The JPin backdoor detection rule identifies potential adversary persistence by leveraging Java-based persistence mechanisms, which may indicate unauthorized long-term access to a system. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate stealthy, persistent threats that evade traditional detection methods.
YARA Rule
rule Trojan_Win32_Plapiio
{
    meta:
        author = "Microsoft"
        description = "JPin backdoor"
        original_sample_sha1 = "3119de80088c52bd8097394092847cd984606c88"
        unpacked_sample_sha1 = "3acb8fe2a5eb3478b4553907a571b6614eb5455c"
        activity_group = "Platinum"
        version = "1.0"
        last_modified = "2016-04-12"

    strings:
        $str1 = "ServiceMain"
        $str2 = "Startup"
        $str3 = {C6 45 ?? 68 C6 45 ?? 4D C6 45 ?? 53 C6 45 ?? 56 C6 45 ?? 6D C6 45 ?? 6D}

    condition:
        $str1 and $str2 and $str3
}
This rule contains 3 string patterns in its detection logic: two plain ASCII strings ($str1, $str2) and one hex pattern with single-byte wildcards ($str3); all three must be present for the rule to fire. The scenarios below describe benign activity that may resemble a hit, with suggested filters or exclusions.
Scenario: Scheduled system maintenance using jps or jstat
Description: A system administrator runs jps or jstat as part of routine Java process monitoring.
Filter/Exclusion: Check for command-line arguments or process owner (user.name == "admin" or process.parent.name == "systemd") and exclude known monitoring tools.
Scenario: Java-based backup tool execution
Description: A legitimate backup tool (e.g., Veeam, Commvault, or Dell EMC Data Domain) uses Java components and may trigger the rule due to similar process names.
Filter/Exclusion: Exclude processes where process.name matches known backup tools or check for presence of specific configuration files in the working directory.
Scenario: Java application deployment using jps for process verification
Description: A DevOps engineer uses jps to verify that a Java application (e.g., Spring Boot, Apache Kafka, or Jenkins) is running correctly after deployment.
Filter/Exclusion: Exclude processes where process.name matches known application names or check for presence of deployment scripts in the execution path.
Scenario: Java-based logging or monitoring tool (e.g., Log4j, ELK Stack) running in the background
Description: A logging or monitoring tool (e.g., Log4j, Kibana, or Grafana) may have Java components that trigger the rule.
Filter/Exclusion: Exclude processes where process.name matches known logging or monitoring tools or check for presence of specific log directories or configuration files.
Scenario: Java-based scheduled job (e.g., cron, Windows Task Scheduler) running a legitimate script
Description: A scheduled job (e.g., `