Sample viewer

vx.netlux.org/Virus.DOS.SecretForm.868

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-17T22:58:42.023184523Z	42	PC: 12c6a \| Get date 0x12c6a: cmp dx, 0xb0b 0x12c6e: je 0x12c7a 0x12c70: cmp byte ptr [2], 0xae 0x12c75: jge 0x12c7a 0x12c77: jmp 0x12e11 0x12c7a: push ds 0x12c7b: mov ds, word ptr [0x396] 0x12c7f: xor si, si 0x12c81: mov ax, word ptr [si + 0x2c] 0x12c84: mov ds, ax 0x12c86: pop es 0x12c87: mov di, 0x4dc 0x12c8a: lodsb al, byte ptr [si] 0x12c8b: cmp al, 0 0x12c8d: jne 0x12c8a 0x12c8f: lodsb al, byte ptr [si] 0x12c90: cmp al, 0 0x12c92: jne 0x12c8a 0x12c94: add si, 2 0x12c97: lodsb al, byte ptr [si]
2018-12-17T22:58:42.02597365Z	53	PC: 12e17 \| Get interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-17T22:58:42.027368382Z	37	PC: 12e27 \| Set interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-17T22:58:42.028517237Z	47	PC: 12e2b \| Get disk transfer address
2018-12-17T22:58:42.030017111Z	71	PC: 12e3f \| Get current directory
2018-12-17T22:58:42.033135599Z	26	PC: 12ceb \| Set disk transfer address
2018-12-17T22:58:42.034262243Z	78	PC: 12cf5 \| Find first file
2018-12-17T22:58:42.040835008Z	67	PC: 12cbe \| Get or set file attributes
2018-12-17T22:58:42.059409832Z	61	PC: 12cc3 \| Open file (Filename = 'TEST.EXE')
2018-12-17T22:58:42.066946255Z	63	PC: 12d45 \| Read file or device (Read 28 bytes on handle 5)
2018-12-17T22:58:42.069863407Z	66	PC: 12db9 \| Move file pointer
2018-12-17T22:58:42.072067162Z	64	PC: 12dc3 \| Write file or device (Write 868 bytes on handle 5)
2018-12-17T22:58:42.082004292Z	66	PC: 12de1 \| Move file pointer
2018-12-17T22:58:42.086709318Z	64	PC: 12deb \| Write file or device (Write 28 bytes on handle 5)
2018-12-17T22:58:42.090185664Z	87	PC: 12cd3 \| Get or set file date and time
2018-12-17T22:58:42.092229891Z	62	PC: 12cd7 \| Close file
2018-12-17T22:58:42.100756117Z	67	PC: 12ce3 \| Get or set file attributes
2018-12-17T22:58:42.104402497Z	79	PC: 12e03 \| Find next file
2018-12-17T22:58:42.106186511Z	26	PC: 12e49 \| Set disk transfer address
2018-12-17T22:58:42.10716685Z	78	PC: 12e53 \| Find first file
2018-12-17T22:58:42.111366564Z	59	PC: 12e8b \| Change current directory
2018-12-17T22:58:42.11735875Z	37	PC: 12ea7 \| Set interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-17T22:58:42.118525209Z	26	PC: 12eb5 \| Set disk transfer address
2018-12-17T22:58:42.120111535Z	9	PC: 12a82 \| Display string (String= 'Goat file (EXE). Size=000003E8h/0000001000d bytes. ')
2018-12-17T22:58:42.12467705Z	76	PC: 12a86 \| Terminate with return code (Return code = '36')

{"DateBased":true,"Day":11,"Month":11,"Year":1980,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":12959,"SideJobID":0}

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-25T12:37:04.832007602Z	42	PC: 12c6a \| Get date 0x12c6a: cmp dx, 0xb0b 0x12c6e: je 0x12c7a 0x12c70: cmp byte ptr [2], 0xae 0x12c75: jge 0x12c7a 0x12c77: jmp 0x12e11 0x12c7a: push ds 0x12c7b: mov ds, word ptr [0x396] 0x12c7f: xor si, si 0x12c81: mov ax, word ptr [si + 0x2c] 0x12c84: mov ds, ax 0x12c86: pop es 0x12c87: mov di, 0x4dc 0x12c8a: lodsb al, byte ptr [si] 0x12c8b: cmp al, 0 0x12c8d: jne 0x12c8a 0x12c8f: lodsb al, byte ptr [si] 0x12c90: cmp al, 0 0x12c92: jne 0x12c8a 0x12c94: add si, 2 0x12c97: lodsb al, byte ptr [si]
2018-12-25T12:37:04.834481348Z	67	PC: 12cbe \| Get or set file attributes
2018-12-25T12:37:04.851256213Z	61	PC: 12cc3 \| Open file (Filename = 'A:\TEST.EXE')
2018-12-25T12:37:04.859020623Z	64	PC: 12cae \| Write file or device (Write 174 bytes on handle 5)
2018-12-25T12:37:04.862146313Z	87	PC: 12cd3 \| Get or set file date and time
2018-12-25T12:37:04.863567737Z	62	PC: 12cd7 \| Close file
2018-12-25T12:37:04.877351913Z	67	PC: 12ce3 \| Get or set file attributes
2018-12-25T12:37:04.88228364Z	37	PC: 12ea7 \| Set interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-25T12:37:04.884749357Z	26	PC: 12eb5 \| Set disk transfer address
2018-12-25T12:37:04.885838119Z	9	PC: 12a82 \| Display string (String= 'Goat file (EXE). Size=000003E8h/0000001000d bytes. ')
2018-12-25T12:37:04.891741674Z	76	PC: 12a86 \| Terminate with return code (Return code = '36')

{"DateBased":true,"Day":1,"Month":1,"Year":1980,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":12959,"SideJobID":0}

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-25T12:37:04.902415501Z	42	PC: 12c6a \| Get date 0x12c6a: cmp dx, 0xb0b 0x12c6e: je 0x12c7a 0x12c70: cmp byte ptr [2], 0xae 0x12c75: jge 0x12c7a 0x12c77: jmp 0x12e11 0x12c7a: push ds 0x12c7b: mov ds, word ptr [0x396] 0x12c7f: xor si, si 0x12c81: mov ax, word ptr [si + 0x2c] 0x12c84: mov ds, ax 0x12c86: pop es 0x12c87: mov di, 0x4dc 0x12c8a: lodsb al, byte ptr [si] 0x12c8b: cmp al, 0 0x12c8d: jne 0x12c8a 0x12c8f: lodsb al, byte ptr [si] 0x12c90: cmp al, 0 0x12c92: jne 0x12c8a 0x12c94: add si, 2 0x12c97: lodsb al, byte ptr [si]
2018-12-25T12:37:04.904861246Z	53	PC: 12e17 \| Get interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-25T12:37:04.906178609Z	37	PC: 12e27 \| Set interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-25T12:37:04.908534526Z	47	PC: 12e2b \| Get disk transfer address
2018-12-25T12:37:04.909786835Z	71	PC: 12e3f \| Get current directory
2018-12-25T12:37:04.913133707Z	26	PC: 12ceb \| Set disk transfer address
2018-12-25T12:37:04.91525797Z	78	PC: 12cf5 \| Find first file
2018-12-25T12:37:04.922012047Z	67	PC: 12cbe \| Get or set file attributes
2018-12-25T12:37:04.938871634Z	61	PC: 12cc3 \| Open file (Filename = 'TEST.EXE')
2018-12-25T12:37:04.948101119Z	63	PC: 12d45 \| Read file or device (Read 28 bytes on handle 5)
2018-12-25T12:37:04.95197167Z	66	PC: 12db9 \| Move file pointer
2018-12-25T12:37:04.954663752Z	64	PC: 12dc3 \| Write file or device (Write 868 bytes on handle 5)
2018-12-25T12:37:04.964809727Z	66	PC: 12de1 \| Move file pointer
2018-12-25T12:37:04.96780963Z	64	PC: 12deb \| Write file or device (Write 28 bytes on handle 5)
2018-12-25T12:37:04.971242776Z	87	PC: 12cd3 \| Get or set file date and time
2018-12-25T12:37:04.972937584Z	62	PC: 12cd7 \| Close file
2018-12-25T12:37:04.982774136Z	67	PC: 12ce3 \| Get or set file attributes
2018-12-25T12:37:04.98839588Z	79	PC: 12e03 \| Find next file
2018-12-25T12:37:04.991444832Z	26	PC: 12e49 \| Set disk transfer address
2018-12-25T12:37:04.994080535Z	78	PC: 12e53 \| Find first file
2018-12-25T12:37:04.999150199Z	59	PC: 12e8b \| Change current directory
2018-12-25T12:37:05.004251997Z	37	PC: 12ea7 \| Set interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-25T12:37:05.006436929Z	26	PC: 12eb5 \| Set disk transfer address
2018-12-25T12:37:05.008605951Z	9	PC: 12a82 \| Display string (String= 'Goat file (EXE). Size=000003E8h/0000001000d bytes. ')
2018-12-25T12:37:05.015717031Z	76	PC: 12a86 \| Terminate with return code (Return code = '36')