From the course: Ethical Hacking: The Complete Malware Analysis Process
Analyzing Win32.Sodin
- [Narrator] Managed service providers are a tempting target for attackers because of the trusted access they have into their client base. One form of malware being used against MSPs is the Win32.Sodin ransomware, detected in March 2019 by Kaspersky. This has some interesting features, such as the way it can execute 64-bit code as a 32-bit binary, and its use of Oracle WebLogic. A full analysis of the malware is provided by Kaspersky. Let's review it. The Sodin malware is spread through either the CVE-2019-2725 or CVE-2019-2729 vulnerabilities in Oracle's WebLogic, which allow the attacker to execute a PowerShell command to upload a dropper to the server. The dropper, when run, then installs the Sodin ransomware payload. The malware starts by escalating its privileges using the CVE-2018-8453 vulnerability. This vulnerability is what's known as a Use-After-Free attack, which takes advantage of flawed logic in the call to Windows' DestroyWindow function in Win32k.sys. By executing this…