This detection identifies activity consistent with a variant of the JPin backdoor, which may indicate unauthorized remote access or a persistence mechanism. SOC teams should proactively hunt for this behavior to detect and mitigate early-stage compromise in their Azure Sentinel environment.
YARA Rule
rule Trojan_Win32_Plaplex
{
    meta:
        author = "Microsoft"
        description = "Variant of the JPin backdoor"
        original_sample_sha1 = "ca3bda30a3cdc15afb78e54fa1bbb9300d268d66"
        unpacked_sample_sha1 = "2fe3c80e98bbb0cf5a0c4da286cd48ec78130a24"
        activity_group = "Platinum"
        version = "1.0"
        last_modified = "2016-04-12"

    strings:
        $class_name1 = "AVCObfuscation"
        $class_name2 = "AVCSetiriControl"

    condition:
        $class_name1 and $class_name2
}
This YARA rule can be deployed in the following contexts:
This rule contains 2 string patterns in its detection logic.
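The two string patterns are combined with `and`, so a sample must contain both class names for the rule to fire, and because neither string carries the `wide` modifier, only the ASCII encoding is matched. The following Python is an added example, not code from the page or from Microsoft: it re-implements the rule's condition in plain Python so the behaviour can be checked offline without a YARA install, and adds a small triage helper that compares a buffer's SHA-1 against the two hashes listed in the rule's meta block. All sample buffers are constructed here and are not real malware.

```python
"""Exercise the Trojan_Win32_Plaplex rule logic without a yara install.

Added example (not from the original page or from Microsoft). It reproduces
the rule's `$class_name1 and $class_name2` condition in plain Python and
provides a triage helper keyed on the SHA-1 values from the rule's meta.
"""
import hashlib

# String patterns copied from the rule's `strings:` section.
RULE_STRINGS = {
    "$class_name1": b"AVCObfuscation",
    "$class_name2": b"AVCSetiriControl",
}

# SHA-1 values copied from the rule's meta block.
KNOWN_SAMPLE_SHA1 = {
    "ca3bda30a3cdc15afb78e54fa1bbb9300d268d66": "original_sample_sha1",
    "2fe3c80e98bbb0cf5a0c4da286cd48ec78130a24": "unpacked_sample_sha1",
}


def matched_strings(data: bytes) -> set:
    """Return the identifiers of the rule strings present in `data`.

    A YARA text string with no modifiers is a case-sensitive ASCII byte
    match, which a plain substring test reproduces exactly.
    """
    return {name for name, pattern in RULE_STRINGS.items() if pattern in data}


def rule_matches(data: bytes) -> bool:
    """Evaluate `$class_name1 and $class_name2`: both strings are required."""
    return matched_strings(data) == set(RULE_STRINGS)


def triage(data: bytes) -> dict:
    """Summarise what an analyst needs for a hit: hash, match status, partial hits.

    A partial hit (one string only) is reported separately so it can be
    reviewed rather than silently dropped.
    """
    sha1 = hashlib.sha1(data).hexdigest()
    hits = matched_strings(data)
    full = hits == set(RULE_STRINGS)
    return {
        "sha1": sha1,
        "known_sample": KNOWN_SAMPLE_SHA1.get(sha1),
        "rule_match": full,
        "partial": sorted(hits) if hits and not full else [],
    }


# Constructed sample buffers (not real malware):
# - SAMPLE_FULL carries both class names, as the unpacked binary would.
# - SAMPLE_PARTIAL carries only one, so the AND condition must fail.
# - SAMPLE_PACKED carries neither, illustrating that a packed on-disk file
#   may not match until the payload has been unpacked (e.g. in memory).
# - SAMPLE_WIDE carries both names UTF-16LE encoded; without the `wide`
#   modifier the rule does not match this encoding.
_HEADER = b"MZ\x90\x00" + b"\x00" * 32
SAMPLE_FULL = _HEADER + b"AVCObfuscation\x00AVCSetiriControl\x00"
SAMPLE_PARTIAL = _HEADER + b"AVCObfuscation\x00"
SAMPLE_PACKED = _HEADER + bytes(range(256))
SAMPLE_WIDE = _HEADER + "AVCObfuscation\x00AVCSetiriControl\x00".encode("utf-16-le")

if __name__ == "__main__":
    for label, buf in [
        ("full", SAMPLE_FULL),
        ("partial", SAMPLE_PARTIAL),
        ("packed", SAMPLE_PACKED),
        ("wide", SAMPLE_WIDE),
    ]:
        print(label, triage(buf))
```

Running the block prints one triage record per constructed buffer; only the `full` buffer reports `rule_match: True`, and `partial` lists `$class_name1` for the one-string case. If UTF-16 class names are a concern in your environment, that is a change to the rule's string modifiers, not to the matching code here.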
Scenario: Scheduled System Maintenance Task
Description: A legitimate system maintenance task, such as a Windows Update or disk cleanup, may use processes that resemble the JPin backdoor’s behavior.
Filter/Exclusion: Exclude processes associated with schtasks.exe or taskhost.exe running scheduled tasks with known legitimate names (e.g., Windows Update or Disk Cleanup).
Scenario: Java Application Deployment
Description: A Java-based application (e.g., Apache Tomcat, Jenkins, or Jira) may execute scripts or binaries that trigger the same network or file system activity as the JPin backdoor.
Filter/Exclusion: Exclude processes with java in the command line and associated with known application servers or CI/CD tools (e.g., tomcat, jenkins, jira).
Scenario: Admin Task for Log File Rotation
Description: An admin task, such as log file rotation using logrotate or rsyslog, may involve file system operations that match the JPin backdoor’s behavior.
Filter/Exclusion: Exclude processes related to logrotate, rsyslog, or syslog-ng that are configured for legitimate log management.
Scenario: Antivirus or EDR Scan
Description: Antivirus or EDR tools (e.g., CrowdStrike, SentinelOne, or Bitdefender) may perform file scanning or memory inspection that triggers the same detection logic as the JPin backdoor.
Filter/Exclusion: Exclude processes with known EDR/AV tool names (e.g., CrowdStrike, SentinelOne, Bitdefender) or those running under the EDR agent process name.
Scenario: Database Backup Job
Description: A database backup job using tools like `mysqld