Skip to content

Hide Navigation Hide TOC

Reaver - S0172 (65341f30-bec6-4b1d-8abf-1a5620446c29)

Reaver is a malware family that has been in the wild since at least late 2016. Reporting indicates victims have primarily been associated with the "Five Poisons," which are movements the Chinese government considers dangerous. The type of malware is rare due to its final payload being in the form of Control Panel items.(Citation: Palo Alto Reaver Nov 2017)

Cluster A Galaxy A Cluster B Galaxy B Level
Reaver - S0172 (65341f30-bec6-4b1d-8abf-1a5620446c29) Malware Control Panel - T1218.002 (4ff5d6a8-c062-4c68-a778-36fc5edd564f) Attack Pattern 1
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern Reaver - S0172 (65341f30-bec6-4b1d-8abf-1a5620446c29) Malware 1
Reaver - S0172 (65341f30-bec6-4b1d-8abf-1a5620446c29) Malware System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104) Attack Pattern 1
Reaver - S0172 (65341f30-bec6-4b1d-8abf-1a5620446c29) Malware Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern 1
Reaver - S0172 (65341f30-bec6-4b1d-8abf-1a5620446c29) Malware System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern 1
Reaver - S0172 (65341f30-bec6-4b1d-8abf-1a5620446c29) Malware Shortcut Modification - T1547.009 (4ab929c6-ee2d-4fb5-aab4-b14be2ed7179) Attack Pattern 1
Archive via Custom Method - T1560.003 (143c0cbb-a297-4142-9624-87ffc778980b) Attack Pattern Reaver - S0172 (65341f30-bec6-4b1d-8abf-1a5620446c29) Malware 1
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern Reaver - S0172 (65341f30-bec6-4b1d-8abf-1a5620446c29) Malware 1
Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) Attack Pattern Reaver - S0172 (65341f30-bec6-4b1d-8abf-1a5620446c29) Malware 1
Reaver - S0172 (65341f30-bec6-4b1d-8abf-1a5620446c29) Malware Local Storage Discovery - T1680 (f2514ae4-4e9b-4f26-a5ba-c4ae85fe93c3) Attack Pattern 1
Reaver - S0172 (65341f30-bec6-4b1d-8abf-1a5620446c29) Malware File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern 1
Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b) Attack Pattern Reaver - S0172 (65341f30-bec6-4b1d-8abf-1a5620446c29) Malware 1
Reaver - S0172 (65341f30-bec6-4b1d-8abf-1a5620446c29) Malware Reaver (826c31ca-2617-47e4-b236-205da3881182) Malpedia 1
Reaver - S0172 (65341f30-bec6-4b1d-8abf-1a5620446c29) Malware System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern 1
Reaver - S0172 (65341f30-bec6-4b1d-8abf-1a5620446c29) Malware Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896) Attack Pattern 1
System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern Control Panel - T1218.002 (4ff5d6a8-c062-4c68-a778-36fc5edd564f) Attack Pattern 2
Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) Attack Pattern Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern 2
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) Attack Pattern 2
Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) Attack Pattern Shortcut Modification - T1547.009 (4ab929c6-ee2d-4fb5-aab4-b14be2ed7179) Attack Pattern 2
Archive via Custom Method - T1560.003 (143c0cbb-a297-4142-9624-87ffc778980b) Attack Pattern Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a) Attack Pattern 2
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5) Attack Pattern 2
Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) Attack Pattern Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 2
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern 2