPIN can list running processes.[1]
EnterpriseT1055Process InjectionJPIN can inject content into lsass.exe to load a module.[1]
EnterpriseT1012Query RegistryJPIN can enumerate Registry keys.[1]
EnterpriseT1105Remote File CopyJPIN can download files and upgrade itself.[1]
EnterpriseT1063Security Software DiscoveryJPIN checks for the presence of certain security-related processes and deletes its installer/uninstaller component if it identifies any of them.[1]
EnterpriseT1071Standard Application Layer ProtocolJPIN can communicate over FTP and send email over SMTP.[1]
EnterpriseT1082System Information DiscoveryJPIN can obtain system information such as OS version and disk space.[1]
EnterpriseT1016System Network Configuration DiscoveryJPIN can obtain network information, including DNS, IP, and proxies.[1]
EnterpriseT1033System Owner/User DiscoveryJPIN can obtain the victim user name.[1]
EnterpriseT1007System Service DiscoveryJPIN can list running services.[1]


Groups that use this software: