Cannon is a Trojan with variants written in C# and Delphi. It was first observed in April 2018. [1][2]

ID: S0351
Platforms: Windows

Version: 1.0

Techniques Used

EnterpriseT1041Exfiltration Over Command and Control ChannelCannon exfiltrates collected data over email via SMTP/S and POP3/S C2 channels.[1]
EnterpriseT1083File and Directory DiscoveryCannon can obtain victim drive information as well as a list of folders in C:\Program Files.[1]
EnterpriseT1057Process DiscoveryCannon can obtain a list of processes running on the system.[1][2]
EnterpriseT1105Remote File CopyCannon can download a payload for execution.[1]
EnterpriseT1113Screen CaptureCannon can take a screenshot of the desktop.[1]
EnterpriseT1071Standard Application Layer ProtocolCannon uses SMTP/S and POP3/S for C2 communications by sending and receiving emails.[1]
EnterpriseT1082System Information DiscoveryCannon can gather system information from the victim’s machine such as the OS version, machine name, and drive information.[1][2]
EnterpriseT1033System Owner/User DiscoveryCannon can gather the username from the system.[1]
EnterpriseT1124System Time DiscoveryCannon can collect the current time zone information from the victim’s machine.[1]
EnterpriseT1065Uncommonly Used PortCannon uses port 587 for C2.[1]
EnterpriseT1004Winlogon Helper DLLCannon adds the Registry key HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon to establish persistence.[1]


Groups that use this software: