{
	"id": "c670fb54-a9ec-438e-ba8e-d2f156adb1ad",
	"created_at": "2026-04-06T00:22:10.416055Z",
	"updated_at": "2026-04-10T03:21:42.003578Z",
	"deleted_at": null,
	"sha1_hash": "cbe071f9312ea01a59bda9717e6b5d45689fd5cb",
	"title": "Analysis of DarkMegi aka NpcDark",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1716380,
	"plain_text": "Analysis of DarkMegi aka NpcDark\r\nBy Kimberly\r\nArchived: 2026-04-05 16:40:21 UTC\r\nI’ve always been interested in rootkits and their removal. So it was no surprise that after reading the article about\r\nDarkMegi I tried to find the rootkit dropper. Two security colleagues were kind enough to forward me a few\r\nsamples.\r\nAccording to the analysis performed by McAfee Labs, DarkMegi was the first known threat delivered through the\r\nCVE-2012-0003 - MIDI Remote Code Execution Vulnerability. DarkMegi has also been distributed via the Gong\r\nDa Pack exploit kit and more recently via the Blackhole Exploit kit.\r\nDarkMegi is complex and difficult to analyze; it involves more than just dropping a usermode component (\r\ncom32.dll) and a kernel driver (com32.sys) on the victim’s computer.\r\nUpon execution DarkMegiSample.exe, as we will name the file in the analysis, starts up an instance of\r\nipconfig.exe.\r\n[EXECUTION] \"c:\\windows\\system32\\ipconfig.exe\" was allowed to run\r\n[EXECUTION] Started by \"c:\\documents and settings\\kly\\desktop\\darkmegisample.exe\" [1160]\r\n[EXECUTION] Commandline - [ ipconfig.exe ]\r\nDarkMegiSample.exe then installs a service called Com32 and drops the kernel driver com32.sys into the Drivers\r\ndirectory. 
At this stage, 9,728 bytes have been written to the file.\r\n[DRIVER/SERVICE] c:\\documents and settings\\kly\\desktop\\darkmegisample.exe [1160] Tried to install a driver/service named Com32\r\nDarkMegiSample.exe then creates a file called RCX1.tmp in the Drivers folder, copies the current content of com32.sys into it and appends a huge pile of junk data, so that RCX1.tmp grows to 25.0 MB (26,224,256 bytes). The file com32.sys is then deleted and RCX1.tmp is renamed to com32.sys. Padding a dropped file to tens of megabytes is a common way to push it past the file-size limits that many scanners and sandboxes apply, so a driver whose on-disk size is thousands of times what its PE headers account for deserves a closer look.\r\nhttp://stopmalvertising.com/rootkits/analysis-of-darkmegi-aka-npcdark.html\r\nPage 1 of 7\r\nThe kernel driver com32.sys contains a couple of interesting strings:\r\n0x00001757: 'H:\\RKTDOW~1\\RKTDRI~1\\RKTDRI~1\\objfre\\i386\\RktDriver.pdb'\r\n0x019021C4: 'The driver for the supercool driver-based tool'\r\n0x01902328: 'Supercool driver-based tool'\r\n0x0000062E: 'DosDevices\\NpcDark'\r\n0x0000060E: 'Device\\NpcDark'\r\n0x01902274: 'RktDriver.sys'\r\nDarkMegiSample.exe then drops the usermode component com32.dll; its size is 45,056 bytes upon creation. As with the driver, the dll is copied to a temporary file, RCX2.tmp, which gets a huge amount of junk data appended so that the final size becomes 30.0 MB (31,506,432 bytes). The file com32.dll is deleted and RCX2.tmp is renamed to com32.dll.\r\nDarkMegiSample.exe launches an instance of rundll32.exe to load the freshly created usermode component com32.dll, calling its getinterface export.\r\n[EXECUTION] \"c:\\windows\\system32\\rundll32.exe\" was blocked from running\r\n[EXECUTION] Started by \"c:\\documents and settings\\kly\\desktop\\darkmegisample.exe\" [1160]\r\n[EXECUTION] Commandline - [ c:\\windows\\system32\\rundll32.exe c:\\windows\\system32\\com32.dll getinterface ]\r\nDarkMegiSample.exe launches several hidden instances of Internet Explorer.
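As an added example, not part of the original analysis, the following Python measures how much data trails the last section of a PE file (the overlay), which is where appended junk such as DarkMegi's padding of com32.sys and com32.dll ends up, because the loader only maps what the headers describe. The PE it builds is a constructed minimal 32-bit image, not a DarkMegi sample; the thresholds in looks_padded are assumptions chosen so that the small Authenticode certificate table of a signed driver does not trigger a false positive.

```python
# Added example (not from the original analysis): measure the data that
# trails the last section of a PE file, the so-called overlay. DarkMegi pads
# com32.sys and com32.dll with junk until they are 25-30 MB; the loader only
# maps what the headers describe, so almost all of that size is overlay.
import struct


def pe_image_end(data: bytes) -> int:
    # Offset just past the last byte the headers and sections occupy on disk.
    if data[:2] != b'MZ':
        raise ValueError('not an MZ executable')
    e_lfanew = struct.unpack_from('<I', data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b'PE' + bytes(2):
        raise ValueError('bad PE signature')
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from('<H', data, coff + 2)[0]
    opt_size = struct.unpack_from('<H', data, coff + 16)[0]
    size_of_headers = struct.unpack_from('<I', data, coff + 20 + 60)[0]  # same offset for PE32 and PE32+
    sect_table = coff + 20 + opt_size
    if len(data) < sect_table + 40 * num_sections:
        raise ValueError('truncated section table')
    end = size_of_headers
    for i in range(num_sections):
        # SizeOfRawData and PointerToRawData sit at +16 and +20 in each 40-byte section header.
        raw_size, raw_ptr = struct.unpack_from('<II', data, sect_table + 40 * i + 16)
        if raw_size:
            end = max(end, raw_ptr + raw_size)
    return end


def overlay_size(data: bytes) -> int:
    return len(data) - pe_image_end(data)


def looks_padded(data: bytes, min_overlay: int = 1 << 20, min_ratio: float = 10.0) -> bool:
    # Signed binaries carry a small overlay (the Authenticode certificate
    # table), so require both an absolute size and a ratio before flagging.
    # Thresholds are assumptions for this example.
    end = pe_image_end(data)
    extra = len(data) - end
    return extra >= min_overlay and extra >= min_ratio * end


def build_minimal_pe(section_bytes: bytes) -> bytes:
    # Constructed 32-bit PE with a single .text section, for the demo only.
    file_align, e_lfanew, opt_size = 0x200, 0x40, 0xE0
    header_bytes = e_lfanew + 4 + 20 + opt_size + 40
    size_of_headers = -(-header_bytes // file_align) * file_align
    raw_size = -(-len(section_bytes) // file_align) * file_align
    dos = bytearray(e_lfanew)
    dos[:2] = b'MZ'
    struct.pack_into('<I', dos, 0x3C, e_lfanew)
    coff = struct.pack('<HHIIIHH', 0x14C, 1, 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into('<H', opt, 0, 0x10B)                       # PE32 magic
    struct.pack_into('<II', opt, 32, 0x1000, file_align)        # SectionAlignment, FileAlignment
    struct.pack_into('<II', opt, 56, 0x2000, size_of_headers)   # SizeOfImage, SizeOfHeaders
    sect = struct.pack('<8sIIIIIIHHI', b'.text', len(section_bytes), 0x1000,
                       raw_size, size_of_headers, 0, 0, 0, 0, 0x60000020)
    headers = (bytes(dos) + b'PE' + bytes(2) + coff + bytes(opt) + sect).ljust(size_of_headers, bytes(1))
    return headers + section_bytes.ljust(raw_size, bytes(1))


if __name__ == '__main__':
    clean = build_minimal_pe(b'placeholder code' * 4)
    padded = clean + bytes(3 * 1024 * 1024)   # stand-in for the appended junk
    print(overlay_size(clean), looks_padded(clean))
    print(overlay_size(padded), looks_padded(padded))
```

To use it on a suspect file, read it into bytes and call overlay_size and looks_padded; a driver whose image ends near 9,728 bytes but sits on disk at 26,224,256 bytes reports an overlay close to the full file size. Keep in mind that packers and installers also legitimately store data in the overlay, so treat the result as a reason to look, not as a verdict.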
The usermode component com32.dll is now loaded into Internet Explorer as well.\r\n[EXECUTION] \"c:\\program files\\internet explorer\\iexplore.exe\" was allowed to run\r\n[EXECUTION] Started by \"c:\\documents and settings\\kly\\desktop\\darkmegisample.exe\" [1160]\r\n[EXECUTION] Commandline - [ \"c:\\program files\\internet explorer\\iexplore.exe\" ]\r\n[EXECUTION] \"c:\\program files\\internet explorer\\iexplore.exe\" was allowed to run\r\n[EXECUTION] Started by \"c:\\documents and settings\\kly\\desktop\\darkmegisample.exe\" [1844]\r\n[EXECUTION] Commandline - [ \"c:\\program files\\internet explorer\\iexplore.exe\" ]\r\nThe usermode component com32.dll contains a list of hardcoded DNS servers and is most likely able to download an updated version of the rootkit. If the dll uses them, its lookups go straight to these public resolvers instead of the local one, which is a useful network indicator on a network that should only talk to its own DNS servers. Again we find a reference to NpcDark ... would the author be a fan of WoW (World of Warcraft)?\r\n8.8.8.8 - google-public-dns-a.google.com\r\n208.67.222.222 - resolver1.opendns.com\r\n165.87.201.244 - ns4.us.prserv.net\r\n209.166.160.36 - orion.dns.cc.stargate.net\r\n168.95.192.1 - hntp1.hinet.net\r\nInternet access is requested to download two files and contact what seems to be a stats page.\r\n20111230.exe is renamed as fuc6.tmp.exe\r\n20111230.jpg is renamed as fuc5.tmp\r\n[EXECUTION] \"c:\\program files\\internet explorer\\iexplore.exe\" was allowed to run\r\n[EXECUTION] Started by \"c:\\windows\\system32\\rundll32.exe\" [1968]\r\n[EXECUTION] Commandline - [ \"c:\\program files\\internet explorer\\iexplore.exe\" http://images.hananren.com/newd.htm ]\r\nThe domain images.hananren.com was registered on 1 July 2011 and, as seen below, the registrant details are totally faked.\r\nimages.hananren.com - 70.39.69.236\r\nUpdated Date: 01-jul-2011\r\nCreation Date: 01-jul-2011\r\nName Server: 
NS77.DOMAINCONTROL.COM\r\nName Server: NS78.DOMAINCONTROL.COM\r\nRegistrar: GODADDY.COM, LLC\r\nRegistrant: y3z1007 y3z1007\r\n  y3z1007@gmail.com\r\n  sdfsfsdfsdfsdf\r\n  benjing, beijing 101100\r\n  China\r\n  1-380-013-8000\r\nDarkMegiSample.exe now exits and deletes itself. The file fuc6.tmp.exe is launched by rundll32.exe and also deletes itself after execution.\r\n[EXECUTION] \"c:\\windows\\system32\\cmd.exe\" was allowed to run\r\n[EXECUTION] Started by \"Unknown Process\" [2212]\r\n[EXECUTION] Commandline - [ c:\\windows\\system32\\cmd.exe /c del \"c:\\docume~1\\kly\\locals~1\\temp\\fuc6.tmp.exe\" ]\r\nIt is hard to tell from Process Monitor what the purpose of fuc6.tmp.exe is, but we notice that a randomly named file, VT2XT4d.tmp in our analysis, has been marked for deletion upon reboot (on Windows this is queued in the PendingFileRenameOperations value under the Session Manager registry key, which is worth checking during triage).\r\nBoth cmd.exe and Internet Explorer load another dll dropped by the rootkit: bdcapEx32.dll.\r\nAfter examining the strings in VT2XT4d.tmp I found out that it was actually a copy of imm32.dll. The file imm32.dll itself had been patched to load ... bdcapEx32.dll.\r\nThe file imm32.dll is loaded by a huge number of processes on the system, so patching it gives bdcapEx32.dll a foothold in nearly every process; verifying the Authenticode signature of imm32.dll, or comparing its hash with a known-good copy, is the quick way to catch this.\r\nSource: http://stopmalvertising.com/rootkits/analysis-of-darkmegi-aka-npcdark.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"http://stopmalvertising.com/rootkits/analysis-of-darkmegi-aka-npcdark.html"
	],
	"report_names": [
		"analysis-of-darkmegi-aka-npcdark.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434930,
	"ts_updated_at": 1775791302,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/cbe071f9312ea01a59bda9717e6b5d45689fd5cb.pdf",
		"text": "https://archive.orkl.eu/cbe071f9312ea01a59bda9717e6b5d45689fd5cb.txt",
		"img": "https://archive.orkl.eu/cbe071f9312ea01a59bda9717e6b5d45689fd5cb.jpg"
	}
}