Skip to content

S0201 JPIN

JPIN is a custom-built backdoor family used by PLATINUM. Evidence suggests developers of JPIN and Dipsind code bases were related in some way. 1

Item Value
ID S0201
Associated Names
Type MALWARE
Version 1.1
Created 18 April 2018
Last Modified 11 August 2020
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1071 Application Layer Protocol -
enterprise T1071.002 File Transfer Protocols JPIN can communicate over FTP.1
enterprise T1071.003 Mail Protocols JPIN can send email over SMTP.1
enterprise T1197 BITS Jobs A JPIN variant downloads the backdoor payload via the BITS service.1
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.003 Windows Command Shell JPIN can use the command-line utility cacls.exe to change file permissions.1
enterprise T1083 File and Directory Discovery JPIN can enumerate drives and their types. It can also change file permissions using cacls.exe.1
enterprise T1222 File and Directory Permissions Modification -
enterprise T1222.001 Windows File and Directory Permissions Modification JPIN can use the command-line utility cacls.exe to change file permissions.1
enterprise T1562 Impair Defenses -
enterprise T1562.001 Disable or Modify Tools JPIN can lower security settings by changing Registry keys.1
enterprise T1070 Indicator Removal -
enterprise T1070.004 File Deletion JPIN‘s installer/uninstaller component deletes itself if it encounters a version of Windows earlier than Windows XP or identifies security-related processes running.1
enterprise T1105 Ingress Tool Transfer JPIN can download files and upgrade itself.1
enterprise T1056 Input Capture -
enterprise T1056.001 Keylogging JPIN contains a custom keylogger.1
enterprise T1027 Obfuscated Files or Information A JPIN uses a encrypted and compressed payload that is disguised as a bitmap within the resource section of the installer.1
enterprise T1069 Permission Groups Discovery -
enterprise T1069.001 Local Groups JPIN can obtain the permissions of the victim user.1
enterprise T1057 Process Discovery JPIN can list running processes.1
enterprise T1055 Process Injection JPIN can inject content into lsass.exe to load a module.1
enterprise T1012 Query Registry JPIN can enumerate Registry keys.1
enterprise T1518 Software Discovery -
enterprise T1518.001 Security Software Discovery JPIN checks for the presence of certain security-related processes and deletes its installer/uninstaller component if it identifies any of them.1
enterprise T1082 System Information Discovery JPIN can obtain system information such as OS version and disk space.1
enterprise T1016 System Network Configuration Discovery JPIN can obtain network information, including DNS, IP, and proxies.1
enterprise T1033 System Owner/User Discovery JPIN can obtain the victim user name.1
enterprise T1007 System Service Discovery JPIN can list running services.1

Groups That Use This Software

ID Name References
G0068 PLATINUM 1

References