HackedTCNJ

A new Windows bootloader virus crafted with the source code of the infamous Petya ransomware.

Comment

PLEASE read the installation instructions at the bottom BEFORE trying out this piece of malware! We are NOT responsible for any damages to your PC after running it.

Inspiration

When we created our first piece of malware built off the Petya ransomware, we had to work with extremely limited resources, as all we had off the ransomware was the executable itself, so we had to wrap it around another executable for us to modify it in some meaningful way. In addition, we weren't able to change the message displayed during the payload so we had to do a workaround and not display a message at all.

But now that the source code for the ransomware has been released, we finally have the ability to modify the Petya ransomware and create our own piece of malware out of it.

What it does

Just like the Petya ransomware, our piece of malware erases the Windows bootloader and encrypts the PC's hard drive, along with displaying a message. The primary difference between the original Petya and our HackedTCNJ is that our malware doesn't have a master decryption key like Petya, making it difficult, if not impossible to crack. In addition, we changed Petya's color scheme from red and white to a more traditional black and green. We also put in a message explaining why a user may have been infected, as it is due to their cookie addiction.

How we built it

After finding the source code, we got down to modifying the file to our liking. We changed the payload to display the message and color scheme of our choosing, and ensured that once the payload has been run, we weren't able to decrypt it using any encryption key.

Challenges we ran into

The first issue we ran into was finding the source code of Petya itself. After quite a bit of searching, we found a Visual Studio solution that allowed us to modify the program as we wanted to. However, we had issues when compiling it, as we realized that having certain characters like apostrophes and commas in the message actually prevented the malware from running for unknown reasons. We also realized that it was not possible to make our messages too long as they would either be cut off or also prevent the payload from executing properly.

Accomplishments that we're proud of

We were extremely proud that we were able to find the source code of an infamous piece of ransomware and modify it to our liking.

What we learned

Just like how it can be easy for one to modify an open-source project to their liking, it was shockingly easy to modify a piece of malware to fit our needs. This opened our eyes to just how crucial it is to stay secure online as it is incredibly easy for many to create a destructive piece of malware.

How to run it

Copy and paste the "try it out" link into a Windows 10 VIRTUAL MACHINE and then download it. Then open up the executable titled "HackedTCNJ.exe" and wait for the payload.

Again, please run it on a VIRTUAL MACHINE, NOT REAL HARDWARE!

We also recommend disconnecting your Internet before testing to prevent the malware from potentially spreading in your network.

There are great virtualization software choices for most platforms: For Windows and Linux, we recommend VMware Workstation Player, which is free for personal use but paid for commercial: https://www.vmware.com/products/workstation-player/workstation-player-evaluation.html For an Intel-based Mac, we recommend VMware Fusion, which has a 30 day free evaluation period: https://www.vmware.com/products/fusion/fusion-evaluation.html

And for your convenience, here's a Windows 10 ISO: https://mega.nz/#!4ooymCjL!C6dyQ-9dwoq7ufUVnXww0ZbxY9mbYB6PqlW_p25aJBU To prevent possible infection of your physical system, make sure that you are creating a local account instead of a Microsoft account when setting up Windows 10.

We are NOT RESPONSIBLE if you open the malware outside of virtualization software and your PC is bricked.

-Dylan Hoppe and Steven Schiavone

Share this project:

Updates