ATT&CK v16 has been released! Check out the blog post for more information.

DownPaper

DownPaper is a backdoor Trojan; its main functionality is to download and run second stage malware. ^[1]

ID: S0186

ⓘ

Type: MALWARE

ⓘ

Platforms: Windows

Version: 1.1

Created: 16 January 2018

Last Modified: 30 March 2020

Version Permalink

Live Version

Techniques Used

Domain	ID		Name	Use
Enterprise	T1071	.001	Application Layer Protocol: Web Protocols	DownPaper communicates to its C2 server over HTTP.^[1]
Enterprise	T1547	.001	Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder	DownPaper uses PowerShell to add a Registry Run key in order to establish persistence.^[1]
Enterprise	T1059	.001	Command and Scripting Interpreter: PowerShell	DownPaper uses PowerShell for execution.^[1]
		.003	Command and Scripting Interpreter: Windows Command Shell	DownPaper uses the command line.^[1]
Enterprise	T1012		Query Registry	DownPaper searches and reads the value of the Windows Update Registry Run key.^[1]
Enterprise	T1082		System Information Discovery	DownPaper collects the victim host name and serial number, and then sends the information to the C2 server.^[1]
Enterprise	T1033		System Owner/User Discovery	DownPaper collects the victim username and sends it to the C2 server.^[1]

Groups That Use This Software

ID	Name	References
G0059	Magic Hound	^[1]

References

ClearSky Cyber Security. (2017, December). Charming Kitten. Retrieved December 27, 2017.