Cannon is a Trojan with variants written in C# and Delphi. It was first observed in April 2018. [1][2]

ID: S0351
Platforms: Windows
Version: 1.0

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1041 | Exfiltration Over Command and Control Channel | Cannon exfiltrates collected data over email via SMTP/S and POP3/S C2 channels. [1] |
| Enterprise | T1083 | File and Directory Discovery | Cannon can obtain victim drive information as well as a list of folders in C:\Program Files. [1] |
| Enterprise | T1057 | Process Discovery | Cannon can obtain a list of processes running on the system. [1] [2] |
| Enterprise | T1105 | Remote File Copy | Cannon can download a payload for execution. [1] |
| Enterprise | T1113 | Screen Capture | Cannon can take a screenshot of the desktop. [1] |
| Enterprise | T1071 | Standard Application Layer Protocol | Cannon uses SMTP/S and POP3/S for C2 communications by sending and receiving emails. [1] |
| Enterprise | T1082 | System Information Discovery | Cannon can gather system information from the victim’s machine such as the OS version, machine name, and drive information. [1] [2] |
| Enterprise | T1033 | System Owner/User Discovery | Cannon can gather the username from the system. [1] |
| Enterprise | T1124 | System Time Discovery | Cannon can collect the current time zone information from the victim’s machine. [1] |
| Enterprise | T1065 | Uncommonly Used Port | Cannon uses port 587 for C2. [1] |
| Enterprise | T1004 | Winlogon Helper DLL | Cannon adds the Registry key HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon to establish persistence. [1] |

Groups That Use This Software

| ID | Name | References |
|---|---|---|
| G0007 | APT28 | [1] [2] |