Hello, Didier Stevens here, senior editor at the Internet Storm Center. My diary entry here, PNG analysis, shows you a bit how to use my tool pngdump to analyze malicious PNG files and benign PNG files. So I'm going to show you one that is also here in the diary entry, and it's one with an IcedID payload.

So I run my tool pngdump on that file, and first of all here you get different items: a header and then chunks, all in the structure of the PNG file, with here the position where it is found. After the header, the default header, you have different chunks. They have a name of four bytes, like here IHDR, sRGB, gAMA, pHYs, IDAT, IEND, and IEND is the end of the PNG file. Then you have the length of each chunk, and a chunk also has a CRC32 code for the data that it has, and the tool checks if that checksum is correct. So here everything looks OK.

So this image is 3930 pixels width, 19998, 8 color bits, color type 2, and then compression method 0, filter method 0, interlace method 0. Compression method 0 means that the data of the image, the bitmap that is contained in IDAT, is zlib compressed, and up to now that's the only compression supported by the PNG format. So everything that is in IDAT here, that data (and you can have more than one IDAT entry), well, that is one long compressed stream, and here my tool gathers all the information from the IDATs and then tries to decompress this, and on this image here this fails. So although the structure of this image is correct, there is actually no valid bitmap in here, because it cannot be decompressed. So this image cannot be rendered, and that is where the IcedID is hidden. So I can select the uncompressed IDATs in raw format, without the compression. All of the data is in there like this, and that's the data, and if I do a binary dump of that data and put this into my byte-stats tool, you can see a very high entropy, almost 8.
That's because that data here is RC4 encrypted, and I wrote a small script, based on existing scripts I could find on GitHub, to decrypt this information. So I made a small script, decrypt IcedID, with a decrypt function and a check function that you can use with my translate tool. So you select the IDATs here, and then you run my translate tool, that takes input in byte format, there is a transformation on it, and then outputs bytes. So we are going to load a script here, that's the decrypt script that I made, and we are going to run on the full stream, not byte per byte, but on the full stream in one go, and first we run the check function. Then we get this output: that at offset zero a header was found, and this is a typical header for that IcedID shellcode RC4 encryption, the decrypted size, the shellcode entry point, and then the size here of the shellcode. And then I can also decrypt this now. This will spit out binary data, so what I'm going to do is just pipe this into my strings tool, and then we can at least see some strings. So here now we have decrypted data, because if we run this on the decrypted data we don't get any readable strings.
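As an added example (not Didier's pngdump code), the checks the video walks through can be reproduced in a few lines of Python: walk the chunk structure with positions, verify each chunk's CRC32, concatenate the IDAT data, try to zlib-decompress it, and measure the entropy of the raw IDAT bytes. The PNG inputs are constructed here; the "hidden" payload is a stand-in for an encrypted blob and is not IcedID data.

```python
import math
import struct
import zlib
from collections import Counter

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialize one PNG chunk: length, type, data, CRC32 over type+data."""
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", zlib.crc32(ctype + data))

def build_sample(idat_payload: bytes) -> bytes:
    """Constructed 1x1 RGB PNG (IHDR, IDAT, IEND) carrying an arbitrary IDAT body."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # width, height, depth, color type, comp, filter, interlace
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat_payload) + _chunk(b"IEND", b"")

def parse_png(blob: bytes):
    """Return ([(position, type, length, crc_ok), ...], concatenated IDAT data)."""
    if blob[:8] != PNG_SIG:
        raise ValueError("not a PNG header")
    pos, chunks, idat = 8, [], b""
    while pos + 12 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        data = blob[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", blob[pos + 8 + length:pos + 12 + length])
        chunks.append((pos, ctype.decode("latin-1"), length, zlib.crc32(ctype + data) == crc))
        if ctype == b"IDAT":
            idat += data  # all IDATs together form one zlib stream
        pos += 12 + length
        if ctype == b"IEND":
            break
    return chunks, idat

def decompress_idat(idat: bytes):
    """None means the IDAT stream is not a valid zlib stream: the image cannot be rendered."""
    try:
        return zlib.decompress(idat)
    except zlib.error:
        return None

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (8.0 is the maximum), as byte-stats reports it."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

# Constructed inputs: a real 1x1 red pixel (filter byte + RGB), and a high-entropy non-zlib blob.
BENIGN_IDAT = zlib.compress(b"\x00\xff\x00\x00")
HIDDEN_IDAT = bytes(range(256)) * 4
```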