DoNex is a new Windows-based ransomware family that performs local and network file discovery, stops interfering services/processes, encrypts data with salsa20/chacha20, clears event logs, and forces a reboot. Analysis and a YARA rule for the sample (SHA256 0adde4246…) were published by ShadowStackRe. #DoNex #ShadowStackRe

Keypoints

  • Encrypts local and network files using salsa20/chacha20 ciphers.
  • Performs file and directory discovery with FindFirstFile/FindNextFile and enumerates network shares via WNetOpenEnum/WNetEnumResource.
  • Stops services and terminates processes (using OpenSCManager/OpenService/ControlService and OpenProcess/TerminateProcess) to free files for encryption.
  • Uses multiple threads (task killer, service manager, file walker, encryption) synchronized via semaphores and CreateThread/WaitForSingleObject.
  • Pre-encryption setup includes a mutex (‘CheckMutex’), WoW64 detection and disabling of redirection, and acquiring a cryptographic context with CryptAcquireContextA/CryptGenRandom.
  • Removes recovery traces: deletes all recycle bin files across drives and clears Windows event logs (application, system, security) before rebooting.
  • Drops a ransom note named ReadMe.<VictimID>.txt and leaves observable artifacts on disk (C:\ProgramData\1.bat, C:\ProgramData\icon.ico) that can serve as file-path indicators alongside the YARA rule.

MITRE Techniques

  • [T1059.003] Command and Scripting Interpreter: Windows Command Shell – used to run a dropped batch file via WinExec to invoke cmd (‘Attempts to setup a new bat file, and execute it via the ‘WinExec’ function. This will invoke the ‘cmd’ shell to run the bat file.’).
  • [T1083] File and Directory Discovery – uses FindFirstFile/FindNextFile to enumerate files and build an encryption list (‘the ‘FindFirstFile’ and ‘FindNextFile’ function call to obtain a handle to a file and iterate from the top of the logical disk to all files.’).
  • [T1135] Network Share Discovery – enumerates network shares via WNetOpenEnum and WNetEnumResource to find remote files (‘make use of the ‘WNetOpenEnum’ and ‘WNetEnumResource’ to enumerate network shares, which can be used to discover files.’).
  • [T1486] Data Encrypted for Impact – encrypts discovered files using stream ciphers (salsa20/chacha20) (‘Data is encrypted with salsa20/chacha20.’).
  • [T1070.001] Clear Windows Event Logs – removes traces by opening and clearing event logs (application, system, security) (‘clear the event logs by first getting a handle via the ‘OpenEventLog’ and clearing the logs via the ‘ClearEventLog’ functions and target the ‘application’, ‘system’ and ‘security’ logs.’).
  • [T1490] Inhibit System Recovery – deletes recycle bin contents across drives to reduce recovery options (‘will delete all files in all recycle bins across each drive without a confirmation dialog box.’).
  • [T1489] Service Stop (Impact) – stops services that could block encryption by using OpenSCManager/OpenService/QueryServiceStatusEx and ControlService (‘calling the ‘OpenService’ and ‘QueryServiceStatusEx’ functions … continue on to stop the service via the ‘ControlService’ function passing in a new state of ‘SERVICE_CONTROL_STOP’.’).

Indicators of Compromise

  • [File Hash] Sample build – 0adde4246aaa9fb3964d1d6cf3c29b1b13074015b250eb8e5591339f92e1e3ca
  • [File path] Dropped artifacts and scripts – C:\ProgramData\1.bat, C:\ProgramData\icon.ico
  • [Filename pattern] Ransom note pattern – ReadMe.<VictimID>.txt
  • [Mutex / Strings] In-memory/static strings used by malware – ‘CheckMutex’, ‘encryption_thread’, ‘walk_thread’ (also present in YARA rule)
  • [YARA] Detection rule reference – ShadowStackRe YARA rule (contains above strings and hash)

The encryptor’s runtime begins by hiding its console window and enforcing a single instance via a mutex named ‘CheckMutex’. It resolves and calls IsWow64Process and may disable WoW64 file system redirection to ensure commands run in the correct environment, then acquires a cryptographic context using legacy APIs (CryptAcquireContextA, CryptGenRandom). The sample updates the registry DefaultIcon to ‘C:\ProgramData\icon.ico’ and deletes all recycle bin contents across drives.

Execution spawns multiple threads: a TaskKiller thread that drops and runs a .bat via WinExec/cmd to kill interfering processes; a Service Manager thread that opens the local service manager (OpenSCManager), queries services (OpenService, QueryServiceStatusEx) and sends SERVICE_CONTROL_STOP via ControlService for targeted services (e.g., database and office-related services); a File Walker that enumerates local drives (GetLogicalDriveStrings, GetDriveType) and files (FindFirstFile/FindNextFile) and enumerates network shares (WNetOpenEnum/WNetEnumResource) to build an encryption list while honoring built-in allow/deny lists.

Before encrypting each file, the encryptor uses the Windows Restart Manager (RmStartSession, RmGetList) to identify and terminate locking processes (OpenProcess, TerminateProcess). Files are encrypted using salsa20/chacha20. Prior to exit it clears Windows event logs (OpenEventLog, ClearEventLog for Application/System/Security), removes the local batch file (C:\ProgramData\1.bat), and forces an immediate reboot using shutdown -r -f -t. Clearing the logs is itself loud: the Security log records event 1102 and the other channels record System event 104 as the first entry after the wipe, and anything already forwarded to a collector is unaffected. A ransom note is left as ReadMe.<VictimID>.txt, and a YARA rule and sample hash are provided for detection.
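The following is an added detection example, not code from the ShadowStackRe analysis or from the malware. It correlates the behaviours described in the two paragraphs above (cmd running the dropped C:\ProgramData\1.bat, the ransom-note drop, the log wipe, the forced shutdown -r -f -t) across forwarded Windows telemetry. The event records are constructed here in a simplified dict shape that mirrors the fields Sysmon EID 1/11 and Security 4688/1102 and System 104 expose; the host/timestamp field names, the alphanumeric VictimID pattern, and the 10-minute correlation window are assumptions.

```python
"""Correlate DoNex-style behaviour across Windows event records (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Ransom note pattern from the analysis is ReadMe.<VictimID>.txt.
# Assumption: VictimID is alphanumeric; widen the class if real notes differ.
RANSOM_NOTE_RE = re.compile(r"^ReadMe\.[A-Za-z0-9]+\.txt$", re.IGNORECASE)
DROPPED_BATCH = r"c:\programdata\1.bat"           # from the IOC list
DROPPED_ARTIFACTS = {DROPPED_BATCH, r"c:\programdata\icon.ico"}


def is_ransom_note(filename: str) -> bool:
    """True for names like ReadMe.ABC123.txt (path components already stripped)."""
    return bool(RANSOM_NOTE_RE.match(filename))


def classify_event(ev: dict) -> Optional[str]:
    """Map one event to a stage of the chain, or None if it is not relevant."""
    ch, eid, d = ev["channel"], ev["event_id"], ev.get("data", {})
    if (ch, eid) in {("Sysmon", 1), ("Security", 4688)}:
        cmd = d.get("CommandLine", "").lower()
        words = cmd.split()
        if DROPPED_BATCH in cmd:
            return "batch_taskkill"          # TaskKiller thread: WinExec -> cmd -> 1.bat
        # shutdown -r -f -t ... (accept / or - switches, direct or via cmd /c)
        is_shutdown = any(w.rsplit("\\", 1)[-1] in ("shutdown", "shutdown.exe") for w in words)
        flags = {w.lstrip("-/") for w in words[1:]}
        if is_shutdown and {"r", "f", "t"} <= flags:
            return "forced_reboot"
    if (ch, eid) in {("Security", 1102), ("System", 104)}:
        return "log_cleared"                 # survives the wipe; always forwarded
    if (ch, eid) == ("Sysmon", 11):          # FileCreate
        path = d.get("TargetFilename", "")
        if path.lower() in DROPPED_ARTIFACTS:
            return "artifact_dropped"
        if is_ransom_note(path.rsplit("\\", 1)[-1]):
            return "ransom_note"
    return None


def detect_chain(events: List[dict], window: timedelta = timedelta(minutes=10),
                 min_stages: int = 3) -> Dict[str, List[str]]:
    """Alert per host when >= min_stages distinct stages fall inside one window.

    A lone 1102 (an admin clearing a log) does not fire; the batch file plus a
    ransom note plus a log wipe on the same host within ten minutes does.
    """
    hits = defaultdict(list)
    for ev in events:
        stage = classify_event(ev)
        if stage:
            hits[ev["host"]].append((datetime.fromisoformat(ev["ts"]), stage))
    alerts: Dict[str, List[str]] = {}
    for host, items in hits.items():
        items.sort()
        for i, (t0, _) in enumerate(items):              # slide the window over sorted hits
            stages = {s for t, s in items[i:] if t - t0 <= window}
            if len(stages) >= min_stages:
                alerts[host] = sorted(stages)
                break
    return alerts


# Constructed sample telemetry (not real logs): ws01 shows the chain, ws02 is benign.
SAMPLE_EVENTS = [
    {"host": "ws01", "ts": "2024-03-01T12:00:05", "channel": "Sysmon", "event_id": 1,
     "data": {"Image": r"C:\Windows\System32\cmd.exe",
              "CommandLine": r"cmd.exe /c C:\ProgramData\1.bat"}},
    {"host": "ws01", "ts": "2024-03-01T12:03:00", "channel": "Sysmon", "event_id": 11,
     "data": {"TargetFilename": r"C:\Users\alice\Documents\ReadMe.ABC123.txt"}},
    {"host": "ws01", "ts": "2024-03-01T12:04:00", "channel": "Security", "event_id": 1102,
     "data": {"SubjectUserName": "alice"}},
    {"host": "ws01", "ts": "2024-03-01T12:04:10", "channel": "Sysmon", "event_id": 1,
     "data": {"Image": r"C:\Windows\System32\shutdown.exe",
              "CommandLine": "shutdown -r -f -t 0"}},
    {"host": "ws02", "ts": "2024-03-01T12:10:00", "channel": "Security", "event_id": 1102,
     "data": {"SubjectUserName": "admin"}},
]


def run_example() -> Dict[str, List[str]]:
    return detect_chain(SAMPLE_EVENTS)


if __name__ == "__main__":
    for host, stages in run_example().items():
        print(f"ALERT {host}: {', '.join(stages)}")
```

Feed it the same fields from your SIEM export and tune min_stages to taste; the batch path, the note pattern and the log-clear events are each cheap on their own and only become high-confidence once they co-occur on one host.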

Read more: https://www.shadowstackre.com/analysis/donex