Pages

Wednesday, April 18, 2012

DarkMegi rootkit - sample (distributed via Blackhole)

Update April 20, 2012 Kimberly wrote an excellent analysis of this sample. Please go to
Stopmalvertising to read

This is a "DarkMegie" rootkit sample, kindly donated by Hendrik Adrian. Just like described in the McAfee article "Darkmegi: This is Not the Rootkit You’re Looking For" by Craig Schmugar, it is anything but quiet and stealthy. In fact, it makes so many system changes that it is hard to cover it all in a quick post.
Indeed, it drops the rootkit components in drivers with the incredible padding to 25MB and generates a lot of traffic. Unfortunately, I did not have time yet to sort out the mess and purpose of all files that this malware creates so I am just posting it here along with sandbox results for you to analyze. If you write a detailed analysis, please share,  I will link to.



File information

Size: 77312
MD5:  6C8F9658A390C24A9F4551DC15063927



Download




Download  (email me if you need the password scheme)  
Download the modified / created files and analysis data
Download pcap


Malware system changes

Sample analysis -by Stopmalvertisin


C:\Windows\System32\drivers\com32.sys                9728           4399b8a60977814197feae67c02a7ac2
C:\Windows\System32\drivers\RCX50E3.tmp        26224256    9f32c51764f579512810b7ab3de1a91a
C:\Windows\System32\drivers\com32.sys              26224256     dd313b92f60bb66d3d613bc49c1ef35e
C:\Windows\System32\com32.dl                           45056            25cfb72df8a30cbb7e6ee852bc31c50f
C:\Windows\System32\RCX5B11.tmp                   31506432     2f00e0927c07bc44d9b79ccbe567f398
C:\Windows\System32\del043.bat                          86               1a1e7855edc0afa6624080d60da8bf44

Traffic
It is as active as a click fraud or DDoS bot but does not fit these categories.
I am not quite sure what it is doing, please look and us know :)


Some of the traffic


[process 8] 65.55.253.27 192.168.254.192 GET
/c.gif?evt=br&rid=4571d83250544049bfc2ee88060f6bc8
&exa=&cts=1334748967640&expac=&fk=W&gp=P&optkey=de
fault&clid=23A3C63D37E16EEA2397C50633E16E45&cp=def
ault&di=340&pi=7317&ps=95101&mk=en-us&pn=US+HPMSFT
3Wdefault&pid=6901517&su=http%3A%2F%2Fwww.msn.com%
2Fdefaultwpe3w.aspx&pageid=690151710&ce=1&hl=cplus
&cm=head%3Ecb1

[process 8] 65.54.81.211 192.168.254.192 GET
/i/87/DEC3F3D671E6CC76B09340612A38.jpg
[process 8] 207.46.193.176 192.168.254.192 GET

/action/MSN_Homepage_Remessaging_111808/nc?a=1
[process 8] 207.46.193.176 192.168.254.192 none

[process 8] 208.44.23.25 192.168.254.192 none

[process 8] 208.44.23.25 192.168.254.192 GET

/b?c1=2&c2=3000001&c7=http%3A%2F%2Fwww.msn.com%2F%
3Focid%3Diehp&c9=&rn=1334748958175

[process 8] 65.55.239.146 192.168.254.192 GET
/c.gif?udc=true&di=340&pi=7317&ps=95101&lng=en-us&
tp=http%3A%2F%2Fwww.msn.com%2Fdefaultwpe3w.aspx&ri
d=4571d83250544049bfc2ee88060f6bc8&rnd=13347489581
76&rf=&scr=1024x768

[process 8] 65.55.239.146 192.168.254.192 GET
/c.gif?udc=true&di=340&pi=7317&ps=95101&lng=en-us&
tp=http%3A%2F%2Fwww.msn.com%2Fdefaultwpe3w.aspx&ri
d=4571d83250544049bfc2ee88060f6bc8&rnd=13347489581
76&rf=&scr=1024x768&MUID=23A3C63D37E16EEA2397C5063
3E16E45&cb=1cd1d576b2f13a0

[process 8] 65.54.81.211 192.168.254.192 GET
/i/5E/4B835E56AC3C8535DB16275B4BAF4.jpg

[process 8] 65.54.80.242 192.168.254.192 GET
/i/BB/756A1C963A72E4AFBC36501B512725.jpg

[process 8] 65.54.81.211 192.168.254.192 GET
/i/E2/F757C6DFF15796123FA81CF7DCCF.jpg

[process 8] 65.55.239.146 192.168.254.192 GET
/c.gif?udc=true&di=340&pi=7317&ps=95101&lng=en-us&
tp=http%3A%2F%2Fwww.msn.com%2Fdefaultwpe3w.aspx&ri
d=4571d83250544049bfc2ee88060f6bc8&rnd=13347489581
76&rf=&scr=1024x768&RedC=c.msn.com&MXFR=23A3C63D37

E16EEA2397C50633E16E45
[process 8] 65.55.239.146 192.168.254.192 none

[process 8] 23.66.231.58 192.168.254.192 GET
/qsonhs.aspx?form=MSN005&q=

[process 8] 23.66.231.58 192.168.254.192 none

[process 8] 65.54.81.185 192.168.254.192 GET
/CIS/77/000/000/000/028/440.swf?fd=www.msn.com

[process 8] 65.54.81.185 192.168.254.192 GET
/CIS/18/000/000/000/024/175.jpg


Automatic scans

Virustotal
SHA256:     a2c176ef3cc343194207e33acc19d5f8cb083a3c387a0404bd8f9d6bd29cfd6f
SHA1:     c1af1fa6937097762824d0db039777ff35577727
MD5:     6c8f9658a390c24a9f4551dc15063927
File size:     75.5 KB ( 77312 bytes )
File name:     DarkMegiSample
File type:     Win32 EXE
Tags:     yoda yodaprot
Detection ratio:     34 / 42
Analysis date:     2012-04-17 08:22:42 UTC ( 1 day, 3 hours ago )
More details
Antivirus     Result     Update
AhnLab-V3     Dropper/Rootkit.77312     20120417
AntiVir     HEUR/Crypted     20120417
Antiy-AVL     Trojan/Win32.Agent.gen     20120417
Avast     Win32:Malware-gen     20120417
AVG     PSW.Agent.ASED     20120417
BitDefender     Trojan.Generic.KDV.503006     20120417
ByteHero     -     20120417
CAT-QuickHeal     TrojanSpy.Agent.bwtk     20120417
ClamAV     PUA.Packed.YodaProt     20120417
Commtouch     W32/Heuristic-210!Eldorado     20120417
Comodo     TrojWare.Win32.TrojanDownloader.Agent.accn     20120417
DrWeb     Trojan.PWS.Gamania.34539     20120417
Emsisoft     Trojan.SuspectCRC!IK     20120417
eSafe     Suspicious File     20120415
eTrust-Vet     -     20120417
F-Prot     W32/Heuristic-210!Eldorado     20120416
F-Secure     Trojan.Generic.KDV.503006     20120417
Fortinet     W32/Agent.BWTK!tr     20120417
GData     Trojan.Generic.KDV.503006     20120417
Ikarus     Trojan.SuspectCRC     20120417
Jiangmin     TrojanSpy.Agent.uzc     20120417
K7AntiVirus     Riskware     20120416
Kaspersky     Trojan-Spy.Win32.Agent.bwtk     20120417
McAfee     Artemis!6C8F9658A390     20120416
McAfee-GW-Edition     -     20120417
Microsoft     Trojan:Win32/Meredrop     20120417
NOD32     a variant of Win32/CsNowDown.C     20120417
Norman     W32/Troj_Generic.ASBJ     20120416
nProtect     Trojan/W32.Agent.77312.VC     20120417
Panda     Generic Trojan     20120416
PCTools     Downloader.Darkmegi     20120417
Sophos     Mal/Packer     20120417
SUPERAntiSpyware     -     20120402
Symantec     Downloader.Darkmegi     20120417
TrendMicro     Cryp_Yodap     20120417
TrendMicro-HouseCall     Cryp_Yodap     20120417
VBA32     TrojanSpy.Agent.bwtk     20120416
VIPRE     Trojan-Spy.Win32.Agent

2 comments:

  1. Sample Mila =) MD5:6c8f9658a390c24a9f4551dc15063927
    com32.sys
    https://www.virustotal.com/file/c6483c1d66f9301dd531a732d739c70616ae486d62a0068a6e812c7f244fe295/analysis/1334825301/
    MD5:5f8022f7fbe17cd815261bcb848b1d9e
    com32.dll
    https://www.virustotal.com/file/9b7fbdb740b772e4f87f5428a093dd31ff656163f8807a4cfc2bf418b93dce06/analysis/1334825338/
    MD5:6e2297863d3d10ae40bd1c0499545f10

    ReplyDelete
  2. A CreateFile on C:\Windows\System32\com32.dll return (0x00000002) The system cannot find the file specified.

    FindFirstFile seem to be working.

    But a GetFileAttributes return FILE_ATTRIBUTE_ARCHIVE

    It will not fool antirootkit that parse ntfs and compare with api.
    :)

    ReplyDelete