modiloader | 0899f8e27603d59e65f1062cee9cb7cd_JaffaCakes118 | Triage

Sharing

General

Target

0899f8e27603d59e65f1062cee9cb7cd_JaffaCakes118
Size

46KB
MD5

0899f8e27603d59e65f1062cee9cb7cd
SHA1

385f5edc96285869789a17c650df1a1cca5ceee9
SHA256

f4695d4e112b1edfcca6c908d9e05312ad730af4299370fd67012efd8ed423f7
SHA512

311a21737f0e458c3df07db6763a68b675a55975b76e58c2b958659a5104f3bc234b3c5fd99d45885aaaf782373bd0acdb76def05e422f02590be1d8725dc26d
SSDEEP

768:V88t3HdfNSvuh0ZHQRZcgqYN/an6Y7vWwdPXgG3VYX:V7vYuh0ZHYZcsn4OkoeYX

Score

10^/10

modiloader

Malware Config

Signatures

ModiLoader Second Stage 1 IoCs

resource	yara_rule
sample	modiloader_stage2

Modiloader family
modiloader

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
0899f8e27603d59e65f1062cee9cb7cd_JaffaCakes118

Files

0899f8e27603d59e65f1062cee9cb7cd_JaffaCakes118
.dll regsvr32 windows:4 windows x86 arch:x86

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_BYTES_REVERSED_LO
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL
IMAGE_FILE_BYTES_REVERSED_HI

Exports

Exports

DllCanUnloadNow
DllGetClassObject
DllRegisterServer
DllUnregisterServer
JmpHookOff
JmpHookOn

Sections

CODE
Size: 35KB - Virtual size: 34KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

DATA
Size: 512B - Virtual size: 344B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

BSS
Size: - Virtual size: 2KB

IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.edata
Size: 512B - Virtual size: 202B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 3KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ