Sample viewer

vx.netlux.org/Trojan.DOS.April1

.

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-17T22:52:02.937998851Z	42	PC: 13e8e \| Get date 0x13e8e: cmp dh, 4 0x13e91: jb 0x13ee0 0x13e93: cmp dl, 1 0x13e96: jb 0x13ee0 0x13e98: mov ah, 8 0x13e9a: mov dl, 0x80 0x13e9c: int 0x13 0x13e9e: mov byte ptr [si + 0x67], dh 0x13ea1: nop 0x13ea2: and byte ptr [si + 0x67], 0x3f 0x13ea6: nop 0x13ea7: mov byte ptr [si + 0x68], cl 0x13eaa: nop 0x13eab: and byte ptr [si + 0x68], 0x3f 0x13eaf: nop 0x13eb0: mov ch, 0xff 0x13eb2: mov ax, 0xe21 0x13eb5: int 0x10 0x13eb7: inc ch 0x13eb9: mov dh, 0

{"DateBased":true,"Day":1,"Month":1,"Year":1980,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":10752,"SideJobID":0}

.

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-25T12:29:06.239466695Z	42	PC: 13e8e \| Get date 0x13e8e: cmp dh, 4 0x13e91: jb 0x13ee0 0x13e93: cmp dl, 1 0x13e96: jb 0x13ee0 0x13e98: mov ah, 8 0x13e9a: mov dl, 0x80 0x13e9c: int 0x13 0x13e9e: mov byte ptr [si + 0x67], dh 0x13ea1: nop 0x13ea2: and byte ptr [si + 0x67], 0x3f 0x13ea6: nop 0x13ea7: mov byte ptr [si + 0x68], cl 0x13eaa: nop 0x13eab: and byte ptr [si + 0x68], 0x3f 0x13eaf: nop 0x13eb0: mov ch, 0xff 0x13eb2: mov ax, 0xe21 0x13eb5: int 0x10 0x13eb7: inc ch 0x13eb9: mov dh, 0
2018-12-25T12:29:06.24278072Z	81	PC: 1341b \| Get current PSP
2018-12-25T12:29:06.243797847Z	61	PC: 13474 \| Open file (Filename = 'A:\TEST.COM')
2018-12-25T12:29:06.250207122Z	66	PC: 134cf \| Move file pointer
2018-12-25T12:29:06.252011464Z	63	PC: 134e7 \| Read file or device (Read 7 bytes on handle 5)
2018-12-25T12:29:06.254778128Z	66	PC: 1350c \| Move file pointer
2018-12-25T12:29:06.255982769Z	63	PC: 13518 \| Read file or device (Read 26 bytes on handle 5)
2018-12-25T12:29:06.259010415Z	62	PC: 1348a \| Close file
2018-12-25T12:29:06.260916959Z	48	PC: 12b67 \| Get DOS version
2018-12-25T12:29:06.262149759Z	101	PC: 12b88 \| Get extended country info
2018-12-25T12:29:06.266212556Z	2	PC: 12d4c \| Character output (Char = '5b')
2018-12-25T12:29:06.268499989Z	2	PC: 12d52 \| Character output (Char = '20')
2018-12-25T12:29:06.271008331Z	2	PC: 12d5e \| Character output (Char = '2c')
2018-12-25T12:29:06.275135468Z	2	PC: 12d52 \| Character output (See above)
2018-12-25T12:29:06.276807214Z	2	PC: 12d66 \| Character output (Char = '5d')
2018-12-25T12:29:06.278201599Z	2	PC: 12d6c \| Character output (Char = '3f')
2018-12-25T12:29:06.280044171Z	8	PC: 12da4 \| Console input without echo

{"DateBased":true,"Day":1,"Month":4,"Year":1980,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":10752,"SideJobID":0}

.

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-25T12:29:06.513553442Z	42	PC: 13e8e \| Get date 0x13e8e: cmp dh, 4 0x13e91: jb 0x13ee0 0x13e93: cmp dl, 1 0x13e96: jb 0x13ee0 0x13e98: mov ah, 8 0x13e9a: mov dl, 0x80 0x13e9c: int 0x13 0x13e9e: mov byte ptr [si + 0x67], dh 0x13ea1: nop 0x13ea2: and byte ptr [si + 0x67], 0x3f 0x13ea6: nop 0x13ea7: mov byte ptr [si + 0x68], cl 0x13eaa: nop 0x13eab: and byte ptr [si + 0x68], 0x3f 0x13eaf: nop 0x13eb0: mov ch, 0xff 0x13eb2: mov ax, 0xe21 0x13eb5: int 0x10 0x13eb7: inc ch 0x13eb9: mov dh, 0