In this stream we looked at the new features from Binary Ninja Sidekick 2.0 and reverse engineered the DoNex ransomware with Binary Ninja.
Training: https://training.invokere.com/course/imbtbn
Notes: https://github.com/Invoke-RE/stream-notes/tree/main/donex-ransomware
Twitch: https://www.twitch.tv/InvokeReversing
Twitter: https://twitter.com/InvokeReversing
Mastodon: https://infosec.exchange/@invokereversing
0:00 Introduction
2:45 Reversing DoNex and Sidekick Indexing with Workbench
16:13 AI Replacing Reverse Engineering Discussion
20:12 Exploring the DoNex Crypto Functions Discovered by Sidekick
34:20 Answering Questions
40:34 Continuing DoNex Reversing
43:17 Crypto Library Identification
45:17 Decrypting & Exploring Ransomware Configuration
56:22 Continuing DoNex Reversing
1:00:36 Identifying Symmetric Encryption
1:05:32 Command Execution Functionality
1:07:32 Symmetric Key Generation
1:09:59 Icon for Encrypted Files & Base64 Identification
1:12:11 Multi-Threaded Encryption
1:18:21 Service Termination
1:20:09 Drive Enumeration
1:22:06 Network Share Enumeration
1:24:34 Anti-Forensics and Event Log Deletion
1:29:37 Process Termination and Restart Functionality
1:30:49 Wrap-Up