The sub-techniques beta is now live! Read the release blog post for more info.


Cannon is a Trojan with variants written in C# and Delphi. It was first observed in April 2018. [1][2]

ID: S0351
Platforms: Windows
Version: 1.0
Created: 30 January 2019
Last Modified: 22 April 2019

Techniques Used

Domain ID Name Use
Enterprise T1041 Exfiltration Over Command and Control Channel

Cannon exfiltrates collected data over email via SMTP/S and POP3/S C2 channels.[1]

Enterprise T1083 File and Directory Discovery

Cannon can obtain victim drive information as well as a list of folders in C:\Program Files.[1]

Enterprise T1057 Process Discovery

Cannon can obtain a list of processes running on the system.[1][2]

Enterprise T1105 Remote File Copy

Cannon can download a payload for execution.[1]

Enterprise T1113 Screen Capture

Cannon can take a screenshot of the desktop.[1]

Enterprise T1071 Standard Application Layer Protocol

Cannon uses SMTP/S and POP3/S for C2 communications by sending and receiving emails.[1]

Enterprise T1082 System Information Discovery

Cannon can gather system information from the victim’s machine such as the OS version, machine name, and drive information.[1][2]

Enterprise T1033 System Owner/User Discovery

Cannon can gather the username from the system.[1]

Enterprise T1124 System Time Discovery

Cannon can collect the current time zone information from the victim’s machine.[1]

Enterprise T1065 Uncommonly Used Port

Cannon uses port 587 for C2.[1]

Enterprise T1004 Winlogon Helper DLL

Cannon adds the Registry key HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon to establish persistence.[1]

Groups That Use This Software

ID Name References
G0007 APT28 [1] [2]