
pngdowner

pngdowner is malware used by Putter Panda. It is a simple tool with limited functionality and no persistence mechanism, suggesting it is used only as a simple "download-and-execute" utility. [1]

ID: S0067
Aliases: pngdowner
Type: MALWARE
Platforms: Windows

Version: 1.0

Techniques Used

Domain | ID | Name | Use
Enterprise | T1081 | Credentials in Files | If an initial connectivity check fails, pngdowner attempts to extract proxy details and credentials from Windows Protected Storage and from the IE Credentials Store. This allows the adversary to use the proxy credentials for subsequent requests if they enable outbound HTTP access. [1]
Enterprise | T1107 | File Deletion | pngdowner deletes content from C2 communications that was saved to the user's temporary directory. [1]
Enterprise | T1071 | Standard Application Layer Protocol | pngdowner uses HTTP for command and control. [1]
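The three behaviours in the table (HTTP C2, a payload written to the user's temporary directory, and deletion of that file once used) form a chain that a detection engineer can correlate per process. The following is an added example, not code from the MITRE page or from the Putter Panda tooling: it runs a simple correlation over constructed, Sysmon-like one-line events (the field layout, the HTTP ports and the sample paths are assumptions of this example, not real telemetry) and flags a process that makes a plain-HTTP connection, then creates a file under %TEMP% and deletes that same file within a short window.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample telemetry in a simplified, Sysmon-like one-line form.
# These are NOT real logs; the field layout is an assumption of this example.
# Event kinds: NetworkConnect (dst=ip:port), FileCreate / FileDelete (path=...).
SAMPLE_EVENTS = [
    r"2019-03-01T10:00:01Z NetworkConnect pid=4120 image=C:\Users\alice\AppData\Roaming\svchosts.exe dst=203.0.113.10:80",
    r"2019-03-01T10:00:02Z FileCreate pid=4120 image=C:\Users\alice\AppData\Roaming\svchosts.exe path=C:\Users\alice\AppData\Local\Temp\~df3a1.tmp",
    r"2019-03-01T10:00:02Z NetworkConnect pid=2210 image=C:\Users\alice\AppData\Local\Chrome\chrome.exe dst=198.51.100.5:80",
    r"2019-03-01T10:00:03Z FileCreate pid=2210 image=C:\Users\alice\AppData\Local\Chrome\chrome.exe path=C:\Users\alice\AppData\Local\Temp\cache1.tmp",
    r"2019-03-01T10:00:04Z FileDelete pid=4120 image=C:\Users\alice\AppData\Roaming\svchosts.exe path=C:\Users\alice\AppData\Local\Temp\~df3a1.tmp",
    r"2019-03-01T10:00:05Z FileDelete pid=3300 image=C:\Windows\System32\cleanmgr.exe path=C:\Users\alice\AppData\Local\Temp\old.log",
]

LINE_RE = re.compile(r"^(\S+) (\w+) pid=(\d+) image=(\S+) (\S+)$")
# Per-user temp directory on Windows; matched case-insensitively.
TEMP_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)
HTTP_PORTS = {80, 8080}  # assumption: plain HTTP C2 on these ports


@dataclass
class Event:
    ts: datetime
    kind: str
    pid: int
    image: str
    detail: str


def parse_event(line: str) -> Event:
    """Parse one constructed log line into an Event; raise ValueError on a malformed line."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable event: {line!r}")
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    return Event(ts, m.group(2), int(m.group(3)), m.group(4), m.group(5))


def find_download_and_delete(lines, window_seconds: float = 300.0):
    """Flag processes that (1) made an HTTP connection, then (2) created a file under
    %TEMP% and (3) deleted that same file within window_seconds of creating it.

    Returns a list of (pid, image, deleted_path) findings in event-time order.
    """
    events = sorted((parse_event(line) for line in lines), key=lambda e: e.ts)
    first_http = {}                   # pid -> timestamp of first HTTP connection
    temp_created = defaultdict(dict)  # pid -> {lowercased path: create timestamp}
    findings = []
    for e in events:
        if e.kind == "NetworkConnect":
            m = re.search(r"dst=\S+:(\d+)$", e.detail)
            if m and int(m.group(1)) in HTTP_PORTS:
                first_http.setdefault(e.pid, e.ts)
        elif e.kind == "FileCreate":
            path = e.detail.split("path=", 1)[1]
            if TEMP_RE.search(path):
                temp_created[e.pid][path.lower()] = e.ts
        elif e.kind == "FileDelete":
            path = e.detail.split("path=", 1)[1]
            created_at = temp_created[e.pid].get(path.lower())
            # Only the full chain (HTTP beforehand, create, prompt delete) is a finding;
            # a browser writing temp files or a cleanup tool deleting old ones is not.
            if (created_at is not None
                    and e.pid in first_http
                    and first_http[e.pid] <= e.ts
                    and (e.ts - created_at).total_seconds() <= window_seconds):
                findings.append((e.pid, e.image, path))
    return findings


if __name__ == "__main__":
    for pid, image, path in find_download_and_delete(SAMPLE_EVENTS):
        print(f"pid {pid} ({image}): HTTP connect, then wrote and deleted {path}")
```

On the constructed sample only pid 4120 completes the chain; chrome.exe writes a temp file over HTTP but never deletes it, and cleanmgr.exe deletes a temp file it never created and with no network activity. The window keeps the rule from firing on ordinary long-lived temp files; tune it to the dwell time you expect between download and cleanup.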

Groups

Groups that use this software:

Putter Panda

References