DownPaper is a backdoor Trojan; its main functionality is to download and run second stage malware. [1]

ID: S0186
Platforms: Windows
Version: 1.1
Created: 16 January 2018
Last Modified: 30 March 2020

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

DownPaper communicates to its C2 server over HTTP.[1]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

DownPaper uses PowerShell to add a Registry Run key in order to establish persistence.[1]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

DownPaper uses PowerShell for execution.[1]

.003 Command and Scripting Interpreter: Windows Command Shell

DownPaper uses the command line.[1]

Enterprise T1012 Query Registry

DownPaper searches and reads the value of the Windows Update Registry Run key.[1]

Enterprise T1082 System Information Discovery

DownPaper collects the victim host name and serial number, and then sends the information to the C2 server.[1]

Enterprise T1033 System Owner/User Discovery

DownPaper collects the victim username and sends it to the C2 server.[1]

Groups That Use This Software

ID Name References
G0059 Magic Hound