JPIN
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1197 | BITS任务 |
A JPIN variant downloads the backdoor payload via the BITS service.[1] |
|
| Enterprise | T1059 | .003 | 命令与脚本解释器: Windows Command Shell |
JPIN can use the command-line utility cacls.exe to change file permissions.[1] |
| Enterprise | T1562 | .001 | 妨碍防御: Disable or Modify Tools |
JPIN can lower security settings by changing Registry keys.[1] |
| Enterprise | T1071 | .002 | 应用层协议: File Transfer Protocols | |
| .003 | 应用层协议: Mail Protocols | |||
| Enterprise | T1083 | 文件和目录发现 |
JPIN can enumerate drives and their types. It can also change file permissions using cacls.exe.[1] |
|
| Enterprise | T1222 | .001 | 文件和目录权限修改: Windows File and Directory Permissions Modification |
JPIN can use the command-line utility cacls.exe to change file permissions.[1] |
| Enterprise | T1069 | .001 | 权限组发现: Local Groups | |
| Enterprise | T1012 | 查询注册表 | ||
| Enterprise | T1027 | 混淆文件或信息 |
A JPIN uses a encrypted and compressed payload that is disguised as a bitmap within the resource section of the installer.[1] |
|
| Enterprise | T1070 | .004 | 移除指标: File Deletion |
JPIN's installer/uninstaller component deletes itself if it encounters a version of Windows earlier than Windows XP or identifies security-related processes running.[1] |
| Enterprise | T1082 | 系统信息发现 |
JPIN can obtain system information such as OS version and disk space.[1] |
|
| Enterprise | T1033 | 系统所有者/用户发现 | ||
| Enterprise | T1007 | 系统服务发现 | ||
| Enterprise | T1016 | 系统网络配置发现 |
JPIN can obtain network information, including DNS, IP, and proxies.[1] |
|
| Enterprise | T1518 | .001 | 软件发现: Security Software Discovery |
JPIN checks for the presence of certain security-related processes and deletes its installer/uninstaller component if it identifies any of them.[1] |
| Enterprise | T1105 | 输入工具传输 | ||
| Enterprise | T1056 | .001 | 输入捕获: Keylogging | |
| Enterprise | T1057 | 进程发现 | ||
| Enterprise | T1055 | 进程注入 | ||