DownPaper is a backdoor Trojan; its main functionality is to download and run second stage malware. [1]

ID: S0186
Platforms: Windows
Version: 1.0

Techniques Used

Domain ID Name Use
Enterprise T1059 Command-Line Interface DownPaper uses the command line.[1]
Enterprise T1086 PowerShell DownPaper uses PowerShell for execution.[1]
Enterprise T1012 Query Registry DownPaper searches and reads the value of the Windows Update Registry Run key.[1]
Enterprise T1060 Registry Run Keys / Startup Folder DownPaper uses PowerShell to add a Registry Run key in order to establish persistence.[1]
Enterprise T1071 Standard Application Layer Protocol DownPaper communicates to its C2 server over HTTP.[1]
Enterprise T1082 System Information Discovery DownPaper collects the victim host name and serial number, and then sends the information to the C2 server.[1]
Enterprise T1033 System Owner/User Discovery DownPaper collects the victim username and sends it to the C2 server.[1]


Groups that use this software:

Charming Kitten