Register to stream ATT&CKcon 2.0 October 29-30


DownPaper is a backdoor Trojan; its main functionality is to download and run second stage malware. [1]

ID: S0186
Platforms: Windows
Version: 1.0

Techniques Used

Domain ID Name Use
Enterprise T1059 Command-Line Interface DownPaper uses the command line. [1]
Enterprise T1086 PowerShell DownPaper uses PowerShell for execution. [1]
Enterprise T1012 Query Registry DownPaper searches and reads the value of the Windows Update Registry Run key. [1]
Enterprise T1060 Registry Run Keys / Startup Folder DownPaper uses PowerShell to add a Registry Run key in order to establish persistence. [1]
Enterprise T1071 Standard Application Layer Protocol DownPaper communicates to its C2 server over HTTP. [1]
Enterprise T1082 System Information Discovery DownPaper collects the victim host name and serial number, and then sends the information to the C2 server. [1]
Enterprise T1033 System Owner/User Discovery DownPaper collects the victim username and sends it to the C2 server. [1]

Groups That Use This Software

ID Name References
G0058 Charming Kitten [1]