| Domain | ID | Name | Use |
| --- | --- | --- | --- |
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.002 | File Transfer Protocols | JPIN can communicate over FTP. |
| enterprise | T1071.003 | Mail Protocols | JPIN can send email over SMTP. |
| enterprise | T1197 | BITS Jobs | A JPIN variant downloads the backdoor payload via the BITS service. |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.003 | Windows Command Shell | JPIN can use the command-line utility cacls.exe to change file permissions. |
| enterprise | T1083 | File and Directory Discovery | JPIN can enumerate drives and their types. It can also change file permissions using cacls.exe. |
| enterprise | T1222 | File and Directory Permissions Modification | - |
| enterprise | T1222.001 | Windows File and Directory Permissions Modification | JPIN can use the command-line utility cacls.exe to change file permissions. |
| enterprise | T1562 | Impair Defenses | - |
| enterprise | T1562.001 | Disable or Modify Tools | JPIN can lower security settings by changing Registry keys. |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.004 | File Deletion | JPIN's installer/uninstaller component deletes itself if it encounters a version of Windows earlier than Windows XP or identifies security-related processes running. |
| enterprise | T1105 | Ingress Tool Transfer | JPIN can download files and upgrade itself. |
| enterprise | T1056 | Input Capture | - |
| enterprise | T1056.001 | Keylogging | JPIN contains a custom keylogger. |
| enterprise | T1027 | Obfuscated Files or Information | A JPIN variant uses an encrypted and compressed payload that is disguised as a bitmap within the resource section of the installer. |
| enterprise | T1069 | Permission Groups Discovery | - |
| enterprise | T1069.001 | Local Groups | JPIN can obtain the permissions of the victim user. |
| enterprise | T1057 | Process Discovery | JPIN can list running processes. |
| enterprise | T1055 | Process Injection | JPIN can inject content into lsass.exe to load a module. |
| enterprise | T1012 | Query Registry | JPIN can enumerate Registry keys. |
| enterprise | T1518 | Software Discovery | - |
| enterprise | T1518.001 | Security Software Discovery | JPIN checks for the presence of certain security-related processes and deletes its installer/uninstaller component if it identifies any of them. |
| enterprise | T1082 | System Information Discovery | JPIN can obtain system information such as OS version and disk space. |
| enterprise | T1016 | System Network Configuration Discovery | JPIN can obtain network information, including DNS, IP, and proxies. |
| enterprise | T1033 | System Owner/User Discovery | JPIN can obtain the victim user name. |
| enterprise | T1007 | System Service Discovery | JPIN can list running services. |