JPIN

JPIN is a custom-built backdoor family used by PLATINUM. Evidence suggests developers of JPIN and Dipsind code bases were related in some way. [1]

ID: S0201
Type: MALWARE
Platforms: Windows
Contributors: Ryan Becwar
Version: 1.1
Created: 18 April 2018
Last Modified: 11 August 2020

Techniques Used

Domain ID Name Use
Enterprise T1071 .002 Application Layer Protocol: File Transfer Protocols

JPIN can communicate over FTP.[1]

.003 Application Layer Protocol: Mail Protocols

JPIN can send email over SMTP.[1]

Enterprise T1197 BITS Jobs

A JPIN variant downloads the backdoor payload via the BITS service.[1]

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

JPIN can use the command-line utility cacls.exe to change file permissions.[1]

Enterprise T1083 File and Directory Discovery

JPIN can enumerate drives and their types. It can also change file permissions using cacls.exe.[1]

Enterprise T1222 .001 File and Directory Permissions Modification: Windows File and Directory Permissions Modification

JPIN can use the command-line utility cacls.exe to change file permissions.[1]

Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

JPIN can lower security settings by changing Registry keys.[1]

Enterprise T1070 .004 Indicator Removal on Host: File Deletion

JPIN's installer/uninstaller component deletes itself if it encounters a version of Windows earlier than Windows XP or identifies security-related processes running.[1]

Enterprise T1105 Ingress Tool Transfer

JPIN can download files and upgrade itself.[1]

Enterprise T1056 .001 Input Capture: Keylogging

JPIN contains a custom keylogger.[1]

Enterprise T1027 Obfuscated Files or Information

A JPIN uses a encrypted and compressed payload that is disguised as a bitmap within the resource section of the installer.[1]

Enterprise T1069 .001 Permission Groups Discovery: Local Groups

JPIN can obtain the permissions of the victim user.[1]

Enterprise T1057 Process Discovery

JPIN can list running processes.[1]

Enterprise T1055 Process Injection

JPIN can inject content into lsass.exe to load a module.[1]

Enterprise T1012 Query Registry

JPIN can enumerate Registry keys.[1]

Enterprise T1518 .001 Software Discovery: Security Software Discovery

JPIN checks for the presence of certain security-related processes and deletes its installer/uninstaller component if it identifies any of them.[1]

Enterprise T1082 System Information Discovery

JPIN can obtain system information such as OS version and disk space.[1]

Enterprise T1016 System Network Configuration Discovery

JPIN can obtain network information, including DNS, IP, and proxies.[1]

Enterprise T1033 System Owner/User Discovery

JPIN can obtain the victim user name.[1]

Enterprise T1007 System Service Discovery

JPIN can list running services.[1]

Groups That Use This Software

ID Name References
G0068 PLATINUM

[1]

References