win.reaver

Reaver


Reaver is a type of malware discovered by researchers at Palo Alto Networks in November 2017, but its activity dates back to at least late 2016. Researchers identified only ten unique samples of the malware, indicating limited use, and three different variants, noted as versions 1, 2, and 3. The malware is unique as its final payload masquerades as a control panel link (CPL) file. The intended targets of this activity are unknown as of this writing; however, it was used concurrently with the SunOrcal malware and the same C2 infrastructure used by threat actors who primarily target based on the "Five Poisons" - five perceived threats deemed dangerous to, and working against the interests of, the Chinese government.

References
2019-05-14 — Cylance — Cylance Research and Intelligence Team
@online{research:20190514:reaver:1c6651d, author = {Cylance Research and Intelligence Team}, title = {{Reaver: Mapping Connections Between Disparate Chinese APT Groups}}, date = {2019-05-14}, organization = {Cylance}, url = {https://threatvector.cylance.com/en_us/home/reaver-mapping-connections-between-disparate-chinese-apt-groups.html}, language = {English}, urldate = {2019-12-24} } Reaver: Mapping Connections Between Disparate Chinese APT Groups
Reaver Sparkle
2017-11-10 — Palo Alto Networks Unit 42 — Josh Grunzweig, Jen Miller-Osborn
@online{grunzweig:20171110:new:12fdedb, author = {Josh Grunzweig and Jen Miller-Osborn}, title = {{New Malware with Ties to SunOrcal Discovered}}, date = {2017-11-10}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2017/11/unit42-new-malware-with-ties-to-sunorcal-discovered/}, language = {English}, urldate = {2019-12-20} } New Malware with Ties to SunOrcal Discovered
Reaver SunOrcal
Yara Rules
[TLP:WHITE] win_reaver_auto (20230407 | Detects win.reaver.)
rule win_reaver_auto {
    // Auto-generated code-sequence signature for the win.reaver family (provenance in meta).
    // Lines marked "NOTE(review)" are reviewer annotations; all other content is the
    // yara-signator output as published.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-03-28"
        version = "1"
        description = "Detects win.reaver."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.reaver"
        malpedia_rule_date = "20230328"
        malpedia_hash = "9d2d75cef573c1c2d861f5197df8f563b05a305d"
        malpedia_version = "20230407"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // NOTE(review): the ten sequences are not independent. $sequence_0, _3, _4, _7, _8
        // and _9 are overlapping windows over one code site (an indirect call whose eax
        // result is compared with 0x514), and $sequence_1, _5 and _6 overlap around a second
        // site (push 0xf01ff ... je 0x55). Only $sequence_2 stands apart. Weight the
        // "7 of them" condition accordingly: a hit is driven by about three distinct code
        // locations, not seven independent ones.
        // NOTE(review): "ff15????????" is the encoding of an indirect call through a 32-bit
        // memory pointer (call dword ptr [imm32]). The pointer is wildcarded because it is an
        // image-base-dependent import-table address, which is presumably also why the
        // disassembly column is blank for those bytes.
        $sequence_0 = { 3d14050000 7504 33c0 c9 }
            // NOTE(review): 0x514 is 1300 decimal, the value of the Win32 error code
            // ERROR_NOT_ALL_ASSIGNED. Together with the 0xf01ff constant in $sequence_1
            // (the value of TOKEN_ALL_ACCESS) this reads like token-privilege adjustment
            // code, but that is inferred from constants only — confirm against a sample.
            // n = 4, score = 900
            //   3d14050000           | cmp                 eax, 0x514
            //   7504                 | jne                 6
            //   33c0                 | xor                 eax, eax
            //   c9                   | leave               

        $sequence_1 = { 50 68ff010f00 ff15???????? 50 ff15???????? 85c0 7453 }
            // NOTE(review): 0xf01ff equals TOKEN_ALL_ACCESS; see the note on $sequence_0.
            // n = 7, score = 900
            //   50                   | push                eax
            //   68ff010f00           | push                0xf01ff
            //   ff15????????         |                     
            //   50                   | push                eax
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   7453                 | je                  0x55

        $sequence_2 = { 85c0 7440 8b45f4 6a00 8945e8 8b45f8 }
            // NOTE(review): the only sequence that does not overlap one of the two sites
            // above; generic stack-frame bookkeeping around a test/je, so it carries the
            // least family-specific weight of the set.
            // n = 6, score = 900
            //   85c0                 | test                eax, eax
            //   7440                 | je                  0x42
            //   8b45f4               | mov                 eax, dword ptr [ebp - 0xc]
            //   6a00                 | push                0
            //   8945e8               | mov                 dword ptr [ebp - 0x18], eax
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]

        $sequence_3 = { 85c0 740d ff15???????? 3d14050000 7504 }
            // n = 5, score = 900
            //   85c0                 | test                eax, eax
            //   740d                 | je                  0xf
            //   ff15????????         |                     
            //   3d14050000           | cmp                 eax, 0x514
            //   7504                 | jne                 6

        $sequence_4 = { 3d14050000 7504 33c0 c9 c3 }
            // NOTE(review): $sequence_0 plus the trailing ret; any file matching this
            // sequence necessarily matches $sequence_0 as well.
            // n = 5, score = 900
            //   3d14050000           | cmp                 eax, 0x514
            //   7504                 | jne                 6
            //   33c0                 | xor                 eax, eax
            //   c9                   | leave               
            //   c3                   | ret                 

        $sequence_5 = { 7453 8d45f4 50 ff7508 6a00 ff15???????? }
            // n = 6, score = 900
            //   7453                 | je                  0x55
            //   8d45f4               | lea                 eax, [ebp - 0xc]
            //   50                   | push                eax
            //   ff7508               | push                dword ptr [ebp + 8]
            //   6a00                 | push                0
            //   ff15????????         |                     

        $sequence_6 = { ff15???????? 50 ff15???????? 85c0 7453 8d45f4 }
            // n = 6, score = 900
            //   ff15????????         |                     
            //   50                   | push                eax
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   7453                 | je                  0x55
            //   8d45f4               | lea                 eax, [ebp - 0xc]

        $sequence_7 = { 85c0 740d ff15???????? 3d14050000 7504 33c0 c9 }
            // NOTE(review): superset of $sequence_3 and $sequence_9 and of the bytes in
            // $sequence_0; a match here implies matches on those as well.
            // n = 7, score = 900
            //   85c0                 | test                eax, eax
            //   740d                 | je                  0xf
            //   ff15????????         |                     
            //   3d14050000           | cmp                 eax, 0x514
            //   7504                 | jne                 6
            //   33c0                 | xor                 eax, eax
            //   c9                   | leave               

        $sequence_8 = { ff15???????? 85c0 740d ff15???????? 3d14050000 }
            // n = 5, score = 900
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   740d                 | je                  0xf
            //   ff15????????         |                     
            //   3d14050000           | cmp                 eax, 0x514

        $sequence_9 = { 740d ff15???????? 3d14050000 7504 }
            // n = 4, score = 900
            //   740d                 | je                  0xf
            //   ff15????????         |                     
            //   3d14050000           | cmp                 eax, 0x514
            //   7504                 | jne                 6

    condition:
        // NOTE(review): the size bound (106496 bytes = 104 KiB) is derived from the samples
        // the rule was generated from. Per the disclaimer these were memory dumps and
        // unpacked files, so the rule targets unpacked code; a packed on-disk copy is
        // unlikely to expose these byte sequences regardless of whether it fits the bound.
        7 of them and filesize < 106496
}