DoNex is a LockBit-inspired ransomware group that emerged after Darkrace, adopting leaked LockBit tooling and a similar deployment flow. The post analyzes the DoNex binary, detailing its steps from initial checks and token-based admin verification to local and network share encryption, ransom note deployment, and cleanup. #DoNex #Darkrace
Keypoints
- DoNex appears as a LockBit-derived clone that follows Darkrace’s lineage and leverages the leaked LockBit builder.
- The sample is 32-bit, not packed, and compiled with Microsoft Visual C/C++; DIE and Binary Ninja are used to analyze it.
- It hides its console window, uses a mutex to ensure a single instance, and retrieves the process token to inspect user identity and admin rights.
- It disables WOW64 file system redirection to access system files and prepares cryptographic context for encryption.
- Icon dropping and registry modification are used to mark encrypted files with a custom icon, and recycle bins are wiped.
- The malware encrypts local drives and reachable network shares, drops a ransom note, clears logs, and initiates a hard restart.
MITRE Techniques
- [T1564.003] Hide Artifacts: Hidden Window – The binary hides its attached console window by getting a handle to the window with FindWindowA and setting visibility to hidden via ShowWindow(…SW_HIDE…); this is a hidden window, not a hidden file or directory (T1564.001). – “the main function starts by getting a handle to the attached console window with ‘FindWindowA’, and setting the visibility to hidden by calling ‘ShowWindow’ and passing ‘SW_HIDE’ as a parameter.”
- [T1112] Modify Registry – Drops an icon and sets it as the default icon via RegCreateKeyExA/RegSetValueExA to associate icons with encrypted files. – “create keys in the device registry through use of ‘RegCreateKeyExA’, and ‘RegSetValueExA’, to set it as the default file icon for newly encrypted files.”
- [T1083] File and Directory Discovery – Enumerates files on targeted drives with FindFirstFileW/FindNextFileW and applies a blacklist during iteration. – “Files are then iterated through using ‘FindFirstFileW’ and ‘FindNextFileW’, and checked against a file blacklist (‘checkFileBlacklist’) to avoid encrypting critical system files.”
- [T1033] System Owner/User Discovery – Uses GetTokenInformation on the process token to identify the user account tied to the token, notably the SID (T1033 covers the current user; T1087 Account Discovery is the enumeration of other accounts). – “Using the access token handle, ‘GetTokenInformation’ is called to identify the user account information tied to the token, most notably the SID.”
- [T1069.001] Permission Groups Discovery: Local Groups – Allocates the well-known administrators group SID and compares it against the token's SID with EqualSid to determine admin rights. – “the SID for the administrators group is allocated and initialized… EqualSid is called to compare the SID derived from the token information against the newly initialized SID for the administrators group.”
- [T1135] Network Share Discovery – Enumerates accessible network shares via Windows Networking API and attempts connections to shares. – “Network shares are enumerated through use of the Windows Networking API (‘WNetOpenEnumW’), and connections are made to shares that are accessible by the current acting user account (‘WNetEnumResourceW’ and ‘WNetAddConnection2W’).”
- [T1486] Data Encrypted for Impact – After preparation, the malware encrypts files on disk and on network shares as part of the encryption flow. – “The encryption setup function (renamed to ‘mainEncryptSetup’) which handles … encryption is called.”
- [T1070.001] Clear Windows Event Logs – Cleans up application, system, and security event logs as part of cleanup. – “the application, system, and security event logs are erased (‘OpenEventLogA’ and ‘ClearEventLogA’).”
- [T1059.003] Command and Scripting Interpreter: Windows Command Shell – Drops and executes a batch file (1.bat) via WinExec; the ping of localhost serves as a crude sleep loop while taskkill terminates processes. – “This function (renamed to ‘batRun’) drops a looping batch file (‘1.bat’), and executes it with ‘WinExec’, which pings the localhost address, and uses ‘taskkill’ to kill processes…”
- [T1489] Service Stop – The sample connects to the service control manager and stops services via OpenSCManagerA/OpenServiceA/ControlService; the cited APIs stop services rather than execute them, so T1489 fits better than T1569.002 Service Execution. – “creates a connection to the service control manager … OpenSCManagerA, OpenServiceA, … ControlService.”
Indicators of Compromise
- [SHA-256 Hash] context – 6d6134adfdf16c8ed9513aba40845b15bd314e085ef1d6bd20040afd42e36e40, 2b15e09b98bc2835a4430c4560d3f5b25011141c9efa4331f66e9a707e2a23c0, and 1 more hash
- [SHA-256 Hash] context – d3997576cb911671279f9723b1c9505a572e1c931d39fe6e579b47ed58582731
- [File] context – C:\Users\user\Desktop\ReadMe.f58A66B51.txt, C:\Users\user\Downloads\ReadMe.f58A66B51.txt
- [Registry] context – HKEY_CLASSES_ROOT\.f58A66B51, HKEY_CLASSES_ROOT\f58A66B51file\DefaultIcon, HKEY_LOCAL_MACHINE\SOFTWARE\Classes\f58A66B51file\DefaultIcon
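The indicators above can be turned into a small triage sweep. The following Python script is an added example and is not code from the ISC diary or from the DoNex sample; it takes only the three SHA-256 hashes, the ReadMe.<victim id>.txt note name, the <victim id> file extension and the HKEY_CLASSES_ROOT\.<id> / <id>file\DefaultIcon registry shapes from the IOC list. The function names, the hex-run length used to recognise a victim id, and the constructed directory tree in demo() are this example's own assumptions.

```python
"""Triage sweep for the DoNex artefacts listed above (added example, not from
the ISC diary). Walks a directory tree for known sample hashes, ransom notes
and files carrying the victim id as their extension, and pulls the victim id
out of registry key paths such as the output of `reg query`."""
import hashlib
import os
import re
import tempfile

# The three public SHA-256 hashes from the IOC list.
DONEX_SHA256 = {
    "6d6134adfdf16c8ed9513aba40845b15bd314e085ef1d6bd20040afd42e36e40",
    "2b15e09b98bc2835a4430c4560d3f5b25011141c9efa4331f66e9a707e2a23c0",
    "d3997576cb911671279f9723b1c9505a572e1c931d39fe6e579b47ed58582731",
}

# Victim id as seen in the IOCs is a run of hex digits (f58A66B51 is 9 chars);
# the 6..16 length bound is this example's assumption, not a documented format.
NOTE_RE = re.compile(r"^ReadMe\.([0-9A-Fa-f]{6,16})\.txt$")
REG_EXT_RE = re.compile(r"\\\.([0-9A-Fa-f]{6,16})$")            # HKCR\.<id>
REG_ICON_RE = re.compile(r"\\([0-9A-Fa-f]{6,16})file\\DefaultIcon$")  # <id>file\DefaultIcon


def sha256_of(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large encrypted files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def victim_ids_from_registry(keys):
    """Extract victim ids from registry key paths matching the DoNex icon association."""
    ids = set()
    for key in keys:
        for rx in (REG_EXT_RE, REG_ICON_RE):
            m = rx.search(key.strip())
            if m:
                ids.add(m.group(1))
    return ids


def scan_tree(root, known_hashes=DONEX_SHA256, registry_keys=()):
    """Walk `root` and return known samples, ransom notes, encrypted files and victim ids."""
    findings = {"known_samples": [], "ransom_notes": [], "encrypted_files": [],
                "victim_ids": victim_ids_from_registry(registry_keys)}
    paths = []
    # First pass: hash every file and collect ransom notes (they reveal the victim id).
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            paths.append(path)
            m = NOTE_RE.match(name)
            if m:
                findings["ransom_notes"].append(path)
                findings["victim_ids"].add(m.group(1))
            try:
                if sha256_of(path) in known_hashes:
                    findings["known_samples"].append(path)
            except OSError:
                pass  # unreadable file: skip it rather than abort the sweep
    # Second pass: any file whose extension is a discovered victim id was encrypted.
    exts = {"." + vid.lower() for vid in findings["victim_ids"]}
    for path in paths:
        if os.path.splitext(path)[1].lower() in exts:
            findings["encrypted_files"].append(path)
    return findings


def demo():
    """Build a constructed victim tree (not real data) and sweep it."""
    root = tempfile.mkdtemp(prefix="donex_demo_")
    desk = os.path.join(root, "Desktop")
    os.makedirs(desk)
    with open(os.path.join(desk, "ReadMe.f58A66B51.txt"), "w") as f:
        f.write("constructed ransom note\n")
    with open(os.path.join(desk, "budget.xlsx.f58A66B51"), "wb") as f:
        f.write(b"\x00" * 64)
    with open(os.path.join(desk, "unrelated.txt"), "w") as f:
        f.write("not encrypted\n")
    # Stand-in binary: its hash is added to the watch list so the match path is exercised.
    sample = os.path.join(root, "dropper.exe")
    with open(sample, "wb") as f:
        f.write(b"constructed stand-in for a DoNex binary")
    hashes = DONEX_SHA256 | {sha256_of(sample)}
    keys = [r"HKEY_CLASSES_ROOT\.f58A66B51",
            r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\f58A66B51file\DefaultIcon"]
    return scan_tree(root, known_hashes=hashes, registry_keys=keys)


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, sorted(value))
```

Run it against a mounted victim volume by calling scan_tree() with the drive root and the output of a `reg query HKCR` export; the victim id recovered from the note or the registry is what ties the renamed files back to this infection, since the extension itself changes per victim.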
Read more: https://isc.sans.edu/diary/Slicing+up+DoNex+with+Binary+Ninja/30812/