Make your malware seem like an image

Before we start creating our malware, it’s important to make it look like another kind of file. The world’s most powerful virus would be worth nothing if the victim receives it and sees a file called “virus.exe”. The goal is to trick the target with a file that looks like “dolphin.png” or something similar.

You’ll need WinRAR installed (for the purposes of this course I’ll be using Wine, as I don’t have Windows installed). To install WinRAR, navigate to their website https://www.rarlab.com/ and choose “Windows (64-bit)”.

Once WinRAR is installed, we’ll need an “.exe” file (which would be our virus) and another file; I’ll be using an image.

Now, you’ll have to fire up a web browser and navigate to the ICO Converter website. Once you are there, a page like the following will be shown:

First, select the image you chose before by clicking the “Browse” button. Then, in the “Sizes” section, deselect all the selected options and select ONLY “64 pixels”. Finally, click “Convert”. An “.ico” file will be downloaded to your computer.

Once the “.ico” file has been downloaded, fire up WinRAR, select both the image and the “.exe” file, and click the “Add” button. A window like the following will appear:

The first thing you need to change is the content of “Archive name”, replacing it with the name of your image; in my case it would be “image.jpg”. In the “Archiving options” section, select the “Create SFX archive” option.

After that, go to the “Advanced” tab and click the “SFX Options” button. Another window will open.

Once there, go to the “Setup” tab and, in the first textbox, write the names of the files that will be executed after the disguised malware we are creating is opened: in this case, the image we chose and then the executable file, as shown in the following image:

In the “Modes” tab, select the “Unpack to temporary folder” option and, in the “Silent Mode” section, select the “Hide all” option. Your configuration MUST look like this image:

Then, go to the “Text and Icon” tab and click the “Browse” button. When a file chooser window opens, look for the “.ico” file we converted and downloaded before.

Finally, in the “Update” tab, choose “Extract and update files” in the “Update mode” section and “Overwrite all files” in the “Overwrite mode” section. The configuration should look like this image:

Press “OK” in all the windows that popped up, wait a few moments, and you’ll see a file called “image.jpg.exe”. When that file is opened, both the image and the malware are extracted to a temporary location and executed, and the image viewer opens with the image you chose.
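Seen from the defender's side, the file this procedure produces has recognisable traits: a decoy extension in front of “.exe”, a RAR archive appended to a Windows executable, and an SFX script with the silent, temporary-folder and run-after-extract settings chosen above. The following triage check is an added example, not part of the original page; it assumes the SFX script is stored uncompressed in the archive comment, and the sample bytes are constructed rather than taken from a real archive.

```python
import re
from pathlib import PurePath

EXEC_EXT = {".exe", ".scr", ".com", ".pif"}
DECOY_EXT = {".jpg", ".jpeg", ".png", ".gif", ".bmp", ".pdf", ".doc", ".docx", ".txt"}
RAR_MAGIC = b"Rar!\x1a\x07"  # common prefix of the RAR4 and RAR5 signatures

# WinRAR SFX script commands that correspond to the dialog options described above.
SFX_FLAGS = {
    "runs a program after extraction": rb"(?im)^\s*Setup\s*=",
    "unpacks to a temporary folder": rb"(?im)^\s*TempMode",
    "hides all dialogs": rb"(?im)^\s*Silent\s*=\s*1",
    "overwrites without asking": rb"(?im)^\s*Overwrite\s*=\s*1",
}


def inspect(filename: str, data: bytes) -> list[str]:
    """Return heuristic findings for one file (empty list means nothing flagged)."""
    findings = []
    suffixes = [s.lower() for s in PurePath(filename).suffixes]
    if len(suffixes) >= 2 and suffixes[-1] in EXEC_EXT and suffixes[-2] in DECOY_EXT:
        findings.append(f"double extension {suffixes[-2]}{suffixes[-1]}")
    # An SFX archive is an executable stub ("MZ" header) followed by the archive.
    rar_at = data.find(RAR_MAGIC, 2)
    if data[:2] == b"MZ" and rar_at > 0:
        findings.append("PE file with embedded RAR archive (SFX)")
        tail = data[rar_at:]  # search only the archive part, not the stub
        for meaning, pattern in SFX_FLAGS.items():
            if re.search(pattern, tail):
                findings.append(f"SFX script {meaning}")
    return findings


# Constructed sample: fake stub + RAR marker + an SFX script comment (not a real archive).
SAMPLE = (b"MZ" + b"\x00" * 64 + RAR_MAGIC + b"\x01\x00" + b"\x00" * 16 +
          b";SFX script\r\nSetup=image.jpg\r\nSetup=payload.exe\r\nTempMode\r\n"
          b"Silent=1\r\nOverwrite=1\r\nUpdate=U\r\n")

if __name__ == "__main__":
    for finding in inspect("image.jpg.exe", SAMPLE):
        print("FLAG:", finding)
```

Legitimate installers are also built as SFX archives, so treat the embedded-archive finding alone as low signal; the combination with a decoy extension and a hidden, auto-running setup is what merits quarantine.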