win.reaver

Reaver


Reaver is a type of malware discovered by researchers at Palo Alto Networks in November 2017, but its activity dates back to at least late 2016. Researchers identified only ten unique samples of the malware, indicating limited use, and three different variants, noted as versions 1, 2, and 3. The malware is unique in that its final payload masquerades as a control panel link (CPL) file. The intended targets of this activity are unknown as of this writing; however, it was used concurrently with the SunOrcal malware and with the same C2 infrastructure used by threat actors who primarily target based on the "Five Poisons" - five perceived threats deemed dangerous to, and working against the interests of, the Chinese government.

References
2019-05-14 | Cylance | Cylance Research, Intelligence Team
Reaver: Mapping Connections Between Disparate Chinese APT Groups
Reaver Sparkle
2017-11-10 | Palo Alto Networks Unit 42 | Jen Miller-Osborn, Josh Grunzweig
New Malware with Ties to SunOrcal Discovered
Reaver SunOrcal
Yara Rules
[TLP:WHITE] win_reaver_auto (20230808 | Detects win.reaver.)
rule win_reaver_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.reaver."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.reaver"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* Reviewer notes on the string set below
     * - Each $sequence_N is a hex string of 32-bit x86 instruction bytes; the
     *   disassembly shown in the comments beside it is what the bytes encode.
     *   "??" is the YARA single-byte wildcard. It is used for the 4-byte
     *   absolute operand of "ff15" (call dword ptr [imm32], a call through a
     *   pointer/import table), which differs per build and therefore must not
     *   be matched literally; that is why the disassembly column is blank
     *   for those entries.
     * - Several strings are sub-sequences of other strings and so cannot
     *   match or fail independently: $sequence_2 and $sequence_3 are contained
     *   in $sequence_0, $sequence_5 in $sequence_4, $sequence_9 in
     *   $sequence_6, and $sequence_7 in $sequence_8. A file hitting only
     *   $sequence_0, $sequence_4 and $sequence_6 already counts 7 matching
     *   strings, so the "7 of them" threshold can be met by three distinct
     *   code locations rather than seven. Assign confidence accordingly.
     */

    strings:
        // call [imm32]; test result; branch; then push a stack local and [ebp+8]
        // (first argument) - the shape of an API-result check followed by the
        // next call's argument setup.
        $sequence_0 = { ff15???????? 85c0 7453 8d45f4 50 ff7508 }
            // n = 6, score = 900
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   7453                 | je                  0x55
            //   8d45f4               | lea                 eax, [ebp - 0xc]
            //   50                   | push                eax
            //   ff7508               | push                dword ptr [ebp + 8]

        // Three-argument call (local, [ebp+8], 0) followed by a zero check.
        $sequence_1 = { 50 ff7508 6a00 ff15???????? 85c0 7440 }
            // n = 6, score = 900
            //   50                   | push                eax
            //   ff7508               | push                dword ptr [ebp + 8]
            //   6a00                 | push                0
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   7440                 | je                  0x42

        // Prefix of $sequence_0 (see overlap note above).
        $sequence_2 = { ff15???????? 85c0 7453 8d45f4 }
            // n = 4, score = 900
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   7453                 | je                  0x55
            //   8d45f4               | lea                 eax, [ebp - 0xc]

        // Suffix of $sequence_0 (see overlap note above).
        $sequence_3 = { 85c0 7453 8d45f4 50 ff7508 }
            // n = 5, score = 900
            //   85c0                 | test                eax, eax
            //   7453                 | je                  0x55
            //   8d45f4               | lea                 eax, [ebp - 0xc]
            //   50                   | push                eax
            //   ff7508               | push                dword ptr [ebp + 8]

        // Zero check, then the local at [ebp-0xc] is copied to [ebp-0x18]
        // while a 0 argument is pushed for the next call.
        $sequence_4 = { 85c0 7440 8b45f4 6a00 8945e8 }
            // n = 5, score = 900
            //   85c0                 | test                eax, eax
            //   7440                 | je                  0x42
            //   8b45f4               | mov                 eax, dword ptr [ebp - 0xc]
            //   6a00                 | push                0
            //   8945e8               | mov                 dword ptr [ebp - 0x18], eax

        // Prefix of $sequence_4 (see overlap note above).
        $sequence_5 = { 85c0 7440 8b45f4 6a00 }
            // n = 4, score = 900
            //   85c0                 | test                eax, eax
            //   7440                 | je                  0x42
            //   8b45f4               | mov                 eax, dword ptr [ebp - 0xc]
            //   6a00                 | push                0

        // NOTE(review): 0x514 (decimal 1300) equals the Win32 error code
        // ERROR_NOT_ALL_ASSIGNED; a call followed by "cmp eax, 0x514" is the
        // usual shape of a GetLastError check after AdjustTokenPrivileges.
        // Inferred from the constant only - confirm against the sample.
        $sequence_6 = { 85c0 740d ff15???????? 3d14050000 7504 33c0 }
            // n = 6, score = 900
            //   85c0                 | test                eax, eax
            //   740d                 | je                  0xf
            //   ff15????????         |                     
            //   3d14050000           | cmp                 eax, 0x514
            //   7504                 | jne                 6
            //   33c0                 | xor                 eax, eax

        // Function prologue (mov ebp, esp; sub esp, 0x1c) then a call whose
        // arguments are a stack local and the constant 0xf01ff.
        // NOTE(review): 0xf01ff equals SERVICE_ALL_ACCESS, which suggests a
        // service-control API call; inferred from the constant only - confirm
        // against the sample.
        $sequence_7 = { 8bec 83ec1c 8d45fc 50 68ff010f00 }
            // n = 5, score = 900
            //   8bec                 | mov                 ebp, esp
            //   83ec1c               | sub                 esp, 0x1c
            //   8d45fc               | lea                 eax, [ebp - 4]
            //   50                   | push                eax
            //   68ff010f00           | push                0xf01ff

        // Superset of $sequence_7: same prologue and arguments plus the call
        // itself and the push of its return value (see overlap note above).
        $sequence_8 = { 8bec 83ec1c 8d45fc 50 68ff010f00 ff15???????? 50 }
            // n = 7, score = 900
            //   8bec                 | mov                 ebp, esp
            //   83ec1c               | sub                 esp, 0x1c
            //   8d45fc               | lea                 eax, [ebp - 4]
            //   50                   | push                eax
            //   68ff010f00           | push                0xf01ff
            //   ff15????????         |                     
            //   50                   | push                eax

        // Prefix of $sequence_6 (see overlap note above).
        $sequence_9 = { 85c0 740d ff15???????? 3d14050000 }
            // n = 4, score = 900
            //   85c0                 | test                eax, eax
            //   740d                 | je                  0xf
            //   ff15????????         |                     
            //   3d14050000           | cmp                 eax, 0x514

    condition:
        // "them" is every $ string above: at least 7 of the 10 must match
        // (note that the overlapping strings count separately), and the
        // scanned object must be smaller than 106496 bytes (104 KiB), which
        // restricts the rule to small files such as the unpacked payload.
        7 of them and filesize < 106496
}