S0186 DownPaper
DownPaper is a backdoor Trojan; its main functionality is to download and run second-stage malware. [1]
Item | Value |
---|---|
ID | S0186 |
Associated Names | |
Type | MALWARE |
Version | 1.1 |
Created | 16 January 2018 |
Last Modified | 30 March 2020 |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1071 | Application Layer Protocol | - |
enterprise | T1071.001 | Web Protocols | DownPaper communicates to its C2 server over HTTP. [1] |
enterprise | T1547 | Boot or Logon Autostart Execution | - |
enterprise | T1547.001 | Registry Run Keys / Startup Folder | DownPaper uses PowerShell to add a Registry Run key in order to establish persistence. [1] |
enterprise | T1059 | Command and Scripting Interpreter | - |
enterprise | T1059.001 | PowerShell | DownPaper uses PowerShell for execution. [1] |
enterprise | T1059.003 | Windows Command Shell | DownPaper uses the command line. [1] |
enterprise | T1012 | Query Registry | DownPaper searches and reads the value of the Windows Update Registry Run key. [1] |
enterprise | T1082 | System Information Discovery | DownPaper collects the victim host name and serial number, and then sends the information to the C2 server. [1] |
enterprise | T1033 | System Owner/User Discovery | DownPaper collects the victim username and sends it to the C2 server. [1] |
Groups That Use This Software
ID | Name | References |
---|---|---|
G0059 | Magic Hound | [1] |