Sample viewer

vx.netlux.org/Trojan.DOS.MMi.c

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-17T22:58:26.780291257Z	53	PC: 14d7a \| Get interrupt vector (Interrupt = '0' AKA 'Program terminate')
2018-12-17T22:58:26.782906934Z	53	PC: 14d7a \| Get interrupt vector (Interrupt = '2' AKA 'Character output')
2018-12-17T22:58:26.784451698Z	53	PC: 14d7a \| Get interrupt vector (Interrupt = '27' AKA 'Get allocation info for default drive')
2018-12-17T22:58:26.786008334Z	53	PC: 14d7a \| Get interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-17T22:58:26.788665558Z	53	PC: 14d7a \| Get interrupt vector (Interrupt = '35' AKA 'Get file size in records')
2018-12-17T22:58:26.790817493Z	53	PC: 14d7a \| Get interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-17T22:58:26.793053866Z	53	PC: 14d7a \| Get interrupt vector (Interrupt = '52' AKA 'Get InDOS flag pointer')
2018-12-17T22:58:26.795425334Z	53	PC: 14d7a \| Get interrupt vector (Interrupt = '53' AKA 'Get interrupt vector')
2018-12-17T22:58:26.797946412Z	53	PC: 14d7a \| Get interrupt vector (Interrupt = '54' AKA 'Get free disk space')
2018-12-17T22:58:26.800649493Z	53	PC: 14d7a \| Get interrupt vector (Interrupt = '55' AKA 'Get or set switch character')
2018-12-17T22:58:26.802519207Z	53	PC: 14d7a \| Get interrupt vector (Interrupt = '56' AKA 'Get or set country info')
2018-12-17T22:58:26.804348516Z	53	PC: 14d7a \| Get interrupt vector (Interrupt = '57' AKA 'Create subdirectory')
2018-12-17T22:58:26.806613413Z	53	PC: 14d7a \| Get interrupt vector (Interrupt = '58' AKA 'Remove subdirectory')
2018-12-17T22:58:26.810017291Z	53	PC: 14d7a \| Get interrupt vector (Interrupt = '59' AKA 'Change current directory')
2018-12-17T22:58:26.814953709Z	53	PC: 14d7a \| Get interrupt vector (Interrupt = '60' AKA 'Create or truncate file')
2018-12-17T22:58:26.817907662Z	53	PC: 14d7a \| Get interrupt vector (Interrupt = '61' AKA 'Open file')
2018-12-17T22:58:26.820786252Z	53	PC: 14d7a \| Get interrupt vector (Interrupt = '62' AKA 'Close file')
2018-12-17T22:58:26.827061237Z	53	PC: 14d7a \| Get interrupt vector (Interrupt = '63' AKA 'Read file or device')
2018-12-17T22:58:26.828604377Z	53	PC: 14d7a \| Get interrupt vector (Interrupt = '117' AKA 'UNKNOWN!')
2018-12-17T22:58:26.83157972Z	37	PC: 14d8f \| Set interrupt vector (Interrupt = '0' AKA 'Program terminate')
2018-12-17T22:58:26.833055794Z	37	PC: 14d97 \| Set interrupt vector (Interrupt = '35' AKA 'Get file size in records')
2018-12-17T22:58:26.834296496Z	37	PC: 14d9f \| Set interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-17T22:58:26.836211225Z	37	PC: 14da7 \| Set interrupt vector (Interrupt = '63' AKA 'Read file or device')
2018-12-17T22:58:26.838063797Z	68	PC: 15868 \| I/O control for devices (Set for = '')
2018-12-17T22:58:26.91526193Z	37	PC: 14501 \| Set interrupt vector (Interrupt = '27' AKA 'Get allocation info for default drive')
2018-12-17T22:58:26.918345927Z	53	PC: 14c21 \| Get interrupt vector (Interrupt = '1' AKA 'Character input')
2018-12-17T22:58:26.922433249Z	37	PC: 14c3d \| Set interrupt vector (Interrupt = '1' AKA 'Character input')
2018-12-17T22:58:26.924648253Z	53	PC: 14c21 \| Get interrupt vector (Interrupt = '3' AKA 'Auxiliary input')
2018-12-17T22:58:26.926787764Z	37	PC: 14c3d \| Set interrupt vector (Interrupt = '3' AKA 'Auxiliary input')
2018-12-17T22:58:26.928455198Z	53	PC: 14c21 \| Get interrupt vector (Interrupt = '27' AKA 'Get allocation info for default drive')
2018-12-17T22:58:26.930203464Z	37	PC: 14c3d \| Set interrupt vector (Interrupt = '27' AKA 'Get allocation info for default drive')
2018-12-17T22:58:26.932136398Z	51	PC: 14b0f \| Get or set Ctrl-Break
2018-12-17T22:58:26.933741385Z	48	PC: 1558e \| Get DOS version
2018-12-17T22:58:26.935410291Z	67	PC: 14b22 \| Get or set file attributes
2018-12-17T22:58:26.943074707Z	67	PC: 14b49 \| Get or set file attributes
2018-12-17T22:58:26.960966677Z	61	PC: 15440 \| Open file (Filename = 'A:\TEST.EXE')
2018-12-17T22:58:26.969143236Z	63	PC: 15513 \| Read file or device (Read 7612 bytes on handle 5)
2018-12-17T22:58:26.978754381Z	67	PC: 14b49 \| Get or set file attributes
2018-12-17T22:58:26.992615374Z	62	PC: 15490 \| Close file
2018-12-17T22:58:26.995108601Z	48	PC: 1558e \| Get DOS version
2018-12-17T22:58:26.997133186Z	26	PC: 14bc0 \| Set disk transfer address
2018-12-17T22:58:26.999706273Z	78	PC: 14bcc \| Find first file
2018-12-17T22:58:27.006619677Z	26	PC: 14be4 \| Set disk transfer address
2018-12-17T22:58:27.007888903Z	79	PC: 14be9 \| Find next file
2018-12-17T22:58:27.012628902Z	26	PC: 14be4 \| Set disk transfer address
2018-12-17T22:58:27.013917614Z	79	PC: 14be9 \| Find next file
2018-12-17T22:58:27.016867158Z	26	PC: 14be4 \| Set disk transfer address
2018-12-17T22:58:27.01858651Z	79	PC: 14be9 \| Find next file
2018-12-17T22:58:27.021828324Z	26	PC: 14be4 \| Set disk transfer address
2018-12-17T22:58:27.023045371Z	79	PC: 14be9 \| Find next file
2018-12-17T22:58:27.026420144Z	26	PC: 14be4 \| Set disk transfer address
2018-12-17T22:58:27.027684481Z	79	PC: 14be9 \| Find next file
2018-12-17T22:58:27.030935692Z	26	PC: 14be4 \| Set disk transfer address
2018-12-17T22:58:27.033028986Z	79	PC: 14be9 \| Find next file
2018-12-17T22:58:27.036464704Z	26	PC: 14be4 \| Set disk transfer address
2018-12-17T22:58:27.037939256Z	79	PC: 14be9 \| Find next file
2018-12-17T22:58:27.043125904Z	26	PC: 14be4 \| Set disk transfer address
2018-12-17T22:58:27.046021477Z	79	PC: 14be9 \| Find next file
2018-12-17T22:58:27.049433079Z	26	PC: 14be4 \| Set disk transfer address
2018-12-17T22:58:27.051069074Z	79	PC: 14be9 \| Find next file
2018-12-17T22:58:27.055057311Z	26	PC: 14be4 \| Set disk transfer address
2018-12-17T22:58:27.056670353Z	79	PC: 14be9 \| Find next file
2018-12-17T22:58:27.060005161Z	26	PC: 14be4 \| Set disk transfer address
2018-12-17T22:58:27.062247947Z	79	PC: 14be9 \| Find next file
2018-12-17T22:58:27.065273964Z	26	PC: 14be4 \| Set disk transfer address
2018-12-17T22:58:27.066489799Z	79	PC: 14be9 \| Find next file
2018-12-17T22:58:27.0710336Z	26	PC: 14be4 \| Set disk transfer address
2018-12-17T22:58:27.07222531Z	79	PC: 14be9 \| Find next file
2018-12-17T22:58:27.076477603Z	26	PC: 14be4 \| Set disk transfer address
2018-12-17T22:58:27.07907229Z	79	PC: 14be9 \| Find next file
2018-12-17T22:58:27.082315305Z	26	PC: 14be4 \| Set disk transfer address
2018-12-17T22:58:27.084276882Z	79	PC: 14be9 \| Find next file
2018-12-17T22:58:27.094258123Z	44	PC: 14abd \| Get time 0x14abd: xor ah, ah 0x14abf: mov al, dl 0x14ac1: les di, ptr [bp + 6] 0x14ac4: stosw word ptr es:[di], ax 0x14ac5: mov al, dh 0x14ac7: les di, ptr [bp + 0xa] 0x14aca: stosw word ptr es:[di], ax 0x14acb: mov al, cl 0x14acd: les di, ptr [bp + 0xe] 0x14ad0: stosw word ptr es:[di], ax 0x14ad1: mov al, ch 0x14ad3: les di, ptr [bp + 0x12] 0x14ad6: stosw word ptr es:[di], ax 0x14ad7: pop bp 0x14ad8: retf 0x10 0x14adb: push bp 0x14adc: mov bp, sp 0x14ade: mov ch, byte ptr [bp + 0xc] 0x14ae1: mov cl, byte ptr [bp + 0xa] 0x14ae4: mov dh, byte ptr [bp + 8]
2018-12-17T22:58:27.115646104Z	48	PC: 1558e \| Get DOS version
2018-12-17T22:58:27.118297428Z	26	PC: 14bc0 \| Set disk transfer address
2018-12-17T22:58:27.120865775Z	78	PC: 14bcc \| Find first file
2018-12-17T22:58:27.130675303Z	48	PC: 1558e \| Get DOS version
2018-12-17T22:58:27.132420423Z	67	PC: 14b49 \| Get or set file attributes
2018-12-17T22:58:27.148655509Z	61	PC: 15440 \| Open file (Filename = 'A:\TEST.EXE')
2018-12-17T22:58:27.160810966Z	66	PC: 15572 \| Move file pointer
2018-12-17T22:58:27.163296118Z	63	PC: 15513 \| Read file or device (Read 7612 bytes on handle 5)
2018-12-17T22:58:27.176787426Z	66	PC: 15572 \| Move file pointer
2018-12-17T22:58:27.179393795Z	64	PC: 15471 \| Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:58:27.193529875Z	66	PC: 15572 \| Move file pointer
2018-12-17T22:58:27.197395381Z	64	PC: 15513 \| Write file or device (Write 7612 bytes on handle 5)
2018-12-17T22:58:27.212681413Z	62	PC: 15490 \| Close file
2018-12-17T22:58:27.224417301Z	37	PC: 14c3d \| Set interrupt vector (Interrupt = '1' AKA 'Character input')
2018-12-17T22:58:27.226965641Z	37	PC: 14c3d \| Set interrupt vector (Interrupt = '3' AKA 'Auxiliary input')
2018-12-17T22:58:27.228971652Z	37	PC: 14c3d \| Set interrupt vector (Interrupt = '27' AKA 'Get allocation info for default drive')
2018-12-17T22:58:27.231305228Z	53	PC: 14cec \| Get interrupt vector (Interrupt = '0' AKA 'Program terminate')
2018-12-17T22:58:27.233194629Z	37	PC: 14cf5 \| Set interrupt vector (Interrupt = '0' AKA 'Program terminate')
2018-12-17T22:58:27.23534445Z	53	PC: 14cec \| Get interrupt vector (Interrupt = '2' AKA 'Character output')
2018-12-17T22:58:27.237863465Z	37	PC: 14cf5 \| Set interrupt vector (Interrupt = '2' AKA 'Character output')
2018-12-17T22:58:27.241491163Z	53	PC: 14cec \| Get interrupt vector (Interrupt = '27' AKA 'Get allocation info for default drive')
2018-12-17T22:58:27.245447681Z	37	PC: 14cf5 \| Set interrupt vector (Interrupt = '27' AKA 'Get allocation info for default drive')
2018-12-17T22:58:27.247195325Z	53	PC: 14cec \| Get interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-17T22:58:27.249059369Z	37	PC: 14cf5 \| Set interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-17T22:58:27.251849012Z	53	PC: 14cec \| Get interrupt vector (Interrupt = '35' AKA 'Get file size in records')
2018-12-17T22:58:27.253408835Z	37	PC: 14cf5 \| Set interrupt vector (Interrupt = '35' AKA 'Get file size in records')
2018-12-17T22:58:27.254701995Z	53	PC: 14cec \| Get interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-17T22:58:27.257133756Z	37	PC: 14cf5 \| Set interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-17T22:58:27.258607225Z	53	PC: 14cec \| Get interrupt vector (Interrupt = '52' AKA 'Get InDOS flag pointer')
2018-12-17T22:58:27.260273347Z	37	PC: 14cf5 \| Set interrupt vector (Interrupt = '52' AKA 'Get InDOS flag pointer')
2018-12-17T22:58:27.262987178Z	53	PC: 14cec \| Get interrupt vector (Interrupt = '53' AKA 'Get interrupt vector')
2018-12-17T22:58:27.264608225Z	37	PC: 14cf5 \| Set interrupt vector (Interrupt = '53' AKA 'Get interrupt vector')
2018-12-17T22:58:27.266138972Z	53	PC: 14cec \| Get interrupt vector (Interrupt = '54' AKA 'Get free disk space')
2018-12-17T22:58:27.268970594Z	37	PC: 14cf5 \| Set interrupt vector (Interrupt = '54' AKA 'Get free disk space')
2018-12-17T22:58:27.270918766Z	53	PC: 14cec \| Get interrupt vector (Interrupt = '55' AKA 'Get or set switch character')
2018-12-17T22:58:27.272577734Z	37	PC: 14cf5 \| Set interrupt vector (Interrupt = '55' AKA 'Get or set switch character')
2018-12-17T22:58:27.274928342Z	53	PC: 14cec \| Get interrupt vector (Interrupt = '56' AKA 'Get or set country info')
2018-12-17T22:58:27.276895831Z	37	PC: 14cf5 \| Set interrupt vector (Interrupt = '56' AKA 'Get or set country info')
2018-12-17T22:58:27.278472965Z	53	PC: 14cec \| Get interrupt vector (Interrupt = '57' AKA 'Create subdirectory')
2018-12-17T22:58:27.280303355Z	37	PC: 14cf5 \| Set interrupt vector (Interrupt = '57' AKA 'Create subdirectory')
2018-12-17T22:58:27.28271614Z	53	PC: 14cec \| Get interrupt vector (Interrupt = '58' AKA 'Remove subdirectory')
2018-12-17T22:58:27.284285971Z	37	PC: 14cf5 \| Set interrupt vector (Interrupt = '58' AKA 'Remove subdirectory')
2018-12-17T22:58:27.285823722Z	53	PC: 14cec \| Get interrupt vector (Interrupt = '59' AKA 'Change current directory')
2018-12-17T22:58:27.288407047Z	37	PC: 14cf5 \| Set interrupt vector (Interrupt = '59' AKA 'Change current directory')
2018-12-17T22:58:27.289955067Z	53	PC: 14cec \| Get interrupt vector (Interrupt = '60' AKA 'Create or truncate file')
2018-12-17T22:58:27.291522724Z	37	PC: 14cf5 \| Set interrupt vector (Interrupt = '60' AKA 'Create or truncate file')
2018-12-17T22:58:27.294127971Z	53	PC: 14cec \| Get interrupt vector (Interrupt = '61' AKA 'Open file')
2018-12-17T22:58:27.295724862Z	37	PC: 14cf5 \| Set interrupt vector (Interrupt = '61' AKA 'Open file')
2018-12-17T22:58:27.298051144Z	53	PC: 14cec \| Get interrupt vector (Interrupt = '62' AKA 'Close file')
2018-12-17T22:58:27.300646663Z	37	PC: 14cf5 \| Set interrupt vector (Interrupt = '62' AKA 'Close file')
2018-12-17T22:58:27.302230039Z	53	PC: 14cec \| Get interrupt vector (Interrupt = '63' AKA 'Read file or device')
2018-12-17T22:58:27.303819887Z	37	PC: 14cf5 \| Set interrupt vector (Interrupt = '63' AKA 'Read file or device')
2018-12-17T22:58:27.306735037Z	53	PC: 14cec \| Get interrupt vector (Interrupt = '117' AKA 'UNKNOWN!')
2018-12-17T22:58:27.308336377Z	37	PC: 14cf5 \| Set interrupt vector (Interrupt = '117' AKA 'UNKNOWN!')
2018-12-17T22:58:27.310006646Z	48	PC: 1558e \| Get DOS version
2018-12-17T22:58:27.312671074Z	41	PC: 14ca3 \| Parse filename
2018-12-17T22:58:27.314943135Z	41	PC: 14cb1 \| Parse filename
2018-12-17T22:58:27.316798322Z	75	PC: 14cbc \| Execute program
2018-12-17T22:58:27.337050628Z	9	PC: 1bb6c \| Display string (Could not find end pointer)