Skip to content

S0172 Reaver

Reaver is a malware family that has been in the wild since at least late 2016. Reporting indicates victims have primarily been associated with the “Five Poisons,” which are movements the Chinese government considers dangerous. The type of malware is rare due to its final payload being in the form of Control Panel items.1

Item Value
ID S0172
Associated Names
Version 1.1
Created 16 January 2018
Last Modified 09 February 2021
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols Some Reaver variants use HTTP for C2.1
enterprise T1560 Archive Collected Data -
enterprise T1560.003 Archive via Custom Method Reaver encrypts collected data with an incremental XOR key prior to exfiltration.1
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.001 Registry Run Keys / Startup Folder Reaver creates a shortcut file and saves it in a Startup folder to establish persistence.1
enterprise T1547.009 Shortcut Modification Reaver creates a shortcut file and saves it in a Startup folder to establish persistence.1
enterprise T1543 Create or Modify System Process -
enterprise T1543.003 Windows Service Reaver installs itself as a new service.1
enterprise T1070 Indicator Removal on Host -
enterprise T1070.004 File Deletion Reaver deletes the original dropped file from the victim.1
enterprise T1095 Non-Application Layer Protocol Some Reaver variants use raw TCP for C2.1
enterprise T1027 Obfuscated Files or Information Reaver encrypts some of its files with XOR.1
enterprise T1012 Query Registry Reaver queries the Registry to determine the correct Startup path to use for persistence.1
enterprise T1218 System Binary Proxy Execution -
enterprise T1218.002 Control Panel Reaver drops and executes a malicious CPL file as its payload.1
enterprise T1082 System Information Discovery Reaver collects system information from the victim, including CPU speed, computer name, volume serial number, ANSI code page, OEM code page identifier for the OS, Microsoft Windows version, and memory information.1
enterprise T1016 System Network Configuration Discovery Reaver collects the victim’s IP address.1
enterprise T1033 System Owner/User Discovery Reaver collects the victim’s username.1


Back to top