Sample viewer

vx.netlux.org/Virus.DOS.Shadowbyte.723

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-17T22:55:02.931423484Z	42	PC: 1383a \| Get date 0x1383a: sub dh, 7 0x1383d: jne 0x13842 0x1383f: jmp 0x139f7 0x13842: mov dx, bp 0x13844: add dx, 0x278 0x13848: mov si, dx 0x1384a: mov dx, word ptr [si + 3] 0x1384d: mov word ptr [si], dx 0x1384f: mov dh, byte ptr [si + 5] 0x13852: mov byte ptr [si + 2], dh 0x13855: mov ah, 0x47 0x13857: mov dl, 0 0x13859: mov cx, bp 0x1385b: mov si, cx 0x1385d: add si, 0x2b0 0x13861: int 0x21 0x13863: mov cx, 0x3f 0x13866: mov bx, 0 0x13869: mov si, 0x80 0x1386c: mov ax, bp
2018-12-17T22:55:02.933856646Z	71	PC: 13863 \| Get current directory
2018-12-17T22:55:02.93659185Z	59	PC: 13885 \| Change current directory
2018-12-17T22:55:02.940411731Z	78	PC: 13986 \| Find first file
2018-12-17T22:55:02.951920324Z	61	PC: 138c1 \| Open file (Filename = 'SLEEP.COM')
2018-12-17T22:55:02.958576256Z	66	PC: 13981 \| Move file pointer
2018-12-17T22:55:02.960221007Z	66	PC: 138d7 \| Move file pointer
2018-12-17T22:55:02.962577513Z	63	PC: 138e4 \| Read file or device (Read 5 bytes on handle 5)
2018-12-17T22:55:02.9689029Z	66	PC: 13981 \| Move file pointer
2018-12-17T22:55:02.970197618Z	66	PC: 13981 \| Move file pointer
2018-12-17T22:55:02.972279935Z	66	PC: 13981 \| Move file pointer
2018-12-17T22:55:02.973506225Z	63	PC: 13933 \| Read file or device (Read 3 bytes on handle 5)
2018-12-17T22:55:02.977267132Z	66	PC: 13981 \| Move file pointer
2018-12-17T22:55:02.978850403Z	64	PC: 13941 \| Write file or device (Write 3 bytes on handle 5)
2018-12-17T22:55:02.988804893Z	66	PC: 1394f \| Move file pointer
2018-12-17T22:55:02.990524677Z	64	PC: 1395b \| Write file or device (Write 3 bytes on handle 5)
2018-12-17T22:55:02.992997685Z	64	PC: 13967 \| Write file or device (Write 720 bytes on handle 5)
2018-12-17T22:55:03.01259131Z	87	PC: 13972 \| Get or set file date and time
2018-12-17T22:55:03.01415165Z	62	PC: 13976 \| Close file
2018-12-17T22:55:03.021839555Z	59	PC: 13a70 \| Change current directory
2018-12-17T22:55:03.026316187Z	48	PC: 1369b \| Get DOS version
2018-12-17T22:55:03.027472162Z	9	PC: 136a7 \| Display string (String= ' Incorrect DOS version ')

{"DateBased":true,"Day":1,"Month":1,"Year":1980,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":11761,"SideJobID":0}

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-25T12:31:18.646935754Z	42	PC: 1383a \| Get date 0x1383a: sub dh, 7 0x1383d: jne 0x13842 0x1383f: jmp 0x139f7 0x13842: mov dx, bp 0x13844: add dx, 0x278 0x13848: mov si, dx 0x1384a: mov dx, word ptr [si + 3] 0x1384d: mov word ptr [si], dx 0x1384f: mov dh, byte ptr [si + 5] 0x13852: mov byte ptr [si + 2], dh 0x13855: mov ah, 0x47 0x13857: mov dl, 0 0x13859: mov cx, bp 0x1385b: mov si, cx 0x1385d: add si, 0x2b0 0x13861: int 0x21 0x13863: mov cx, 0x3f 0x13866: mov bx, 0 0x13869: mov si, 0x80 0x1386c: mov ax, bp
2018-12-25T12:31:18.649857441Z	71	PC: 13863 \| Get current directory
2018-12-25T12:31:18.653727922Z	59	PC: 13885 \| Change current directory
2018-12-25T12:31:18.657982948Z	78	PC: 13986 \| Find first file
2018-12-25T12:31:18.664819296Z	61	PC: 138c1 \| Open file (Filename = 'SLEEP.COM')
2018-12-25T12:31:18.67209885Z	66	PC: 13981 \| Move file pointer
2018-12-25T12:31:18.67359669Z	66	PC: 138d7 \| Move file pointer
2018-12-25T12:31:18.675875323Z	63	PC: 138e4 \| Read file or device (Read 5 bytes on handle 5)
2018-12-25T12:31:18.683036664Z	66	PC: 13981 \| Move file pointer (See above)
2018-12-25T12:31:18.684574492Z	66	PC: 13981 \| Move file pointer (See above)
2018-12-25T12:31:18.686134348Z	66	PC: 13981 \| Move file pointer (See above)
2018-12-25T12:31:18.687964122Z	63	PC: 13933 \| Read file or device (Read 3 bytes on handle 5)
2018-12-25T12:31:18.691147198Z	66	PC: 13981 \| Move file pointer (See above)
2018-12-25T12:31:18.692636806Z	64	PC: 13941 \| Write file or device (Write 3 bytes on handle 5)
2018-12-25T12:31:18.695839733Z	66	PC: 1394f \| Move file pointer
2018-12-25T12:31:18.697588823Z	64	PC: 1395b \| Write file or device (Write 3 bytes on handle 5)
2018-12-25T12:31:18.700811743Z	64	PC: 13967 \| Write file or device (Write 720 bytes on handle 5)
2018-12-25T12:31:18.717131725Z	87	PC: 13972 \| Get or set file date and time
2018-12-25T12:31:18.718834666Z	62	PC: 13976 \| Close file
2018-12-25T12:31:18.728315742Z	59	PC: 13a70 \| Change current directory
2018-12-25T12:31:18.733693532Z	48	PC: 1369b \| Get DOS version
2018-12-25T12:31:18.734908885Z	9	PC: 136a7 \| Display string (String= ' Incorrect DOS version ')

{"DateBased":true,"Day":1,"Month":7,"Year":1980,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":11761,"SideJobID":0}

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-25T12:31:18.919680065Z	42	PC: 1383a \| Get date 0x1383a: sub dh, 7 0x1383d: jne 0x13842 0x1383f: jmp 0x139f7 0x13842: mov dx, bp 0x13844: add dx, 0x278 0x13848: mov si, dx 0x1384a: mov dx, word ptr [si + 3] 0x1384d: mov word ptr [si], dx 0x1384f: mov dh, byte ptr [si + 5] 0x13852: mov byte ptr [si + 2], dh 0x13855: mov ah, 0x47 0x13857: mov dl, 0 0x13859: mov cx, bp 0x1385b: mov si, cx 0x1385d: add si, 0x2b0 0x13861: int 0x21 0x13863: mov cx, 0x3f 0x13866: mov bx, 0 0x13869: mov si, 0x80 0x1386c: mov ax, bp
2018-12-25T12:31:18.922205646Z	53	PC: 139fd \| Get interrupt vector (Interrupt = '4' AKA 'Auxiliary output')
2018-12-25T12:31:18.923689734Z	37	PC: 13a09 \| Set interrupt vector (Interrupt = '9' AKA 'Display string')