# DarkMegi rootkit - sample (distributed via Blackhole) **[contagiodump.blogspot.com/2012/04/this-is-darkmegie-rootkit-sample-kindly.html](http://contagiodump.blogspot.com/2012/04/this-is-darkmegie-rootkit-sample-kindly.html)** Update April 20, 2012 Kimberly wrote an excellent analysis of this sample. Please go to [Stopmalvertising to read](http://stopmalvertising.com/rootkits/analysis-of-darkmegi-aka-npcdark.html) This is a "DarkMegie" rootkit sample, kindly donated by Hendrik Adrian. Just like described in the McAfee article "Darkmegi: This is Not the Rootkit You’re Looking For" by Craig Schmugar, it is anything but quiet and stealthy. In fact, it makes so many system changes that it is hard to cover it all in a quick post. Indeed, it drops the rootkit components in drivers with the incredible padding to 25MB and generates a lot of traffic. Unfortunately, I did not have time yet to sort out the mess and purpose of all files that this malware creates so I am just posting it here along with sandbox results for you to analyze. If you write a detailed analysis, please share, I will link to. **File information** ----- Size: 77312 MD5: 6C8F9658A390C24A9F4551DC15063927 **Download** [Download (email me if you need the password scheme)](http://www.mediafire.com/?799tdntibvw2nu1) [Download the modified / created files and analysis data](http://www.mediafire.com/?71gd6nv5y5cy7x5) [Download pcap](http://www.mediafire.com/?71gd6nv5y5cy7x5) **Malware system changes** **Sample analysis -by** **[Stopmalvertising](http://stopmalvertising.com/rootkits/analysis-of-darkmegi-aka-npcdark.html)** C:\Windows\System32\drivers\com32.sys 9728 4399b8a60977814197feae67c02a7ac2 C:\Windows\System32\drivers\RCX50E3.tmp 26224256 9f32c51764f579512810b7ab3de1a91a C:\Windows\System32\drivers\com32.sys 26224256 dd313b92f60bb66d3d613bc49c1ef35e C:\Windows\System32\com32.dl 45056 25cfb72df8a30cbb7e6ee852bc31c50f C:\Windows\System32\RCX5B11.tmp 31506432 2f00e0927c07bc44d9b79ccbe567f398 C:\Windows\System32\del043.bat 86 1a1e7855edc0afa6624080d60da8bf44 **[You can download the full detailed sandbox report here](http://www.mediafire.com/view/?gtpsz1b7iot308h)** **Traffic** It is as active as a click fraud or DDoS bot but does not fit these categories. I am not quite sure what it is doing, please look and us know :) ----- Some of the traffic [process 8] 65.55.253.27 192.168.254.192 GET /c.gif?evt=br&rid=4571d83250544049bfc2ee88060f6bc8 &exa=&cts=1334748967640&expac=&fk=W&gp=P&optkey=de ----- fault&clid=23A3C63D37E16EEA2397C50633E16E45&cp=def ault&di=340&pi=7317&ps=95101&mk=en-us&pn=US+HPMSFT 3Wdefault&pid=6901517&su=http%3A%2F%2Fwww.msn.com% 2Fdefaultwpe3w.aspx&pageid=690151710&ce=1&hl=cplus &cm=head%3Ecb1 [process 8] 65.54.81.211 192.168.254.192 GET /i/87/DEC3F3D671E6CC76B09340612A38.jpg [process 8] 207.46.193.176 192.168.254.192 GET /action/MSN_Homepage_Remessaging_111808/nc?a=1 [process 8] 207.46.193.176 192.168.254.192 none [process 8] 208.44.23.25 192.168.254.192 none [process 8] 208.44.23.25 192.168.254.192 GET /b?c1=2&c2=3000001&c7=http%3A%2F%2Fwww.msn.com%2F% 3Focid%3Diehp&c9=&rn=1334748958175 [process 8] 65.55.239.146 192.168.254.192 GET /c.gif?udc=true&di=340&pi=7317&ps=95101&lng=en-us& tp=http%3A%2F%2Fwww.msn.com%2Fdefaultwpe3w.aspx&ri d=4571d83250544049bfc2ee88060f6bc8&rnd=13347489581 76&rf=&scr=1024x768 [process 8] 65.55.239.146 192.168.254.192 GET /c.gif?udc=true&di=340&pi=7317&ps=95101&lng=en-us& tp=http%3A%2F%2Fwww.msn.com%2Fdefaultwpe3w.aspx&ri d=4571d83250544049bfc2ee88060f6bc8&rnd=13347489581 76&rf=&scr=1024x768&MUID=23A3C63D37E16EEA2397C5063 3E16E45&cb=1cd1d576b2f13a0 [process 8] 65.54.81.211 192.168.254.192 GET /i/5E/4B835E56AC3C8535DB16275B4BAF4.jpg [process 8] 65.54.80.242 192.168.254.192 GET /i/BB/756A1C963A72E4AFBC36501B512725.jpg [process 8] 65.54.81.211 192.168.254.192 GET /i/E2/F757C6DFF15796123FA81CF7DCCF.jpg [process 8] 65.55.239.146 192.168.254.192 GET /c.gif?udc=true&di=340&pi=7317&ps=95101&lng=en-us& tp=http%3A%2F%2Fwww.msn.com%2Fdefaultwpe3w.aspx&ri ----- d=4571d83250544049bfc2ee88060f6bc8&rnd=13347489581 76&rf=&scr=1024x768&RedC=c.msn.com&MXFR=23A3C63D37 E16EEA2397C50633E16E45 [process 8] 65.55.239.146 192.168.254.192 none [process 8] 23.66.231.58 192.168.254.192 GET /qsonhs.aspx?form=MSN005&q= [process 8] 23.66.231.58 192.168.254.192 none [process 8] 65.54.81.185 192.168.254.192 GET /CIS/77/000/000/000/028/440.swf?fd=www.msn.com [process 8] 65.54.81.185 192.168.254.192 GET /CIS/18/000/000/000/024/175.jpg **Automatic scans** [Virustotal](https://www.virustotal.com/file/a2c176ef3cc343194207e33acc19d5f8cb083a3c387a0404bd8f9d6bd29cfd6f/analysis/) SHA256: a2c176ef3cc343194207e33acc19d5f8cb083a3c387a0404bd8f9d6bd29cfd6f SHA1: c1af1fa6937097762824d0db039777ff35577727 MD5: 6c8f9658a390c24a9f4551dc15063927 File size: 75.5 KB ( 77312 bytes ) File name: DarkMegiSample File type: Win32 EXE Tags: yoda yodaprot Detection ratio: 34 / 42 Analysis date: 2012-04-17 08:22:42 UTC ( 1 day, 3 hours ago ) More details Antivirus Result Update AhnLab-V3 Dropper/Rootkit.77312 20120417 AntiVir HEUR/Crypted 20120417 Antiy-AVL Trojan/Win32.Agent.gen 20120417 Avast Win32:Malware-gen 20120417 AVG PSW.Agent.ASED 20120417 BitDefender Trojan.Generic.KDV.503006 20120417 ByteHero - 20120417 CAT-QuickHeal TrojanSpy.Agent.bwtk 20120417 ClamAV PUA.Packed.YodaProt 20120417 Commtouch W32/Heuristic-210!Eldorado 20120417 Comodo TrojWare.Win32.TrojanDownloader.Agent.accn 20120417 DrWeb Trojan.PWS.Gamania.34539 20120417 Emsisoft Trojan.SuspectCRC!IK 20120417 ----- eSafe Suspicious File 20120415 eTrust-Vet - 20120417 F-Prot W32/Heuristic-210!Eldorado 20120416 F-Secure Trojan.Generic.KDV.503006 20120417 Fortinet W32/Agent.BWTK!tr 20120417 GData Trojan.Generic.KDV.503006 20120417 Ikarus Trojan.SuspectCRC 20120417 Jiangmin TrojanSpy.Agent.uzc 20120417 K7AntiVirus Riskware 20120416 Kaspersky Trojan-Spy.Win32.Agent.bwtk 20120417 McAfee Artemis!6C8F9658A390 20120416 McAfee-GW-Edition - 20120417 Microsoft Trojan:Win32/Meredrop 20120417 NOD32 a variant of Win32/CsNowDown.C 20120417 Norman W32/Troj_Generic.ASBJ 20120416 nProtect Trojan/W32.Agent.77312.VC 20120417 Panda Generic Trojan 20120416 PCTools Downloader.Darkmegi 20120417 Sophos Mal/Packer 20120417 SUPERAntiSpyware - 20120402 Symantec Downloader.Darkmegi 20120417 TrendMicro Cryp_Yodap 20120417 TrendMicro-HouseCall Cryp_Yodap 20120417 VBA32 TrojanSpy.Agent.bwtk 20120416 VIPRE Trojan-Spy.Win32.Agent -----