S0351 Cannon
Cannon is a Trojan with variants written in C# and Delphi. It was first observed in April 2018. 12
| Item | Value |
|---|---|
| ID | S0351 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.1 |
| Created | 30 January 2019 |
| Last Modified | 30 March 2020 |
| Navigation Layer | View In ATT&CK® Navigator |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.003 | Mail Protocols | Cannon uses SMTP/S and POP3/S for C2 communications by sending and receiving emails.1 |
| enterprise | T1547 | Boot or Logon Autostart Execution | - |
| enterprise | T1547.004 | Winlogon Helper DLL | Cannon adds the Registry key HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon to establish persistence.1 |
| enterprise | T1041 | Exfiltration Over C2 Channel | Cannon exfiltrates collected data over email via SMTP/S and POP3/S C2 channels.1 |
| enterprise | T1083 | File and Directory Discovery | Cannon can obtain victim drive information as well as a list of folders in C:\Program Files.1 |
| enterprise | T1105 | Ingress Tool Transfer | Cannon can download a payload for execution.1 |
| enterprise | T1057 | Process Discovery | Cannon can obtain a list of processes running on the system.12 |
| enterprise | T1113 | Screen Capture | Cannon can take a screenshot of the desktop.1 |
| enterprise | T1082 | System Information Discovery | Cannon can gather system information from the victim’s machine such as the OS version, machine name, and drive information.12 |
| enterprise | T1033 | System Owner/User Discovery | Cannon can gather the username from the system.1 |
| enterprise | T1124 | System Time Discovery | Cannon can collect the current time zone information from the victim’s machine.1 |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0007 | APT28 | 12 |