Sample viewer

vx.netlux.org/Virus.DOS.Knight.1136

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-17T22:56:58.874107195Z	53	PC: 12bce \| Get interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-17T22:56:58.87635423Z	37	PC: 12be0 \| Set interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-17T22:56:58.877346125Z	44	PC: 12c36 \| Get time 0x12c36: push dx 0x12c37: jmp 0x12c94 0x12c3a: mov ah, 0x2c 0x12c3c: int 0x21 0x12c3e: pop cx 0x12c3f: cmp ch, dh 0x12c41: jne 0x12c46 0x12c43: jmp 0x12ca3 0x12c46: cmp cl, dl 0x12c48: jb 0x12c61 0x12c4a: cmp ch, 0x3b 0x12c4d: jne 0x12c57 0x12c4f: cmp dh, 0 0x12c52: ja 0x12c61 0x12c54: jmp 0x12ca3 0x12c57: sub dh, ch 0x12c59: cmp dh, 1 0x12c5c: ja 0x12c61 0x12c5e: jmp 0x12ca3 0x12c61: mov ah, 2
2018-12-17T22:56:58.878912625Z	44	PC: 12c3e \| Get time 0x12c3e: pop cx 0x12c3f: cmp ch, dh 0x12c41: jne 0x12c46 0x12c43: jmp 0x12ca3 0x12c46: cmp cl, dl 0x12c48: jb 0x12c61 0x12c4a: cmp ch, 0x3b 0x12c4d: jne 0x12c57 0x12c4f: cmp dh, 0 0x12c52: ja 0x12c61 0x12c54: jmp 0x12ca3 0x12c57: sub dh, ch 0x12c59: cmp dh, 1 0x12c5c: ja 0x12c61 0x12c5e: jmp 0x12ca3 0x12c61: mov ah, 2 0x12c63: mov di, 0x34d 0x12c66: mov dl, byte ptr [di] 0x12c68: sub dl, 0x10 0x12c6b: inc di
2018-12-17T22:56:58.880478265Z	37	PC: 12b16 \| Set interrupt vector (Interrupt = '3' AKA 'Auxiliary input')
2018-12-17T22:56:58.882000419Z	37	PC: 12b28 \| Set interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-17T22:56:58.882927717Z	48	PC: 12cc1 \| Get DOS version
2018-12-17T22:56:58.884156475Z	42	PC: 12d41 \| Get date 0x12d41: cmp dx, 0x106 0x12d45: je 0x12d4a 0x12d47: jmp 0x12d6e 0x12d4a: mov cx, 0x19 0x12d4d: mov di, 0x3c8 0x12d50: mov ah, byte ptr [di] 0x12d52: cmp ah, 1 0x12d55: jne 0x12d5a 0x12d57: jmp 0x12d63 0x12d5a: mov ah, byte ptr [di] 0x12d5c: ror ah, 1 0x12d5e: mov byte ptr [di], ah 0x12d60: inc di 0x12d61: loop 0x12d5a 0x12d63: mov dx, 0x3c9 0x12d66: mov ah, 9 0x12d68: int 0x21 0x12d6a: jmp 0x12d6e 0x12d6d: add byte ptr [bx + 0x3bc], bh 0x12d71: mov ah, byte ptr [di]
2018-12-17T22:56:58.886143818Z	78	PC: 12dbe \| Find first file
2018-12-17T22:56:58.890582202Z	61	PC: 13996 \| Open file (Filename = 'SLEEP.COM')
2018-12-17T22:56:58.894695238Z	64	PC: 139a6 \| Write file or device (Write 1136 bytes on handle 5)
2018-12-17T22:56:59.058483107Z	62	PC: 139aa \| Close file
2018-12-17T22:56:59.068300652Z	79	PC: 12e22 \| Find next file
2018-12-17T22:56:59.072072114Z	61	PC: 13996 \| Open file (Filename = 'PRINT.COM')
2018-12-17T22:56:59.080356652Z	64	PC: 139a6 \| Write file or device (Write 1136 bytes on handle 5)
2018-12-17T22:56:59.089568316Z	62	PC: 139aa \| Close file
2018-12-17T22:56:59.09973929Z	79	PC: 12e22 \| Find next file
2018-12-17T22:56:59.103750617Z	61	PC: 13996 \| Open file (Filename = 'HELLO.COM')
2018-12-17T22:56:59.111892002Z	64	PC: 139a6 \| Write file or device (Write 1136 bytes on handle 5)
2018-12-17T22:56:59.122026165Z	62	PC: 139aa \| Close file
2018-12-17T22:56:59.132240208Z	79	PC: 12e22 \| Find next file
2018-12-17T22:56:59.137001857Z	61	PC: 13996 \| Open file (Filename = 'PHANG.COM')
2018-12-17T22:56:59.145292642Z	64	PC: 139a6 \| Write file or device (Write 1136 bytes on handle 5)
2018-12-17T22:56:59.155661359Z	62	PC: 139aa \| Close file
2018-12-17T22:56:59.16613175Z	79	PC: 12e22 \| Find next file
2018-12-17T22:56:59.169923638Z	61	PC: 13996 \| Open file (Filename = 'PRINTA~1.COM')
2018-12-17T22:56:59.178679934Z	64	PC: 139a6 \| Write file or device (Write 1136 bytes on handle 5)
2018-12-17T22:56:59.190035841Z	62	PC: 139aa \| Close file
2018-12-17T22:56:59.199734101Z	79	PC: 12e22 \| Find next file
2018-12-17T22:56:59.203558448Z	61	PC: 13996 \| Open file (Filename = 'MANDEL.COM')
2018-12-17T22:56:59.212215734Z	64	PC: 139a6 \| Write file or device (Write 1136 bytes on handle 5)
2018-12-17T22:56:59.222552042Z	62	PC: 139aa \| Close file
2018-12-17T22:56:59.232822742Z	79	PC: 12e22 \| Find next file
2018-12-17T22:56:59.236314838Z	61	PC: 13996 \| Open file (Filename = 'PAH.COM')
2018-12-17T22:56:59.244148555Z	64	PC: 139a6 \| Write file or device (Write 1136 bytes on handle 5)
2018-12-17T22:56:59.253899401Z	62	PC: 139aa \| Close file
2018-12-17T22:56:59.263454097Z	79	PC: 12e22 \| Find next file
2018-12-17T22:56:59.266942461Z	61	PC: 13996 \| Open file (Filename = 'TEST.COM')
2018-12-17T22:56:59.274287622Z	64	PC: 139a6 \| Write file or device (Write 1136 bytes on handle 5)
2018-12-17T22:56:59.283101083Z	62	PC: 139aa \| Close file
2018-12-17T22:56:59.293373684Z	79	PC: 12e22 \| Find next file
2018-12-17T22:56:59.296309003Z	9	PC: 12e2b \| Display string (String= '-KNIGHT- ')

{"DateBased":true,"Day":1,"Month":1,"Year":1980,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":12403,"SideJobID":0}

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-25T12:32:52.879047929Z	53	PC: 12bce \| Get interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T12:32:52.88086188Z	37	PC: 12be0 \| Set interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T12:32:52.886440755Z	44	PC: 12c36 \| Get time 0x12c36: push dx 0x12c37: jmp 0x12c94 0x12c3a: mov ah, 0x2c 0x12c3c: int 0x21 0x12c3e: pop cx 0x12c3f: cmp ch, dh 0x12c41: jne 0x12c46 0x12c43: jmp 0x12ca3 0x12c46: cmp cl, dl 0x12c48: jb 0x12c61 0x12c4a: cmp ch, 0x3b 0x12c4d: jne 0x12c57 0x12c4f: cmp dh, 0 0x12c52: ja 0x12c61 0x12c54: jmp 0x12ca3 0x12c57: sub dh, ch 0x12c59: cmp dh, 1 0x12c5c: ja 0x12c61 0x12c5e: jmp 0x12ca3 0x12c61: mov ah, 2
2018-12-25T12:32:52.888911149Z	44	PC: 12c3e \| Get time 0x12c3e: pop cx 0x12c3f: cmp ch, dh 0x12c41: jne 0x12c46 0x12c43: jmp 0x12ca3 0x12c46: cmp cl, dl 0x12c48: jb 0x12c61 0x12c4a: cmp ch, 0x3b 0x12c4d: jne 0x12c57 0x12c4f: cmp dh, 0 0x12c52: ja 0x12c61 0x12c54: jmp 0x12ca3 0x12c57: sub dh, ch 0x12c59: cmp dh, 1 0x12c5c: ja 0x12c61 0x12c5e: jmp 0x12ca3 0x12c61: mov ah, 2 0x12c63: mov di, 0x34d 0x12c66: mov dl, byte ptr [di] 0x12c68: sub dl, 0x10 0x12c6b: inc di
2018-12-25T12:32:52.891498765Z	37	PC: 12b16 \| Set interrupt vector (Interrupt = '3' AKA 'Auxiliary input')
2018-12-25T12:32:52.893464766Z	37	PC: 12b28 \| Set interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T12:32:52.895815852Z	48	PC: 12cc1 \| Get DOS version
2018-12-25T12:32:52.898509061Z	42	PC: 12d41 \| Get date 0x12d41: cmp dx, 0x106 0x12d45: je 0x12d4a 0x12d47: jmp 0x12d6e 0x12d4a: mov cx, 0x19 0x12d4d: mov di, 0x3c8 0x12d50: mov ah, byte ptr [di] 0x12d52: cmp ah, 1 0x12d55: jne 0x12d5a 0x12d57: jmp 0x12d63 0x12d5a: mov ah, byte ptr [di] 0x12d5c: ror ah, 1 0x12d5e: mov byte ptr [di], ah 0x12d60: inc di 0x12d61: loop 0x12d5a 0x12d63: mov dx, 0x3c9 0x12d66: mov ah, 9 0x12d68: int 0x21 0x12d6a: jmp 0x12d6e 0x12d6d: add byte ptr [bx + 0x3bc], bh 0x12d71: mov ah, byte ptr [di]
2018-12-25T12:32:52.901305325Z	78	PC: 12dbe \| Find first file
2018-12-25T12:32:52.910088835Z	61	PC: 13996 \| Open file (Filename = 'SLEEP.COM')
2018-12-25T12:32:52.917946209Z	64	PC: 139a6 \| Write file or device (Write 1136 bytes on handle 5)
2018-12-25T12:32:52.936677367Z	62	PC: 139aa \| Close file
2018-12-25T12:32:52.947528351Z	79	PC: 12e22 \| Find next file
2018-12-25T12:32:52.951647715Z	61	PC: 13996 \| Open file (See above)
2018-12-25T12:32:52.95944518Z	64	PC: 139a6 \| Write file or device (See above)
2018-12-25T12:32:52.969784566Z	62	PC: 139aa \| Close file (See above)
2018-12-25T12:32:52.98107441Z	79	PC: 12e22 \| Find next file (See above)
2018-12-25T12:32:52.984349554Z	61	PC: 13996 \| Open file (See above)
2018-12-25T12:32:52.992753133Z	64	PC: 139a6 \| Write file or device (See above)
2018-12-25T12:32:53.003928469Z	62	PC: 139aa \| Close file (See above)
2018-12-25T12:32:53.013538133Z	79	PC: 12e22 \| Find next file (See above)
2018-12-25T12:32:53.017026231Z	61	PC: 13996 \| Open file (See above)
2018-12-25T12:32:53.032977757Z	64	PC: 139a6 \| Write file or device (See above)
2018-12-25T12:32:53.042864061Z	62	PC: 139aa \| Close file (See above)
2018-12-25T12:32:53.052621861Z	79	PC: 12e22 \| Find next file (See above)
2018-12-25T12:32:53.058313648Z	61	PC: 13996 \| Open file (See above)
2018-12-25T12:32:53.065774014Z	64	PC: 139a6 \| Write file or device (See above)
2018-12-25T12:32:53.077133902Z	62	PC: 139aa \| Close file (See above)
2018-12-25T12:32:53.093194304Z	79	PC: 12e22 \| Find next file (See above)
2018-12-25T12:32:53.096784862Z	61	PC: 13996 \| Open file (See above)
2018-12-25T12:32:53.104373473Z	64	PC: 139a6 \| Write file or device (See above)
2018-12-25T12:32:53.1143582Z	62	PC: 139aa \| Close file (See above)
2018-12-25T12:32:53.123548958Z	79	PC: 12e22 \| Find next file (See above)
2018-12-25T12:32:53.126506098Z	61	PC: 13996 \| Open file (See above)
2018-12-25T12:32:53.133854023Z	64	PC: 139a6 \| Write file or device (See above)
2018-12-25T12:32:53.145018565Z	62	PC: 139aa \| Close file (See above)
2018-12-25T12:32:53.15512005Z	79	PC: 12e22 \| Find next file (See above)
2018-12-25T12:32:53.158925491Z	61	PC: 13996 \| Open file (See above)
2018-12-25T12:32:53.167898859Z	64	PC: 139a6 \| Write file or device (See above)
2018-12-25T12:32:53.177415726Z	62	PC: 139aa \| Close file (See above)
2018-12-25T12:32:53.353759489Z	79	PC: 12e22 \| Find next file (See above)
2018-12-25T12:32:53.357657835Z	9	PC: 12e2b \| Display string (String= '-KNIGHT- ')

{"DateBased":true,"Day":6,"Month":1,"Year":1980,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":12403,"SideJobID":0}

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-25T13:07:19.430477391Z	53	PC: 12bce \| Get interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T13:07:19.432632733Z	37	PC: 12be0 \| Set interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T13:07:19.434366428Z	44	PC: 12c36 \| Get time 0x12c36: push dx 0x12c37: jmp 0x12c94 0x12c3a: mov ah, 0x2c 0x12c3c: int 0x21 0x12c3e: pop cx 0x12c3f: cmp ch, dh 0x12c41: jne 0x12c46 0x12c43: jmp 0x12ca3 0x12c46: cmp cl, dl 0x12c48: jb 0x12c61 0x12c4a: cmp ch, 0x3b 0x12c4d: jne 0x12c57 0x12c4f: cmp dh, 0 0x12c52: ja 0x12c61 0x12c54: jmp 0x12ca3 0x12c57: sub dh, ch 0x12c59: cmp dh, 1 0x12c5c: ja 0x12c61 0x12c5e: jmp 0x12ca3 0x12c61: mov ah, 2
2018-12-25T13:07:19.437813576Z	44	PC: 12c3e \| Get time 0x12c3e: pop cx 0x12c3f: cmp ch, dh 0x12c41: jne 0x12c46 0x12c43: jmp 0x12ca3 0x12c46: cmp cl, dl 0x12c48: jb 0x12c61 0x12c4a: cmp ch, 0x3b 0x12c4d: jne 0x12c57 0x12c4f: cmp dh, 0 0x12c52: ja 0x12c61 0x12c54: jmp 0x12ca3 0x12c57: sub dh, ch 0x12c59: cmp dh, 1 0x12c5c: ja 0x12c61 0x12c5e: jmp 0x12ca3 0x12c61: mov ah, 2 0x12c63: mov di, 0x34d 0x12c66: mov dl, byte ptr [di] 0x12c68: sub dl, 0x10 0x12c6b: inc di
2018-12-25T13:07:19.441411119Z	37	PC: 12b16 \| Set interrupt vector (Interrupt = '3' AKA 'Auxiliary input')
2018-12-25T13:07:19.443098095Z	37	PC: 12b28 \| Set interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T13:07:19.444791408Z	48	PC: 12cc1 \| Get DOS version
2018-12-25T13:07:19.447677865Z	42	PC: 12d41 \| Get date 0x12d41: cmp dx, 0x106 0x12d45: je 0x12d4a 0x12d47: jmp 0x12d6e 0x12d4a: mov cx, 0x19 0x12d4d: mov di, 0x3c8 0x12d50: mov ah, byte ptr [di] 0x12d52: cmp ah, 1 0x12d55: jne 0x12d5a 0x12d57: jmp 0x12d63 0x12d5a: mov ah, byte ptr [di] 0x12d5c: ror ah, 1 0x12d5e: mov byte ptr [di], ah 0x12d60: inc di 0x12d61: loop 0x12d5a 0x12d63: mov dx, 0x3c9 0x12d66: mov ah, 9 0x12d68: int 0x21 0x12d6a: jmp 0x12d6e 0x12d6d: add byte ptr [bx + 0x3bc], bh 0x12d71: mov ah, byte ptr [di]
2018-12-25T13:07:19.451849231Z	9	PC: 12d6a \| Display string (String= 'Aspettami che arrivo ')
2018-12-25T13:07:19.456807448Z	78	PC: 12dbe \| Find first file
2018-12-25T13:07:19.464573005Z	61	PC: 13996 \| Open file (Filename = 'SLEEP.COM')
2018-12-25T13:07:19.473045998Z	64	PC: 139a6 \| Write file or device (Write 1136 bytes on handle 5)
2018-12-25T13:07:21.064559114Z	62	PC: 139aa \| Close file
2018-12-25T13:07:21.075980883Z	79	PC: 12e22 \| Find next file
2018-12-25T13:07:21.091524978Z	61	PC: 13996 \| Open file (See above)
2018-12-25T13:07:21.099033769Z	64	PC: 139a6 \| Write file or device (See above)
2018-12-25T13:07:21.115095155Z	62	PC: 139aa \| Close file (See above)
2018-12-25T13:07:21.130736296Z	79	PC: 12e22 \| Find next file (See above)
2018-12-25T13:07:21.134361873Z	61	PC: 13996 \| Open file (See above)
2018-12-25T13:07:21.142801132Z	64	PC: 139a6 \| Write file or device (See above)
2018-12-25T13:07:21.152957486Z	62	PC: 139aa \| Close file (See above)
2018-12-25T13:07:21.163414195Z	79	PC: 12e22 \| Find next file (See above)
2018-12-25T13:07:21.166930674Z	61	PC: 13996 \| Open file (See above)
2018-12-25T13:07:21.175090093Z	64	PC: 139a6 \| Write file or device (See above)
2018-12-25T13:07:21.185013285Z	62	PC: 139aa \| Close file (See above)
2018-12-25T13:07:21.195246445Z	79	PC: 12e22 \| Find next file (See above)
2018-12-25T13:07:21.206060501Z	61	PC: 13996 \| Open file (See above)
2018-12-25T13:07:21.215597045Z	64	PC: 139a6 \| Write file or device (See above)
2018-12-25T13:07:21.225821239Z	62	PC: 139aa \| Close file (See above)
2018-12-25T13:07:21.236084634Z	79	PC: 12e22 \| Find next file (See above)
2018-12-25T13:07:21.240864808Z	61	PC: 13996 \| Open file (See above)
2018-12-25T13:07:21.248713903Z	64	PC: 139a6 \| Write file or device (See above)
2018-12-25T13:07:21.258553409Z	62	PC: 139aa \| Close file (See above)
2018-12-25T13:07:21.270348668Z	79	PC: 12e22 \| Find next file (See above)
2018-12-25T13:07:21.274262699Z	61	PC: 13996 \| Open file (See above)
2018-12-25T13:07:21.28234581Z	64	PC: 139a6 \| Write file or device (See above)
2018-12-25T13:07:21.293512387Z	62	PC: 139aa \| Close file (See above)
2018-12-25T13:07:21.303529223Z	79	PC: 12e22 \| Find next file (See above)
2018-12-25T13:07:21.307365305Z	61	PC: 13996 \| Open file (See above)
2018-12-25T13:07:21.315544397Z	64	PC: 139a6 \| Write file or device (See above)
2018-12-25T13:07:21.325912808Z	62	PC: 139aa \| Close file (See above)
2018-12-25T13:07:21.335499303Z	79	PC: 12e22 \| Find next file (See above)
2018-12-25T13:07:21.338354584Z	9	PC: 12e2b \| Display string (String= '-KNIGHT- ')