
DownPaper

DownPaper is a backdoor Trojan whose main functionality is to download and run second-stage malware. [1]

ID: S0186
Aliases: DownPaper
Type: MALWARE
Platforms: Windows

Version: 1.0

Alias Descriptions

Name | Description
DownPaper | [1]

Techniques Used

Domain | ID | Name | Use
Enterprise | T1059 | Command-Line Interface | DownPaper uses the command line. [1]
Enterprise | T1086 | PowerShell | DownPaper uses PowerShell for execution. [1]
Enterprise | T1012 | Query Registry | DownPaper searches for and reads the value of the Windows Update Registry Run key. [1]
Enterprise | T1060 | Registry Run Keys / Startup Folder | DownPaper uses PowerShell to add a Registry Run key in order to establish persistence. [1]
Enterprise | T1071 | Standard Application Layer Protocol | DownPaper communicates with its C2 server over HTTP. [1]
Enterprise | T1082 | System Information Discovery | DownPaper collects the victim host name and serial number, and then sends the information to the C2 server. [1]
Enterprise | T1033 | System Owner/User Discovery | DownPaper collects the victim username and sends it to the C2 server. [1]
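The persistence rows above (T1060 via PowerShell, and the Run key value the page refers to as "Windows Update") are the most directly huntable behaviour on a live host. The following hunt script is an added example for this page; it is not code from MITRE or from the DownPaper sample. It enumerates the standard Run/RunOnce keys, flags any value whose command launches PowerShell (optionally with hidden/encoded/bypass switches, which are assumed indicators, not something the page attributes to DownPaper), and separately reports any value whose name contains "Windows Update" as a low-confidence match on the page's wording. Reading HKLM keys is assumed to be permitted for the account running it.

```powershell
# Added hunt script for T1060 persistence via PowerShell. Not part of the ATT&CK
# page or of DownPaper itself; the indicator strings below are assumptions.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Assumed indicators of a PowerShell-launched Run entry (hidden/encoded/bypass
# switches are common in loader persistence; the page only states "uses PowerShell").
$indicators = @(
    'powershell', 'pwsh', '-enc', '-encodedcommand',
    '-windowstyle hidden', '-nop', '-noprofile', 'bypass',
    'iex', 'invoke-expression', 'downloadstring'
)

# Metadata properties that Get-ItemProperty adds to the returned object; skip them.
$metaProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Get-SuspiciousRunEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        foreach ($prop in $item.PSObject.Properties) {
            if ($metaProps -contains $prop.Name) { continue }
            $cmd = [string]$prop.Value

            # -match is case-insensitive by default; escape so '-' and '.' are literal.
            $hits = @($indicators | Where-Object { $cmd -match [regex]::Escape($_) })

            # Low-confidence match on the value name the page associates with DownPaper.
            if ($prop.Name -match 'Windows Update') { $hits += 'value name "Windows Update"' }

            if ($hits.Count -gt 0) {
                [pscustomobject]@{
                    Key        = $key
                    ValueName  = $prop.Name
                    Command    = $cmd
                    Indicators = ($hits -join ', ')
                }
            }
        }
    }
}

Get-SuspiciousRunEntries | Format-Table -AutoSize -Wrap
```

Any hit should be triaged together with the process that wrote the value (Sysmon Event ID 13 on these key paths, or 4657 with registry auditing enabled) and the outbound HTTP from the spawned PowerShell, which is where the T1071 and T1082/T1033 rows above would show up.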

Groups

Groups that use this software:

Charming Kitten

References