Hello, Didier Stevens here. This is the Twitter account of Benjamin Delpy, gentilkiwi, the author of Mimikatz, with his profile picture here, a .png file. And I did download that .png file and I created from that .png file another .png file into which I have injected mimikatz.exe, a small tribute to Benjamin. So here I have the original one and here the one into which I also injected Mimikatz. As you can see, it also renders perfectly.

So let's take a look with my analysis tool for .png files, pngdump. That's the output that we have. So a header, the expected header is present, and then a list of chunks. Each chunk has a position of course, an identifier, 4 bytes, IHDR, IDAT, IEND, a length because most chunks have data, and then there is also a CRC32 code for that data that my tool validates. The IHDR chunk has information like the width, the height, the bits, color type, compression method, filter method, interlace method. Compression method: the standard only supports one compression method, zero, that is zlib compression. The bitmap is zlib compressed and stored in these IDAT chunks. So all of these chunks except the last one have a size of 2,000, something that can be chosen, and if you extract the data from all of those IDATs and put them together then you can decompress the data.

So my tool here found 13 IDATs, total length 102,372, and this can be decompressed into the bitmap, 230,640 bytes. The size of one line of pixels, the scan line, is 960 bytes and that corresponds to the calculation here, and then each line is filtered according to a certain type. For example, subtraction filter, up filter, that's what we have here, all normal. We have in total 240 of those filtered scan lines, 240 scan lines, and that corresponds to the height, so all of this here is normal. This is extra information that I'm still working on.

Okay, now let's look at that special PNG file that I made and that's what you get. Way more output, let's pipe this through more.
Okay, and so we have the same header and then IDATs, but we have way more IDATs. 52 in total, the length is larger, decompressed length is also larger, scan line size 960, that's okay. The last scan line is too short by 612 bytes, so that's abnormal, and then we have the five normal filters, None, Sub, Up, Average, Paeth, but then also a bunch of unknown filters, and that is because of the Mimikatz executable that I appended after the bitmap, that's what we are seeing here. The height as set in the header is 240, but if we count the number of scan lines, the number of filters, we have 909, so there is extra data. The tool extracts that extra data, that's the size, and as you can see it starts with MZ, so this is the PE file Mimikatz.

I can select all of the IDATs, so that gives me the compressed bitmap, that's a compressed bitmap. I can also select the decompressed bitmap, so that is the bitmap and then followed by the Mimikatz executable, and finally here in this image, because there is extra data, I can also select that extra data like this, that's the Mimikatz executable. I can do a binary dump and pipe this into pecheck, my tool to analyze PE files, and it is indeed a PE file, and let's grep for mimi and here we have Mimikatz.

If we calculate the hash, actually pecheck shows us the hash at the beginning here. Let me take the hash, look that up on VirusTotal, so that is indeed Mimikatz with, as can be expected, a really high number of detections. This is also an older version of Mimikatz. And if I take the hash of that special PNG file that I made, so again the profile picture of Benjamin Delpy followed by the Mimikatz executable, if I look that up, I did submit that about two weeks ago to VirusTotal, here you have it, as you can see zero detections. So this is my small tribute to all of the work that Benjamin Delpy has been doing for us. Thank you, Benjamin Delpy.
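
The check walked through in the transcript (validate each chunk's CRC32, concatenate the IDAT data, decompress it, and compare the result with the size the IHDR fields imply), as an added Python example that is not part of the video and is not pngdump's code. The function names, the `make_sample` test image and any marker bytes passed to it are constructed for this illustration; interlaced images are not handled.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
CHANNELS = {0: 1, 2: 3, 3: 1, 4: 2, 6: 4}  # samples per pixel, by colour type

def chunks(png):
    """Yield (type, data, crc_ok) for every chunk up to and including IEND."""
    if png[:8] != PNG_SIG:
        raise ValueError("missing PNG signature")
    pos = 8
    while pos + 12 <= len(png):
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        data = png[pos + 8:pos + 8 + length]
        crc = png[pos + 8 + length:pos + 12 + length]
        yield ctype, data, crc == struct.pack(">I", zlib.crc32(ctype + data))
        if ctype == b"IEND":
            return
        pos += 12 + length

def analyze(png):
    """Compare the decompressed IDAT stream with the size IHDR implies."""
    ihdr, idat, count = b"", b"", 0
    for ctype, data, crc_ok in chunks(png):
        if not crc_ok:
            raise ValueError("bad CRC32 in %r chunk" % ctype)
        if ctype == b"IHDR":
            ihdr = data
        elif ctype == b"IDAT":
            idat, count = idat + data, count + 1
    width, height, depth, colour, _, _, interlace = struct.unpack(">IIBBBBB", ihdr)
    if interlace:
        raise ValueError("interlaced images are not handled here")
    scanline = 1 + (width * CHANNELS[colour] * depth + 7) // 8  # +1 filter byte
    raw = zlib.decompress(idat)
    expected = scanline * height  # bytes the header accounts for
    return {"idat_chunks": count, "scanline": scanline, "expected": expected,
            "decompressed": len(raw), "extra": raw[expected:]}

def make_sample(extra=b"", width=4, height=2, idat_size=16):
    """Constructed 8-bit RGB test image; `extra` is placed after the bitmap."""
    def chunk(ctype, data):
        body = ctype + data
        return struct.pack(">I", len(data)) + body + struct.pack(">I", zlib.crc32(body))
    bitmap = (b"\x00" + b"\x80" * (width * 3)) * height  # filter type 0 = None
    z = zlib.compress(bitmap + extra)
    idats = b"".join(chunk(b"IDAT", z[i:i + idat_size]) for i in range(0, len(z), idat_size))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    return PNG_SIG + chunk(b"IHDR", ihdr) + idats + chunk(b"IEND", b"")
```

A non-empty `extra` in the result means the decompressed stream holds more bytes than height times scan-line size, which is the same mismatch the transcript reports as 909 scan lines against a header height of 240.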