Skip to content

S0067 pngdowner

pngdowner is malware used by Putter Panda. It is a simple tool with limited functionality and no persistence mechanism, suggesting it is used only as a simple “download-and- execute” utility. 1

Item Value
ID S0067
Associated Names
Type MALWARE
Version 1.1
Created 31 May 2017
Last Modified 30 March 2020
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols pngdowner uses HTTP for command and control.1
enterprise T1070 Indicator Removal on Host -
enterprise T1070.004 File Deletion pngdowner deletes content from C2 communications that was saved to the user’s temporary directory.1
enterprise T1552 Unsecured Credentials -
enterprise T1552.001 Credentials In Files If an initial connectivity check fails, pngdowner attempts to extract proxy details and credentials from Windows Protected Storage and from the IE Credentials Store. This allows the adversary to use the proxy credentials for subsequent requests if they enable outbound HTTP access.1

Groups That Use This Software

ID Name References
G0024 Putter Panda 1

References

Back to top