Wednesday, April 18, 2012

DarkMegi rootkit - sample (distributed via Blackhole)

Update April 20, 2012: Kimberly wrote an excellent analysis of this sample. Please go to
Stopmalvertising to read it.

This is a "DarkMegi" rootkit sample, kindly donated by Hendrik Adrian. As described in the McAfee article "Darkmegi: This is Not the Rootkit You’re Looking For" by Craig Schmugar, it is anything but quiet and stealthy. In fact, it makes so many system changes that it is hard to cover them all in a quick post.
Indeed, it drops the rootkit components into the drivers directory, padded to an incredible 25 MB, and generates a lot of traffic. Unfortunately, I have not yet had time to sort out the mess and the purpose of all the files this malware creates, so I am just posting it here along with the sandbox results for you to analyze. If you write a detailed analysis, please share it and I will link to it.

File information

Size: 77312
MD5:  6C8F9658A390C24A9F4551DC15063927


Download  (email me if you need the password scheme)  
Download the modified / created files and analysis data
Download pcap

Malware system changes

Sample analysis by Stopmalvertising

Path                                           Size (bytes)   MD5
C:\Windows\System32\drivers\com32.sys          9728           4399b8a60977814197feae67c02a7ac2
C:\Windows\System32\drivers\RCX50E3.tmp        26224256       9f32c51764f579512810b7ab3de1a91a
C:\Windows\System32\drivers\com32.sys          26224256       dd313b92f60bb66d3d613bc49c1ef35e
C:\Windows\System32\com32.dl                   45056          25cfb72df8a30cbb7e6ee852bc31c50f
C:\Windows\System32\RCX5B11.tmp                31506432       2f00e0927c07bc44d9b79ccbe567f398
C:\Windows\System32\del043.bat                 86             1a1e7855edc0afa6624080d60da8bf44
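As an added example (my code, not the post's or Stopmalvertising's), here is a small Python checker that turns the listing above into an IoC table and verifies a copied or mounted system volume against it. It assumes the volume is reachable as a plain directory tree (the default root /mnt/c is a placeholder) and it keeps every known state for a path, because the listing shows com32.sys twice: once as the small initial driver and once as the 25 MB padded one.

```python
"""Verify an offline copy of a Windows volume against the DarkMegi drop list.

Added example, not code from the post. Parses the path / size / MD5 listing
into records, hashes the files at those paths under a root directory and
reports which ones match a known state.
"""
import hashlib
import os
import re
from collections import defaultdict

# The listing lines exactly as given in the post (raw string: backslashes are literal).
DROP_LIST = r"""
C:\Windows\System32\drivers\com32.sys                9728           4399b8a60977814197feae67c02a7ac2
C:\Windows\System32\drivers\RCX50E3.tmp        26224256    9f32c51764f579512810b7ab3de1a91a
C:\Windows\System32\drivers\com32.sys              26224256     dd313b92f60bb66d3d613bc49c1ef35e
C:\Windows\System32\com32.dl                           45056            25cfb72df8a30cbb7e6ee852bc31c50f
C:\Windows\System32\RCX5B11.tmp                   31506432     2f00e0927c07bc44d9b79ccbe567f398
C:\Windows\System32\del043.bat                          86               1a1e7855edc0afa6624080d60da8bf44
"""

LINE_RE = re.compile(r"^(?P<path>\S+)\s+(?P<size>\d+)\s+(?P<md5>[0-9a-fA-F]{32})$")


def parse_drop_list(text):
    """Return {win_path: {(size, md5), ...}}; a path may carry several known states."""
    known = defaultdict(set)
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            raise ValueError("unparseable listing line: %r" % line)
        known[m.group("path")].add((int(m.group("size")), m.group("md5").lower()))
    return dict(known)


def md5_of(path, chunk=1 << 20):
    """Stream the file through MD5; the padded drivers are tens of MB, so avoid read()."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def local_path(root, win_path):
    """Map 'C:\\Windows\\...' onto a directory tree rooted at `root`."""
    rel = win_path.split(":", 1)[1].lstrip("\\/").replace("\\", os.sep)
    return os.path.join(root, rel)


def scan(root, known=None):
    """Return {win_path: verdict}; verdict is 'match', 'present-unknown-hash' or 'absent'."""
    if known is None:
        known = parse_drop_list(DROP_LIST)
    verdicts = {}
    for win_path, states in known.items():
        p = local_path(root, win_path)
        if not os.path.isfile(p):
            verdicts[win_path] = "absent"
            continue
        observed = (os.path.getsize(p), md5_of(p))
        verdicts[win_path] = "match" if observed in states else "present-unknown-hash"
    return verdicts


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "/mnt/c"  # placeholder mount point
    for path, verdict in sorted(scan(root).items()):
        print("%-22s %s" % (verdict, path))
```

Run it against an image rather than the live system: on an infected box the hooks the commenter describes below may hide the files from a normal open, so hashing a mounted copy sidesteps that.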

It is as active as a click-fraud or DDoS bot but does not fit either category.
I am not quite sure what it is doing; please take a look and let us know :)

Some of the traffic

[process 8] GET
[process 8] GET
[process 8] GET
[process 8] none
[process 8] none
[process 8] GET
[process 8] GET
[process 8] GET
[process 8] GET
[process 8] GET
[process 8] GET
[process 8] GET
[process 8] none
[process 8] GET
[process 8] none
[process 8] GET
[process 8] GET

Automatic scans

SHA256:     a2c176ef3cc343194207e33acc19d5f8cb083a3c387a0404bd8f9d6bd29cfd6f
SHA1:     c1af1fa6937097762824d0db039777ff35577727
MD5:     6c8f9658a390c24a9f4551dc15063927
File size:     75.5 KB ( 77312 bytes )
File name:     DarkMegiSample
File type:     Win32 EXE
Tags:     yoda yodaprot
Detection ratio:     34 / 42
Analysis date:     2012-04-17 08:22:42 UTC
Antivirus     Result     Update
AhnLab-V3     Dropper/Rootkit.77312     20120417
AntiVir     HEUR/Crypted     20120417
Antiy-AVL     Trojan/Win32.Agent.gen     20120417
Avast     Win32:Malware-gen     20120417
AVG     PSW.Agent.ASED     20120417
BitDefender     Trojan.Generic.KDV.503006     20120417
ByteHero     -     20120417
CAT-QuickHeal     TrojanSpy.Agent.bwtk     20120417
ClamAV     PUA.Packed.YodaProt     20120417
Commtouch     W32/Heuristic-210!Eldorado     20120417
Comodo     TrojWare.Win32.TrojanDownloader.Agent.accn     20120417
DrWeb     Trojan.PWS.Gamania.34539     20120417
Emsisoft     Trojan.SuspectCRC!IK     20120417
eSafe     Suspicious File     20120415
eTrust-Vet     -     20120417
F-Prot     W32/Heuristic-210!Eldorado     20120416
F-Secure     Trojan.Generic.KDV.503006     20120417
Fortinet     W32/Agent.BWTK!tr     20120417
GData     Trojan.Generic.KDV.503006     20120417
Ikarus     Trojan.SuspectCRC     20120417
Jiangmin     TrojanSpy.Agent.uzc     20120417
K7AntiVirus     Riskware     20120416
Kaspersky     Trojan-Spy.Win32.Agent.bwtk     20120417
McAfee     Artemis!6C8F9658A390     20120416
McAfee-GW-Edition     -     20120417
Microsoft     Trojan:Win32/Meredrop     20120417
NOD32     a variant of Win32/CsNowDown.C     20120417
Norman     W32/Troj_Generic.ASBJ     20120416
nProtect     Trojan/W32.Agent.77312.VC     20120417
Panda     Generic Trojan     20120416
PCTools     Downloader.Darkmegi     20120417
Sophos     Mal/Packer     20120417
SUPERAntiSpyware     -     20120402
Symantec     Downloader.Darkmegi     20120417
TrendMicro     Cryp_Yodap     20120417
TrendMicro-HouseCall     Cryp_Yodap     20120417
VBA32     TrojanSpy.Agent.bwtk     20120416
VIPRE     Trojan-Spy.Win32.Agent


  1. Sample Mila =) MD5:6c8f9658a390c24a9f4551dc15063927

  2. A CreateFile on C:\Windows\System32\com32.dll returns (0x00000002) The system cannot find the file specified.

    FindFirstFile seems to be working.

    But GetFileAttributes returns FILE_ATTRIBUTE_ARCHIVE.

    It will not fool antirootkits that parse NTFS and compare with the API.
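The commenter's three-API comparison is a cross-view check: on a clean system CreateFile, FindFirstFile and GetFileAttributes answer consistently for the same path, so disagreement between them is what betrays a hooked call. As an added example (my code, not the commenter's), the Python below makes the three calls through ctypes on Windows and classifies the answers. Two details are assumptions of mine rather than anything in the comment: the error codes for access denied (5) and sharing violation (32) are counted as "the file exists", since a clean but locked file would otherwise look inconsistent, and the default target is the path from the comment. probe_windows() only runs on Windows; classify() is pure and runs anywhere.

```python
"""Cross-view check for a file hidden from some Win32 calls but not others.

Added example, not code from the post or its commenter. The comment reports
that for C:/Windows/System32/com32.dll CreateFile fails with error 2 while
FindFirstFile succeeds and GetFileAttributes returns FILE_ATTRIBUTE_ARCHIVE.
"""
import sys

ERROR_FILE_NOT_FOUND = 2
ERROR_ACCESS_DENIED = 5
ERROR_SHARING_VIOLATION = 32
FILE_ATTRIBUTE_ARCHIVE = 0x20
INVALID_FILE_ATTRIBUTES = 0xFFFFFFFF

# Assumption: these CreateFile failures still prove the object exists.
EXISTS_BUT_UNOPENABLE = {ERROR_ACCESS_DENIED, ERROR_SHARING_VIOLATION}


def classify(create_error, find_found, attributes):
    """Return 'present', 'absent' or 'inconsistent' for one path.

    create_error: Win32 error code from CreateFile, 0 on success.
    find_found:   True if FindFirstFile returned a valid handle.
    attributes:   GetFileAttributes result, or INVALID_FILE_ATTRIBUTES.
    """
    views = {
        "CreateFile": create_error == 0 or create_error in EXISTS_BUT_UNOPENABLE,
        "FindFirstFile": bool(find_found),
        "GetFileAttributes": attributes != INVALID_FILE_ATTRIBUTES,
    }
    if all(views.values()):
        return "present"
    if not any(views.values()):
        return "absent"
    return "inconsistent"  # the views disagree: a hook answered one of them


def probe_windows(path):
    """Make the three calls via ctypes (Windows only) and return their raw answers."""
    import ctypes
    from ctypes import wintypes

    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    GENERIC_READ, FILE_SHARE_READ, FILE_SHARE_WRITE, OPEN_EXISTING = 0x80000000, 1, 2, 3
    INVALID_HANDLE_VALUE = wintypes.HANDLE(-1).value

    k32.CreateFileW.restype = wintypes.HANDLE
    k32.CreateFileW.argtypes = [wintypes.LPCWSTR, wintypes.DWORD, wintypes.DWORD,
                                wintypes.LPVOID, wintypes.DWORD, wintypes.DWORD, wintypes.HANDLE]
    k32.CloseHandle.argtypes = [wintypes.HANDLE]
    k32.FindFirstFileW.restype = wintypes.HANDLE
    k32.FindFirstFileW.argtypes = [wintypes.LPCWSTR, ctypes.POINTER(wintypes.WIN32_FIND_DATAW)]
    k32.FindClose.argtypes = [wintypes.HANDLE]
    k32.GetFileAttributesW.restype = wintypes.DWORD
    k32.GetFileAttributesW.argtypes = [wintypes.LPCWSTR]

    h = k32.CreateFileW(path, GENERIC_READ, FILE_SHARE_READ | FILE_SHARE_WRITE,
                        None, OPEN_EXISTING, 0, None)
    if h == INVALID_HANDLE_VALUE:
        create_error = ctypes.get_last_error()
    else:
        create_error = 0
        k32.CloseHandle(h)

    data = wintypes.WIN32_FIND_DATAW()
    fh = k32.FindFirstFileW(path, ctypes.byref(data))
    find_found = fh != INVALID_HANDLE_VALUE
    if find_found:
        k32.FindClose(fh)

    attrs = k32.GetFileAttributesW(path)
    return create_error, find_found, attrs


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("probe_windows() needs Windows; classify() works anywhere")
    target = sys.argv[1] if len(sys.argv) > 1 else r"C:\Windows\System32\com32.dll"
    err, found, attrs = probe_windows(target)
    print(target, "->", classify(err, found, attrs), (err, found, hex(attrs)))
```

The "inconsistent" verdict is only a lead: the commenter's last point stands, in that a tool which parses NTFS directly and compares with the API sees the same discrepancy without depending on which of the three calls the hook happened to leave alone.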