Sample viewer

vx.netlux.org/Virus.DOS.GeldWash.1819


Syscalls:

Time | Syscall Op | PC | Syscall Name
2018-12-17T21:59:03.867604738Z 75 PC: 13ae8 | Execute program
2018-12-17T21:59:03.870250427Z 53 PC: 13af7 | Get interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-17T21:59:03.872130172Z 37 PC: 13ba2 | Set interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-17T21:59:03.873550934Z 42 PC: 13ba8 | Get date
0x13ba8: cmp dh, 6
0x13bab: jne 0x13bb5
0x13bad: cmp dl, 0xb
0x13bb0: jne 0x13bb5
0x13bb2: call 0x13f19
0x13bb5: mov ax, cs
0x13bb7: sub ax, word ptr [0x11e]
0x13bbb: mov word ptr [0x10c], ax
0x13bbe: mov ax, word ptr [0x126]
0x13bc1: mov word ptr [0x10a], ax
0x13bc4: mov ax, cs
0x13bc6: sub ax, word ptr [0x128]
0x13bca: add ax, word ptr [0x122]
0x13bce: mov word ptr [0x142], ax
0x13bd1: sti
0x13bd2: popf
0x13bd3: pop es
0x13bd4: pop ds
0x13bd5: pop di
0x13bd6: pop si
2018-12-17T21:59:03.876043236Z 9 PC: 12a82 | Display string (String= 'Goat file (EXE). Size=000011A0h/0000004512d bytes. ')
2018-12-17T21:59:03.889168548Z 76 PC: 12a86 | Terminate with return code (Return code = '36')

{"DateBased":true,"Day":1,"Month":1,"Year":1980,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":1003,"SideJobID":0}


Syscalls:

Time | Syscall Op | PC | Syscall Name
2018-12-25T11:42:22.684160808Z 75 PC: 13ae8 | Execute program
2018-12-25T11:42:22.687350879Z 53 PC: 13af7 | Get interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T11:42:22.689212114Z 37 PC: 13ba2 | Set interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T11:42:22.690929992Z 42 PC: 13ba8 | Get date
0x13ba8: cmp dh, 6
0x13bab: jne 0x13bb5
0x13bad: cmp dl, 0xb
0x13bb0: jne 0x13bb5
0x13bb2: call 0x13f19
0x13bb5: mov ax, cs
0x13bb7: sub ax, word ptr [0x11e]
0x13bbb: mov word ptr [0x10c], ax
0x13bbe: mov ax, word ptr [0x126]
0x13bc1: mov word ptr [0x10a], ax
0x13bc4: mov ax, cs
0x13bc6: sub ax, word ptr [0x128]
0x13bca: add ax, word ptr [0x122]
0x13bce: mov word ptr [0x142], ax
0x13bd1: sti
0x13bd2: popf
0x13bd3: pop es
0x13bd4: pop ds
0x13bd5: pop di
0x13bd6: pop si
2018-12-25T11:42:22.694899618Z 9 PC: 12a82 | Display string (String= 'Goat file (EXE). Size=000011A0h/0000004512d bytes. ')
2018-12-25T11:42:22.701591039Z 76 PC: 12a86 | Terminate with return code (Return code = '36')

{"DateBased":true,"Day":1,"Month":6,"Year":1980,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":1003,"SideJobID":0}


Syscalls:

Time | Syscall Op | PC | Syscall Name
2018-12-25T11:42:23.052479066Z 75 PC: 13ae8 | Execute program
2018-12-25T11:42:23.060827305Z 53 PC: 13af7 | Get interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T11:42:23.062105724Z 37 PC: 13ba2 | Set interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T11:42:23.063204864Z 42 PC: 13ba8 | Get date
0x13ba8: cmp dh, 6
0x13bab: jne 0x13bb5
0x13bad: cmp dl, 0xb
0x13bb0: jne 0x13bb5
0x13bb2: call 0x13f19
0x13bb5: mov ax, cs
0x13bb7: sub ax, word ptr [0x11e]
0x13bbb: mov word ptr [0x10c], ax
0x13bbe: mov ax, word ptr [0x126]
0x13bc1: mov word ptr [0x10a], ax
0x13bc4: mov ax, cs
0x13bc6: sub ax, word ptr [0x128]
0x13bca: add ax, word ptr [0x122]
0x13bce: mov word ptr [0x142], ax
0x13bd1: sti
0x13bd2: popf
0x13bd3: pop es
0x13bd4: pop ds
0x13bd5: pop di
0x13bd6: pop si
2018-12-25T11:42:23.065916458Z 9 PC: 12a82 | Display string (String= 'Goat file (EXE). Size=000011A0h/0000004512d bytes. ')
2018-12-25T11:42:23.071285819Z 76 PC: 12a86 | Terminate with return code (Return code = '36')

{"DateBased":true,"Day":11,"Month":6,"Year":1980,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":1003,"SideJobID":0}


Syscalls:

Time | Syscall Op | PC | Syscall Name
2018-12-25T11:42:23.23196453Z 75 PC: 13ae8 | Execute program
2018-12-25T11:42:23.233644073Z 53 PC: 13af7 | Get interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T11:42:23.234753255Z 37 PC: 13ba2 | Set interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T11:42:23.235614202Z 42 PC: 13ba8 | Get date
0x13ba8: cmp dh, 6
0x13bab: jne 0x13bb5
0x13bad: cmp dl, 0xb
0x13bb0: jne 0x13bb5
0x13bb2: call 0x13f19
0x13bb5: mov ax, cs
0x13bb7: sub ax, word ptr [0x11e]
0x13bbb: mov word ptr [0x10c], ax
0x13bbe: mov ax, word ptr [0x126]
0x13bc1: mov word ptr [0x10a], ax
0x13bc4: mov ax, cs
0x13bc6: sub ax, word ptr [0x128]
0x13bca: add ax, word ptr [0x122]
0x13bce: mov word ptr [0x142], ax
0x13bd1: sti
0x13bd2: popf
0x13bd3: pop es
0x13bd4: pop ds
0x13bd5: pop di
0x13bd6: pop si
2018-12-25T11:42:24.253194687Z 9 PC: 140c0 | Display string (String= ' Frs Vaterland ziehen sie ins Feld Wer den Feind mordet, ist ein Held Wie stolz sie auf die Orden sind ! Doch nur Dummk”pfe gehorchen blind ')
2018-12-25T11:42:34.819079295Z 9 PC: 140c0 | Display string (See above)
2018-12-25T11:42:34.829557964Z 9 PC: 12a82 | Display string (String= 'Goat file (EXE). Size=000011A0h/0000004512d bytes. ')
2018-12-25T11:42:34.83436591Z 76 PC: 12a86 | Terminate with return code (Return code = '36')