1. Home
  2. Software
  3. pngdowner

pngdowner

pngdowner is malware used by Putter Panda. It is a simple tool with limited functionality and no persistence mechanism, suggesting it is used only as a simple "download-and-execute" utility. [1]

ID: S0067
Type: MALWARE
Platforms: Windows
Version: 1.1
Created: 31 May 2017
Last Modified: 30 March 2020
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 应用层协议: Web Protocols

pngdowner uses HTTP for command and control.[1]
Enterprise T1552 .001 未加密凭证: Credentials In Files

If an initial connectivity check fails, pngdowner attempts to extract proxy details and credentials from Windows Protected Storage and from the IE Credentials Store. This allows the adversary to use the proxy credentials for subsequent requests if they enable outbound HTTP access.[1]
Enterprise T1070 .004 移除指标: File Deletion

pngdowner deletes content from C2 communications that was saved to the user's temporary directory.[1]

Groups That Use This Software

ID Name References
G0024 Putter Panda

[1]

References

  1. Crowdstrike Global Intelligence Team. (2014, June 9). CrowdStrike Intelligence Report: Putter Panda. Retrieved January 22, 2016.