A JPEG With A Payload

    Published: 2025-06-16. Last Updated: 2025-06-16 08:59:44 UTC
    by Didier Stevens (Version: 1)
    0 comment(s)

    Over the weekend, Xavier posted about another image with a payload: "More Steganography!".

    Xavier did a static analysis, and I want to explain how you can decode the payload if you opted for a dynamic analysis.

    During your dynamic analysis, you will notice the download of a JPEG image from hxxps://zynova[.]kesug[.]com/new_image.jpg.

    You can use my tool jpegdump.py to analyze this file:

    You can see that data is appended (after EOI, End Of Image). Notice *trailing*.

    This can be selected:

    Notice the TVqQ that Xavier pointed out. That's BASE64 encoding of MZ, the magic header of a PE file.

    But the @ character is unexpected. That's not part of the BASE64 standard. So let's do some statistics with byte-stats.py:

    So we see that all the letters appears in this payload, except for letter A. Let's try out an hypothesis: character @ is a substitute for character A.

    That's indeed the case, base64dump.py finds a huge BASE64 string, that once decoded starts with MZ.

    If you want to see the SHA256 hash in stead of the MD5 hash, so that we can compare it with what Xavier published, you can set environment variable DSS_DEFAULT_HASH_ALGORITHMS.

    And that's the same hash as Xavier published for the .NET DLL.

     

    Didier Stevens
    Senior handler
    blog.DidierStevens.com

    Keywords:
    0 comment(s)
    ISC Stormcast For Monday, June 16th, 2025 https://isc.sans.edu/podcastdetail/9494

      Comments

      Login here to join the discussion.


      Diary Archives