WannaCry. Can it be configured?


#1

Is there a way to set the bitcoin wallet address and other info on WannaCry? Or perhaps a clone of it that can be configured like that? The scammers I deal with more than deserve to suffer such a worrying tool and it would be ironic justice, plus some long overdue karma to make them pay us!


#2

good question, @Steve configured MEMZ so i’m sure he can see that


#3

* Steve was summoned *

Let’s see if I can help you :smile:

Unfortunately I do not have the source code of WannaCry, so there is only a “quick and dirty”-solution:

As explained in this technical analysis of WannaCry, originally it was planned to give every infected PC a unique Bitcoin address so that their payments could be distinguished. (That didn’t happen though because of a programming error.)
WannaCry is configured to fall back to three hardcoded Bitcoin addresses:

  1. 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw
  2. 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn
  3. 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94

“Hardcoded” means that this exact string is placed somewhere in the program. So, what to do in order to change it?

  • Step 1: If not already done, download the source (e.g. from this GitHub repo, pass: infected)
  • Step 2: Download the Hex-Editor of your choice. (The one I used is HxD Hex Edit)
  • Step 3: Use the Hex-Editor and locate one of the three strings by using CTRL+F, CTRL+C, CTRL+V.


  • Step 4: Overwrite ALL OF THESE THREE ADDRESSES with your own because it is random which one of them will be used.
    THINGS TO KEEP IN MIND WHILE OVERWRITING:
    - If your desired Bitcoin address is shorter than the ones in the program, you need to fill the space to the next address with zero-byte characters (‘\0’). (Because a string is always terminated by a ‘\0’-char)
    - If the address is longer, you can’t use it. Why? Because
    - You must not extend the file size. It needs to be the same, or the program will crash (it relies on hardcoded addresses.)

  • Step 5: Save the file & Enjoy.
    Edit: It should look like this:

If there are any questions, feel free to ask!

Disclaimer

  • WannaCry is considered malware. I am not responsible if you use this on your own PC or any other PC.
  • I do not encourage any form of blackmailing / extorting money from anybody. I do think though you are old enough to decide for yourself if you want to use it. (There’s nothing worse than these people just answering to say “You are not allowed to do that!!!” )
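
For defenders, the post above means the payment addresses are plain NUL-terminated strings, so a signature that matches only the three published values misses any copy where they were overwritten. As an added example (not from this thread or the analysis it links), the Python sketch below finds every Base58Check-valid Bitcoin address in a binary blob and tags it as one of the three quoted above or as unknown; the sample blob, its address and all function names are constructed for illustration.

```python
import hashlib
import re

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# The three fallback addresses quoted in the post above (published indicators).
KNOWN = {"12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw",
         "115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn",
         "13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94"}
_C = "[1-9A-HJ-NP-Za-km-z]"  # Base58 alphabet as a character class
CANDIDATE = re.compile(f"(?<!{_C})[13]{_C}{{25,33}}(?!{_C})".encode())

def _check(body: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(body).digest()).digest()[:4]

def b58check_payload(addr: str):
    """Return version + hash160 (21 bytes) if addr passes Base58Check, else None."""
    n = 0
    for ch in addr:
        n = n * 58 + B58.index(ch)
    zeros = len(addr) - len(addr.lstrip("1"))  # each leading '1' encodes a 0x00 byte
    raw = b"\x00" * zeros + n.to_bytes((n.bit_length() + 7) // 8, "big")
    return raw[:-4] if len(raw) == 25 and _check(raw[:-4]) == raw[-4:] else None

def b58check_encode(version: int, h160: bytes) -> str:
    """Encoder, used here only to build the constructed sample address."""
    raw = bytes([version]) + h160
    raw += _check(raw)
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    return "1" * (len(raw) - len(raw.lstrip(b"\x00"))) + out

def scan(blob: bytes, known=KNOWN):
    """List (offset, address, 'known' | 'unknown') for each checksum-valid address."""
    hits = []
    for m in CANDIDATE.finditer(blob):
        addr = m.group().decode("ascii")
        if b58check_payload(addr) is not None:  # drops random Base58-looking runs
            hits.append((m.start(), addr, "known" if addr in known else "unknown"))
    return hits

# Constructed sample: a made-up address, a corrupted copy, NUL padding between them.
SAMPLE_ADDR = b58check_encode(0, bytes(range(1, 21)))
BAD_ADDR = SAMPLE_ADDR[:-1] + ("2" if SAMPLE_ADDR[-1] != "2" else "3")
SAMPLE = b"MZ\x90\x00" + SAMPLE_ADDR.encode() + b"\x00" * 3 + BAD_ADDR.encode() + b"\x00"

if __name__ == "__main__":
    print(scan(SAMPLE))
```

An "unknown" hit in a sample that otherwise matches WannaCry is a lead for triage, not proof of tampering, since other software also embeds valid addresses.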