
S0351 Cannon

Cannon is a Trojan with variants written in C# and Delphi. It was first observed in April 2018.[1][2]

| Item | Value |
|---|---|
| ID | S0351 |
| Associated Names | |
| Version | 1.1 |
| Created | 30 January 2019 |
| Last Modified | 30 March 2020 |
| Navigation Layer | View In ATT&CK® Navigator |

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.003 | Mail Protocols | Cannon uses SMTP/S and POP3/S for C2 communications by sending and receiving emails.[1] |
| enterprise | T1547 | Boot or Logon Autostart Execution | - |
| enterprise | T1547.004 | Winlogon Helper DLL | Cannon adds the Registry key HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon to establish persistence.[1] |
| enterprise | T1041 | Exfiltration Over C2 Channel | Cannon exfiltrates collected data over email via SMTP/S and POP3/S C2 channels.[1] |
| enterprise | T1083 | File and Directory Discovery | Cannon can obtain victim drive information as well as a list of folders in C:\Program Files.[1] |
| enterprise | T1105 | Ingress Tool Transfer | Cannon can download a payload for execution.[1] |
| enterprise | T1057 | Process Discovery | Cannon can obtain a list of processes running on the system.[1][2] |
| enterprise | T1113 | Screen Capture | Cannon can take a screenshot of the desktop.[1] |
| enterprise | T1082 | System Information Discovery | Cannon can gather system information from the victim’s machine such as the OS version, machine name, and drive information.[1][2] |
| enterprise | T1033 | System Owner/User Discovery | Cannon can gather the username from the system.[1] |
| enterprise | T1124 | System Time Discovery | Cannon can collect the current time zone information from the victim’s machine.[1] |

Groups That Use This Software

| ID | Name | References |
|---|---|---|
| G0007 | APT28 | [1][2] |