Refs:
- https://threatpost.com/mount-locker-ransomware-changes-tactics/165559/
- https://chuongdong.com/reverse%20engineering/2021/05/23/MountLockerRansomware/
- https://github.com/Finch4/Malware-Analysis-Reports/tree/master/MountLocker
- Parse the RecoveryManual.html content in memory and fill in %CLIENT_ID%:
// Generate CLIENT_ID
//
// Decompiler (Hex-Rays style) output of the routine that substitutes the
// %CLIENT_ID% placeholder in the in-memory ransom note buffer
// (psz_recovery_manual_ransom_note). The outer loop re-runs StrStrIA from the
// start of the buffer after every substitution, so every occurrence of the
// placeholder is processed; it ends once no occurrence is found any more.
// Each substitution writes 64 bytes in place starting at the placeholder:
//   bytes  0..31 : the 32-byte constant g_str_879538e20b82e80052dd5f7ef9ad5077
//   bytes 32..63 : szComputerName[0..15] hex-encoded (two ASCII chars per byte)
// The placeholder literal "%CLIENT_ID%" is only 11 bytes, so the bytes that
// follow it in the template are overwritten as well (presumably the template
// pads the placeholder for this — TODO confirm against the HTML template).
for ( client_id_pos = StrStrIA(psz_recovery_manual_ransom_note, "%CLIENT_ID%");
      client_id_pos;
      client_id_pos = StrStrIA(psz_recovery_manual_ransom_note, "%CLIENT_ID%") )
{
    cnt = 32i64;
    client_id_str = g_str_879538e20b82e80052dd5f7ef9ad5077;
    // replace %CLIENT_ID% with the generated client_id.
    // First 32 bytes: the constant "879538e20b82e80052dd5f7ef9ad5077" (copied below).
    // Remaining 32 bytes: NOT a random value as one might assume — the second
    // loop below hex-encodes the first 16 bytes of szComputerName.
    do
    {
        // Decompiler artifact: client_id_str == g_str + i here, so the index
        // expression resolves to client_id_pos[i] = g_str[i]; i.e. a plain
        // 32-byte copy of the constant over the placeholder position.
        client_id_str[client_id_pos - g_str_879538e20b82e80052dd5f7ef9ad5077] = *client_id_str;
        ++client_id_str;
        --cnt;
    }
    while ( cnt );
    // Second half: 16 input bytes -> 32 hex chars, written right after the constant.
    ptr_curr_pos = client_id_pos + 32;
    for ( j = 0i64; j < 16; ++j )
    {
        // high nibble first, then low nibble; lookup table is "0123456789abcdef"
        *ptr_curr_pos = str_0123456789abcdef[(unsigned __int64)(unsigned __int8)szComputerName[j] >> 4];
        ptr_next_pos = ptr_curr_pos + 1;
        ch_ = szComputerName[j];
        *ptr_next_pos = str_0123456789abcdef[ch_ & 0xF];
        ptr_curr_pos = ptr_next_pos + 1;
    }
    // IR note: because this half is deterministic, hex-decoding the last 32
    // characters of a CLIENT_ID recovered from a dropped note yields the 16
    // bytes of szComputerName used on that host (the variable name suggests
    // the computer name — verify what the caller actually stores there).
}