DownPaper is a backdoor Trojan; its main functionality is to download and run second stage malware. [1]

ID: S0186
Platforms: Windows

Version: 1.0

Techniques Used

Domain      ID     Name                                    Use
Enterprise  T1059  Command-Line Interface                  DownPaper uses the command line. [1]
Enterprise  T1086  PowerShell                              DownPaper uses PowerShell for execution. [1]
Enterprise  T1012  Query Registry                          DownPaper searches for and reads the value of the Windows Update Registry Run key. [1]
Enterprise  T1060  Registry Run Keys / Startup Folder      DownPaper uses PowerShell to add a Registry Run key in order to establish persistence. [1]
Enterprise  T1071  Standard Application Layer Protocol     DownPaper communicates with its C2 server over HTTP. [1]
Enterprise  T1082  System Information Discovery            DownPaper collects the victim host name and serial number, then sends the information to the C2 server. [1]
Enterprise  T1033  System Owner/User Discovery             DownPaper collects the victim username and sends it to the C2 server. [1]
Groups that use this software:

Charming Kitten