Sample viewer

vx.netlux.org/Virus.DOS.Coconut.2099

Syscalls:

Time Syscall Op Syscall Name
2018-12-17T22:58:39.891115491Z 43 PC: 15577 | Set date
2018-12-17T22:58:39.895373054Z 42 PC: 155a3 | Get date 0x155a3: cmp dh, 0xc
0x155a6: jne 0x155b5
0x155a8: cmp dl, 0x19
0x155ab: je 0x155b2
0x155ad: cmp dl, 0x1f
0x155b0: jne 0x155b5
0x155b2: call 0x157f7
0x155b5: call 0x15754
0x155b8: call 0x1573e
0x155bb: call 0x1578b
0x155be: call 0x15791
0x155c1: mov ah, 0x4d
0x155c3: inc ah
0x155c5: mov cx, 7
0x155c8: lea dx, word ptr [bp + 0x8b1]
0x155cc: int 0x21
0x155ce: jae 0x155d6
0x155d0: jmp 0x1566a
0x155d3: jmp 0x156a2
0x155d6: cmp word ptr [bp + 0x98d], 0x3e8
2018-12-17T22:58:39.898645125Z 53 PC: 15743 | Get interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-17T22:58:39.900782425Z 37 PC: 15752 | Set interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-17T22:58:39.903137488Z 71 PC: 1579a | Get current directory
2018-12-17T22:58:39.906654518Z 26 PC: 157a1 | Set disk transfer address
2018-12-17T22:58:39.907799108Z 78 PC: 155ce | Find first file
2018-12-17T22:58:39.914357473Z 67 PC: 155fc | Get or set file attributes
2018-12-17T22:58:39.934562875Z 61 PC: 15608 | Open file (Filename = 'TEST.EXE')
2018-12-17T22:58:39.941999975Z 63 PC: 15619 | Read file or device (Read 26 bytes on handle 5)
2018-12-17T22:58:39.945176842Z 67 PC: 157e7 | Get or set file attributes
2018-12-17T22:58:39.957062373Z 87 PC: 157f3 | Get or set file date and time
2018-12-17T22:58:39.958943659Z 62 PC: 157f6 | Close file
2018-12-17T22:58:39.971308191Z 79 PC: 156ab | Find next file
2018-12-17T22:58:39.983306694Z 59 PC: 156b8 | Change current directory
2018-12-17T22:58:39.987987531Z 67 PC: 157e7 | Get or set file attributes
2018-12-17T22:58:39.998867967Z 87 PC: 157f3 | Get or set file date and time
2018-12-17T22:58:40.001224182Z 62 PC: 157f6 | Close file
2018-12-17T22:58:40.003452354Z 79 PC: 156ab | Find next file
2018-12-17T22:58:40.006253299Z 59 PC: 156b8 | Change current directory
2018-12-17T22:58:40.011109355Z 26 PC: 15783 | Set disk transfer address
2018-12-17T22:58:40.022703572Z 59 PC: 1578a | Change current directory
2018-12-17T22:58:40.027229698Z 37 PC: 157ca | Set interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-17T22:58:40.028704819Z 48 PC: 12eee | Get DOS version
2018-12-17T22:58:40.030684283Z 74 PC: 12f48 | Reallocate memory
2018-12-17T22:58:40.033472647Z 48 PC: 12fa0 | Get DOS version
2018-12-17T22:58:40.035380515Z 53 PC: 12fa8 | Get interrupt vector (Interrupt = '0' AKA 'Program terminate')
2018-12-17T22:58:40.050125352Z 37 PC: 12fba | Set interrupt vector (Interrupt = '0' AKA 'Program terminate')
2018-12-17T22:58:40.051478029Z 68 PC: 1303e | I/O control for devices (Set for = '�� �u+�P��PV��P��P��P+�P�Q���+�P�PVV+�P�=�� �F�=��t�+�^_��]�U�츤')
2018-12-17T22:58:40.052946745Z 68 PC: 1303e | I/O control for devices
2018-12-17T22:58:40.058316161Z 68 PC: 1303e | I/O control for devices
2018-12-17T22:58:40.060104802Z 68 PC: 1303e | I/O control for devices
2018-12-17T22:58:40.06224853Z 68 PC: 1303e | I/O control for devices
2018-12-17T22:58:40.067095635Z 67 PC: 14d17 | Get or set file attributes
2018-12-17T22:58:40.090282639Z 67 PC: 14d17 | Get or set file attributes
2018-12-17T22:58:40.097910543Z 67 PC: 14d17 | Get or set file attributes
2018-12-17T22:58:40.110291288Z 64 PC: 13fdc | Write file or device (Write 37 bytes on handle 1)
2018-12-17T22:58:40.116614896Z 37 PC: 130d3 | Set interrupt vector (Interrupt = '0' AKA 'Program terminate')
2018-12-17T22:58:40.118232263Z 76 PC: 130bc | Terminate with return code (Return code = '2')

{"DateBased":true,"Day":31,"Month":12,"Year":1980,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":12947,"SideJobID":0}

Syscalls:

Time Syscall Op Syscall Name
2018-12-25T12:37:03.90242162Z 43 PC: 15577 | Set date
2018-12-25T12:37:03.905579425Z 42 PC: 155a3 | Get date 0x155a3: cmp dh, 0xc
0x155a6: jne 0x155b5
0x155a8: cmp dl, 0x19
0x155ab: je 0x155b2
0x155ad: cmp dl, 0x1f
0x155b0: jne 0x155b5
0x155b2: call 0x157f7
0x155b5: call 0x15754
0x155b8: call 0x1573e
0x155bb: call 0x1578b
0x155be: call 0x15791
0x155c1: mov ah, 0x4d
0x155c3: inc ah
0x155c5: mov cx, 7
0x155c8: lea dx, word ptr [bp + 0x8b1]
0x155cc: int 0x21
0x155ce: jae 0x155d6
0x155d0: jmp 0x1566a
0x155d3: jmp 0x156a2
0x155d6: cmp word ptr [bp + 0x98d], 0x3e8
2018-12-25T12:37:03.911323977Z 9 PC: 1581d | Display string (Could not find end pointer)
2018-12-25T12:37:03.932039969Z 76 PC: 15825 | Terminate with return code (Return code = '0')

{"DateBased":true,"Day":1,"Month":1,"Year":1980,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":12947,"SideJobID":0}

Syscalls:

Time Syscall Op Syscall Name
2018-12-25T12:37:04.323306345Z 43 PC: 15577 | Set date
2018-12-25T12:37:04.326840816Z 42 PC: 155a3 | Get date 0x155a3: cmp dh, 0xc
0x155a6: jne 0x155b5
0x155a8: cmp dl, 0x19
0x155ab: je 0x155b2
0x155ad: cmp dl, 0x1f
0x155b0: jne 0x155b5
0x155b2: call 0x157f7
0x155b5: call 0x15754
0x155b8: call 0x1573e
0x155bb: call 0x1578b
0x155be: call 0x15791
0x155c1: mov ah, 0x4d
0x155c3: inc ah
0x155c5: mov cx, 7
0x155c8: lea dx, word ptr [bp + 0x8b1]
0x155cc: int 0x21
0x155ce: jae 0x155d6
0x155d0: jmp 0x1566a
0x155d3: jmp 0x156a2
0x155d6: cmp word ptr [bp + 0x98d], 0x3e8
2018-12-25T12:37:04.329219858Z 53 PC: 15743 | Get interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-25T12:37:04.330669602Z 37 PC: 15752 | Set interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-25T12:37:04.33305031Z 71 PC: 1579a | Get current directory
2018-12-25T12:37:04.336210636Z 26 PC: 157a1 | Set disk transfer address
2018-12-25T12:37:04.337451217Z 78 PC: 155ce | Find first file
2018-12-25T12:37:04.344482267Z 67 PC: 155fc | Get or set file attributes
2018-12-25T12:37:04.362403078Z 61 PC: 15608 | Open file (Filename = 'TEST.EXE')
2018-12-25T12:37:04.369783721Z 63 PC: 15619 | Read file or device (Read 26 bytes on handle 5)
2018-12-25T12:37:04.372919638Z 67 PC: 157e7 | Get or set file attributes
2018-12-25T12:37:04.384998704Z 87 PC: 157f3 | Get or set file date and time
2018-12-25T12:37:04.386836163Z 62 PC: 157f6 | Close file
2018-12-25T12:37:04.391616933Z 79 PC: 156ab | Find next file
2018-12-25T12:37:04.393851719Z 59 PC: 156b8 | Change current directory
2018-12-25T12:37:04.398496516Z 67 PC: 157e7 | Get or set file attributes (See above)
2018-12-25T12:37:04.411991363Z 87 PC: 157f3 | Get or set file date and time (See above)
2018-12-25T12:37:04.414479552Z 62 PC: 157f6 | Close file (See above)
2018-12-25T12:37:04.416213526Z 79 PC: 156ab | Find next file (See above)
2018-12-25T12:37:04.419629247Z 59 PC: 156b8 | Change current directory (See above)
2018-12-25T12:37:04.424775812Z 26 PC: 15783 | Set disk transfer address
2018-12-25T12:37:04.426130806Z 59 PC: 1578a | Change current directory
2018-12-25T12:37:04.430759168Z 37 PC: 157ca | Set interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-25T12:37:04.433069644Z 48 PC: 12eee | Get DOS version
2018-12-25T12:37:04.435840132Z 74 PC: 12f48 | Reallocate memory
2018-12-25T12:37:04.437215816Z 48 PC: 12fa0 | Get DOS version
2018-12-25T12:37:04.440039621Z 53 PC: 12fa8 | Get interrupt vector (Interrupt = '0' AKA 'Program terminate')
2018-12-25T12:37:04.441599647Z 37 PC: 12fba | Set interrupt vector (Interrupt = '0' AKA 'Program terminate')
2018-12-25T12:37:04.443414185Z 68 PC: 1303e | I/O control for devices (Set for = '�� �u+�P��PV��P��P��P+�P�Q���+�P�PVV+�P�=�� �F�=��t�+�^_��]�U�츤')
2018-12-25T12:37:04.445616679Z 68 PC: 1303e | I/O control for devices (See above)
2018-12-25T12:37:04.448684067Z 68 PC: 1303e | I/O control for devices (See above)
2018-12-25T12:37:04.451501316Z 68 PC: 1303e | I/O control for devices (See above)
2018-12-25T12:37:04.454162037Z 68 PC: 1303e | I/O control for devices (See above)
2018-12-25T12:37:04.457079826Z 67 PC: 14d17 | Get or set file attributes
2018-12-25T12:37:04.464132096Z 67 PC: 14d17 | Get or set file attributes (See above)
2018-12-25T12:37:04.471276002Z 67 PC: 14d17 | Get or set file attributes (See above)
2018-12-25T12:37:04.483333073Z 64 PC: 13fdc | Write file or device (Write 37 bytes on handle 1)
2018-12-25T12:37:04.492043942Z 37 PC: 130d3 | Set interrupt vector (Interrupt = '0' AKA 'Program terminate')
2018-12-25T12:37:04.493321227Z 76 PC: 130bc | Terminate with return code (Return code = '2')

{"DateBased":true,"Day":1,"Month":12,"Year":1980,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":12947,"SideJobID":0}

Syscalls:

Time Syscall Op Syscall Name
2018-12-25T12:37:04.373994072Z 43 PC: 15577 | Set date
2018-12-25T12:37:04.377495276Z 42 PC: 155a3 | Get date 0x155a3: cmp dh, 0xc
0x155a6: jne 0x155b5
0x155a8: cmp dl, 0x19
0x155ab: je 0x155b2
0x155ad: cmp dl, 0x1f
0x155b0: jne 0x155b5
0x155b2: call 0x157f7
0x155b5: call 0x15754
0x155b8: call 0x1573e
0x155bb: call 0x1578b
0x155be: call 0x15791
0x155c1: mov ah, 0x4d
0x155c3: inc ah
0x155c5: mov cx, 7
0x155c8: lea dx, word ptr [bp + 0x8b1]
0x155cc: int 0x21
0x155ce: jae 0x155d6
0x155d0: jmp 0x1566a
0x155d3: jmp 0x156a2
0x155d6: cmp word ptr [bp + 0x98d], 0x3e8
2018-12-25T12:37:04.380079113Z 53 PC: 15743 | Get interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-25T12:37:04.396594814Z 37 PC: 15752 | Set interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-25T12:37:04.398309737Z 71 PC: 1579a | Get current directory
2018-12-25T12:37:04.401408435Z 26 PC: 157a1 | Set disk transfer address
2018-12-25T12:37:04.402399994Z 78 PC: 155ce | Find first file
2018-12-25T12:37:04.409378715Z 67 PC: 155fc | Get or set file attributes
2018-12-25T12:37:04.427465506Z 61 PC: 15608 | Open file (Filename = 'TEST.EXE')
2018-12-25T12:37:04.437510679Z 63 PC: 15619 | Read file or device (Read 26 bytes on handle 5)
2018-12-25T12:37:04.442132742Z 67 PC: 157e7 | Get or set file attributes
2018-12-25T12:37:04.454187074Z 87 PC: 157f3 | Get or set file date and time
2018-12-25T12:37:04.455733733Z 62 PC: 157f6 | Close file
2018-12-25T12:37:04.46332037Z 79 PC: 156ab | Find next file
2018-12-25T12:37:04.466148438Z 59 PC: 156b8 | Change current directory
2018-12-25T12:37:04.47067079Z 67 PC: 157e7 | Get or set file attributes (See above)
2018-12-25T12:37:04.484293812Z 87 PC: 157f3 | Get or set file date and time (See above)
2018-12-25T12:37:04.486308986Z 62 PC: 157f6 | Close file (See above)
2018-12-25T12:37:04.487687403Z 79 PC: 156ab | Find next file (See above)
2018-12-25T12:37:04.490874913Z 59 PC: 156b8 | Change current directory (See above)
2018-12-25T12:37:04.495477787Z 26 PC: 15783 | Set disk transfer address
2018-12-25T12:37:04.496568009Z 59 PC: 1578a | Change current directory
2018-12-25T12:37:04.500761038Z 37 PC: 157ca | Set interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-25T12:37:04.502263742Z 48 PC: 12eee | Get DOS version
2018-12-25T12:37:04.503438172Z 74 PC: 12f48 | Reallocate memory
2018-12-25T12:37:04.504714264Z 48 PC: 12fa0 | Get DOS version
2018-12-25T12:37:04.506075587Z 53 PC: 12fa8 | Get interrupt vector (Interrupt = '0' AKA 'Program terminate')
2018-12-25T12:37:04.507301576Z 37 PC: 12fba | Set interrupt vector (Interrupt = '0' AKA 'Program terminate')
2018-12-25T12:37:04.508373893Z 68 PC: 1303e | I/O control for devices (Set for = '�� �u+�P��PV��P��P��P+�P�Q���+�P�PVV+�P�=�� �F�=��t�+�^_��]�U�츤')
2018-12-25T12:37:04.510220382Z 68 PC: 1303e | I/O control for devices (See above)
2018-12-25T12:37:04.511606575Z 68 PC: 1303e | I/O control for devices (See above)
2018-12-25T12:37:04.512829424Z 68 PC: 1303e | I/O control for devices (See above)
2018-12-25T12:37:04.514916136Z 68 PC: 1303e | I/O control for devices (See above)
2018-12-25T12:37:04.516968925Z 67 PC: 14d17 | Get or set file attributes
2018-12-25T12:37:04.523621947Z 67 PC: 14d17 | Get or set file attributes (See above)
2018-12-25T12:37:04.531786593Z 67 PC: 14d17 | Get or set file attributes (See above)
2018-12-25T12:37:04.543747601Z 64 PC: 13fdc | Write file or device (Write 37 bytes on handle 1)
2018-12-25T12:37:04.551105374Z 37 PC: 130d3 | Set interrupt vector (Interrupt = '0' AKA 'Program terminate')
2018-12-25T12:37:04.552492819Z 76 PC: 130bc | Terminate with return code (Return code = '2')

{"DateBased":true,"Day":25,"Month":12,"Year":1980,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":12947,"SideJobID":0}

Syscalls:

Time Syscall Op Syscall Name
2018-12-25T12:37:04.444799237Z 43 PC: 15577 | Set date
2018-12-25T12:37:04.447901843Z 42 PC: 155a3 | Get date 0x155a3: cmp dh, 0xc
0x155a6: jne 0x155b5
0x155a8: cmp dl, 0x19
0x155ab: je 0x155b2
0x155ad: cmp dl, 0x1f
0x155b0: jne 0x155b5
0x155b2: call 0x157f7
0x155b5: call 0x15754
0x155b8: call 0x1573e
0x155bb: call 0x1578b
0x155be: call 0x15791
0x155c1: mov ah, 0x4d
0x155c3: inc ah
0x155c5: mov cx, 7
0x155c8: lea dx, word ptr [bp + 0x8b1]
0x155cc: int 0x21
0x155ce: jae 0x155d6
0x155d0: jmp 0x1566a
0x155d3: jmp 0x156a2
0x155d6: cmp word ptr [bp + 0x98d], 0x3e8
2018-12-25T12:37:04.453414699Z 9 PC: 1581d | Display string (Could not find end pointer)
2018-12-25T12:37:04.473277991Z 76 PC: 15825 | Terminate with return code (Return code = '0')