Sample viewer

vx.netlux.org/Virus.DOS.GeldWash.1819

.

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-17T21:59:03.867604738Z	75	PC: 13ae8 \| Execute program
2018-12-17T21:59:03.870250427Z	53	PC: 13af7 \| Get interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-17T21:59:03.872130172Z	37	PC: 13ba2 \| Set interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-17T21:59:03.873550934Z	42	PC: 13ba8 \| Get date 0x13ba8: cmp dh, 6 0x13bab: jne 0x13bb5 0x13bad: cmp dl, 0xb 0x13bb0: jne 0x13bb5 0x13bb2: call 0x13f19 0x13bb5: mov ax, cs 0x13bb7: sub ax, word ptr [0x11e] 0x13bbb: mov word ptr [0x10c], ax 0x13bbe: mov ax, word ptr [0x126] 0x13bc1: mov word ptr [0x10a], ax 0x13bc4: mov ax, cs 0x13bc6: sub ax, word ptr [0x128] 0x13bca: add ax, word ptr [0x122] 0x13bce: mov word ptr [0x142], ax 0x13bd1: sti 0x13bd2: popf 0x13bd3: pop es 0x13bd4: pop ds 0x13bd5: pop di 0x13bd6: pop si
2018-12-17T21:59:03.876043236Z	9	PC: 12a82 \| Display string (String= 'Goat file (EXE). Size=000011A0h/0000004512d bytes. ')
2018-12-17T21:59:03.889168548Z	76	PC: 12a86 \| Terminate with return code (Return code = '36')

{"DateBased":true,"Day":1,"Month":1,"Year":1980,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":1003,"SideJobID":0}

.

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-25T11:42:22.684160808Z	75	PC: 13ae8 \| Execute program
2018-12-25T11:42:22.687350879Z	53	PC: 13af7 \| Get interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T11:42:22.689212114Z	37	PC: 13ba2 \| Set interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T11:42:22.690929992Z	42	PC: 13ba8 \| Get date 0x13ba8: cmp dh, 6 0x13bab: jne 0x13bb5 0x13bad: cmp dl, 0xb 0x13bb0: jne 0x13bb5 0x13bb2: call 0x13f19 0x13bb5: mov ax, cs 0x13bb7: sub ax, word ptr [0x11e] 0x13bbb: mov word ptr [0x10c], ax 0x13bbe: mov ax, word ptr [0x126] 0x13bc1: mov word ptr [0x10a], ax 0x13bc4: mov ax, cs 0x13bc6: sub ax, word ptr [0x128] 0x13bca: add ax, word ptr [0x122] 0x13bce: mov word ptr [0x142], ax 0x13bd1: sti 0x13bd2: popf 0x13bd3: pop es 0x13bd4: pop ds 0x13bd5: pop di 0x13bd6: pop si
2018-12-25T11:42:22.694899618Z	9	PC: 12a82 \| Display string (String= 'Goat file (EXE). Size=000011A0h/0000004512d bytes. ')
2018-12-25T11:42:22.701591039Z	76	PC: 12a86 \| Terminate with return code (Return code = '36')

{"DateBased":true,"Day":1,"Month":6,"Year":1980,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":1003,"SideJobID":0}

.

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-25T11:42:23.052479066Z	75	PC: 13ae8 \| Execute program
2018-12-25T11:42:23.060827305Z	53	PC: 13af7 \| Get interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T11:42:23.062105724Z	37	PC: 13ba2 \| Set interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T11:42:23.063204864Z	42	PC: 13ba8 \| Get date 0x13ba8: cmp dh, 6 0x13bab: jne 0x13bb5 0x13bad: cmp dl, 0xb 0x13bb0: jne 0x13bb5 0x13bb2: call 0x13f19 0x13bb5: mov ax, cs 0x13bb7: sub ax, word ptr [0x11e] 0x13bbb: mov word ptr [0x10c], ax 0x13bbe: mov ax, word ptr [0x126] 0x13bc1: mov word ptr [0x10a], ax 0x13bc4: mov ax, cs 0x13bc6: sub ax, word ptr [0x128] 0x13bca: add ax, word ptr [0x122] 0x13bce: mov word ptr [0x142], ax 0x13bd1: sti 0x13bd2: popf 0x13bd3: pop es 0x13bd4: pop ds 0x13bd5: pop di 0x13bd6: pop si
2018-12-25T11:42:23.065916458Z	9	PC: 12a82 \| Display string (String= 'Goat file (EXE). Size=000011A0h/0000004512d bytes. ')
2018-12-25T11:42:23.071285819Z	76	PC: 12a86 \| Terminate with return code (Return code = '36')

{"DateBased":true,"Day":11,"Month":6,"Year":1980,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":1003,"SideJobID":0}

.

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-25T11:42:23.23196453Z	75	PC: 13ae8 \| Execute program
2018-12-25T11:42:23.233644073Z	53	PC: 13af7 \| Get interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T11:42:23.234753255Z	37	PC: 13ba2 \| Set interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T11:42:23.235614202Z	42	PC: 13ba8 \| Get date 0x13ba8: cmp dh, 6 0x13bab: jne 0x13bb5 0x13bad: cmp dl, 0xb 0x13bb0: jne 0x13bb5 0x13bb2: call 0x13f19 0x13bb5: mov ax, cs 0x13bb7: sub ax, word ptr [0x11e] 0x13bbb: mov word ptr [0x10c], ax 0x13bbe: mov ax, word ptr [0x126] 0x13bc1: mov word ptr [0x10a], ax 0x13bc4: mov ax, cs 0x13bc6: sub ax, word ptr [0x128] 0x13bca: add ax, word ptr [0x122] 0x13bce: mov word ptr [0x142], ax 0x13bd1: sti 0x13bd2: popf 0x13bd3: pop es 0x13bd4: pop ds 0x13bd5: pop di 0x13bd6: pop si
2018-12-25T11:42:24.253194687Z	9	PC: 140c0 \| Display string (String= ' F�rs Vaterland ziehen sie ins Feld Wer den Feind mordet, ist ein Held Wie stolz sie auf die Orden sind ! Doch nur Dummk�pfe gehorchen blind ')
2018-12-25T11:42:34.819079295Z	9	PC: 140c0 \| Display string (See above)
2018-12-25T11:42:34.829557964Z	9	PC: 12a82 \| Display string (String= 'Goat file (EXE). Size=000011A0h/0000004512d bytes. ')
2018-12-25T11:42:34.83436591Z	76	PC: 12a86 \| Terminate with return code (Return code = '36')