Sample viewer

vx.netlux.org/Virus.DOS.Avalanche.2908

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-17T22:58:54.035763871Z	48	PC: 13a29 \| Get DOS version
2018-12-17T22:58:54.038646589Z	48	PC: 13a6c \| Get DOS version
2018-12-17T22:58:54.040946091Z	14	PC: 13a8e \| Set default drive (Drive = 'î')
2018-12-17T22:58:54.042746324Z	78	PC: 13a9f \| Find first file
2018-12-17T22:58:54.049599234Z	78	PC: 13aac \| Find first file
2018-12-17T22:58:54.057292073Z	75	PC: 13ac1 \| Execute program
2018-12-17T22:58:54.059309595Z	74	PC: 13b1b \| Reallocate memory
2018-12-17T22:58:54.06114277Z	88	PC: 13b42 \| case 0xGet or set allocation strateg:
2018-12-17T22:58:54.063557799Z	88	PC: 13b53 \| case 0xGet or set allocation strateg:
2018-12-17T22:58:54.065258155Z	88	PC: 13b5b \| case 0xGet or set allocation strateg:
2018-12-17T22:58:54.067155251Z	72	PC: 13b62 \| Allocate memory
2018-12-17T22:58:54.070558327Z	53	PC: 13b80 \| Get interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-17T22:58:54.072221994Z	53	PC: 13b8f \| Get interrupt vector (Interrupt = '19' AKA 'Delete file')
2018-12-17T22:58:54.074036013Z	37	PC: 13bb1 \| Set interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-17T22:58:54.076695732Z	42	PC: 13bbe \| Get date 0x13bbe: add dh, dl 0x13bc0: cmp dh, 0x1a 0x13bc3: jb 0x13bcd 0x13bc5: mov dx, 0x53d 0x13bc8: mov ax, 0x2513 0x13bcb: int 0x21 0x13bcd: push word ptr cs:[bp + 0x126] 0x13bd2: pop es 0x13bd3: mov bx, 0xffff 0x13bd6: mov ah, 0x4a 0x13bd8: int 0x21 0x13bda: mov ah, 0x4a 0x13bdc: int 0x21 0x13bde: mov bl, byte ptr cs:[bp + 0x140] 0x13be3: xor bh, bh 0x13be5: mov ax, 0x5803 0x13be8: int 0x21 0x13bea: mov bx, word ptr cs:[bp + 0x13e] 0x13bef: mov ax, 0x5801 0x13bf2: int 0x21
2018-12-17T22:58:54.079571056Z	37	PC: 13bcd \| Set interrupt vector (Interrupt = '19' AKA 'Delete file')
2018-12-17T22:58:54.081336905Z	74	PC: 13bda \| Reallocate memory
2018-12-17T22:58:54.083935589Z	74	PC: 13bde \| Reallocate memory
2018-12-17T22:58:54.086784123Z	88	PC: 13bea \| case 0xGet or set allocation strateg:
2018-12-17T22:58:54.088843824Z	88	PC: 13bf4 \| case 0xGet or set allocation strateg:
2018-12-17T22:58:54.090988485Z	9	PC: 12a86 \| Display string (String= 'Goat file (COM/....). Size=00000FA0h/0000004000d bytes. ')
2018-12-17T22:58:54.099495284Z	48	PC: 12a8f \| Get DOS version
2018-12-17T22:58:54.101332467Z	61	PC: 12b5c \| Open file (Filename = '')
2018-12-17T22:58:54.109628749Z	93	PC: 12afe \| File sharing functions
2018-12-17T22:58:54.114062292Z	9	PC: 12a86 \| Display string (String= 'Size change=0B5Ch/02908d. ')
2018-12-17T22:58:54.118814053Z	76	PC: 12ae3 \| Terminate with return code (Return code = '1')

{"DateBased":true,"Day":1,"Month":1,"Year":1980,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":13042,"SideJobID":0}

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-25T12:37:11.632088387Z	48	PC: 13a29 \| Get DOS version
2018-12-25T12:37:11.634331492Z	48	PC: 13a6c \| Get DOS version
2018-12-25T12:37:11.636232728Z	14	PC: 13a8e \| Set default drive (Drive = 'î')
2018-12-25T12:37:11.63752605Z	78	PC: 13a9f \| Find first file
2018-12-25T12:37:11.645743665Z	78	PC: 13aac \| Find first file
2018-12-25T12:37:11.661590002Z	75	PC: 13ac1 \| Execute program
2018-12-25T12:37:11.663564294Z	74	PC: 13b1b \| Reallocate memory
2018-12-25T12:37:11.665500475Z	88	PC: 13b42 \| case 0xGet or set allocation strateg:
2018-12-25T12:37:11.668116936Z	88	PC: 13b53 \| case 0xGet or set allocation strateg:
2018-12-25T12:37:11.669554683Z	88	PC: 13b5b \| case 0xGet or set allocation strateg:
2018-12-25T12:37:11.67119418Z	72	PC: 13b62 \| Allocate memory
2018-12-25T12:37:11.674913917Z	53	PC: 13b80 \| Get interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T12:37:11.676626724Z	53	PC: 13b8f \| Get interrupt vector (Interrupt = '19' AKA 'Delete file')
2018-12-25T12:37:11.67853823Z	37	PC: 13bb1 \| Set interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T12:37:11.680871224Z	42	PC: 13bbe \| Get date 0x13bbe: add dh, dl 0x13bc0: cmp dh, 0x1a 0x13bc3: jb 0x13bcd 0x13bc5: mov dx, 0x53d 0x13bc8: mov ax, 0x2513 0x13bcb: int 0x21 0x13bcd: push word ptr cs:[bp + 0x126] 0x13bd2: pop es 0x13bd3: mov bx, 0xffff 0x13bd6: mov ah, 0x4a 0x13bd8: int 0x21 0x13bda: mov ah, 0x4a 0x13bdc: int 0x21 0x13bde: mov bl, byte ptr cs:[bp + 0x140] 0x13be3: xor bh, bh 0x13be5: mov ax, 0x5803 0x13be8: int 0x21 0x13bea: mov bx, word ptr cs:[bp + 0x13e] 0x13bef: mov ax, 0x5801 0x13bf2: int 0x21
2018-12-25T12:37:11.683317842Z	74	PC: 13bda \| Reallocate memory
2018-12-25T12:37:11.685156572Z	74	PC: 13bde \| Reallocate memory
2018-12-25T12:37:11.687332247Z	88	PC: 13bea \| case 0xGet or set allocation strateg:
2018-12-25T12:37:11.689325803Z	88	PC: 13bf4 \| case 0xGet or set allocation strateg:
2018-12-25T12:37:11.69108971Z	9	PC: 12a86 \| Display string (String= 'Goat file (COM/....). Size=00000FA0h/0000004000d bytes. ')
2018-12-25T12:37:11.697733379Z	48	PC: 12a8f \| Get DOS version
2018-12-25T12:37:11.6991874Z	61	PC: 12b5c \| Open file (Filename = '')
2018-12-25T12:37:11.70643947Z	93	PC: 12afe \| File sharing functions
2018-12-25T12:37:11.7088041Z	9	PC: 12a86 \| Display string (See above)
2018-12-25T12:37:11.714292701Z	76	PC: 12ae3 \| Terminate with return code (Return code = '1')

{"DateBased":true,"Day":25,"Month":1,"Year":1980,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":13042,"SideJobID":0}

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-25T12:37:11.923897867Z	48	PC: 13a29 \| Get DOS version
2018-12-25T12:37:11.925702685Z	48	PC: 13a6c \| Get DOS version
2018-12-25T12:37:11.927398674Z	14	PC: 13a8e \| Set default drive (Drive = 'î')
2018-12-25T12:37:11.928517753Z	78	PC: 13a9f \| Find first file
2018-12-25T12:37:11.934837652Z	78	PC: 13aac \| Find first file
2018-12-25T12:37:11.941810521Z	75	PC: 13ac1 \| Execute program
2018-12-25T12:37:11.943352179Z	74	PC: 13b1b \| Reallocate memory
2018-12-25T12:37:11.946884437Z	88	PC: 13b42 \| case 0xGet or set allocation strateg:
2018-12-25T12:37:11.949490909Z	88	PC: 13b53 \| case 0xGet or set allocation strateg:
2018-12-25T12:37:11.951793299Z	88	PC: 13b5b \| case 0xGet or set allocation strateg:
2018-12-25T12:37:11.954315198Z	72	PC: 13b62 \| Allocate memory
2018-12-25T12:37:11.957586339Z	53	PC: 13b80 \| Get interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T12:37:11.959911282Z	53	PC: 13b8f \| Get interrupt vector (Interrupt = '19' AKA 'Delete file')
2018-12-25T12:37:11.961885587Z	37	PC: 13bb1 \| Set interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T12:37:11.965265317Z	42	PC: 13bbe \| Get date 0x13bbe: add dh, dl 0x13bc0: cmp dh, 0x1a 0x13bc3: jb 0x13bcd 0x13bc5: mov dx, 0x53d 0x13bc8: mov ax, 0x2513 0x13bcb: int 0x21 0x13bcd: push word ptr cs:[bp + 0x126] 0x13bd2: pop es 0x13bd3: mov bx, 0xffff 0x13bd6: mov ah, 0x4a 0x13bd8: int 0x21 0x13bda: mov ah, 0x4a 0x13bdc: int 0x21 0x13bde: mov bl, byte ptr cs:[bp + 0x140] 0x13be3: xor bh, bh 0x13be5: mov ax, 0x5803 0x13be8: int 0x21 0x13bea: mov bx, word ptr cs:[bp + 0x13e] 0x13bef: mov ax, 0x5801 0x13bf2: int 0x21
2018-12-25T12:37:11.968365132Z	37	PC: 13bcd \| Set interrupt vector (Interrupt = '19' AKA 'Delete file')
2018-12-25T12:37:11.970251803Z	74	PC: 13bda \| Reallocate memory
2018-12-25T12:37:11.97424053Z	74	PC: 13bde \| Reallocate memory
2018-12-25T12:37:11.977237926Z	88	PC: 13bea \| case 0xGet or set allocation strateg:
2018-12-25T12:37:11.978746458Z	88	PC: 13bf4 \| case 0xGet or set allocation strateg:
2018-12-25T12:37:11.981063671Z	9	PC: 12a86 \| Display string (String= 'Goat file (COM/....). Size=00000FA0h/0000004000d bytes. ')
2018-12-25T12:37:11.988510515Z	48	PC: 12a8f \| Get DOS version
2018-12-25T12:37:11.989860769Z	61	PC: 12b5c \| Open file (Filename = '')
2018-12-25T12:37:11.997732639Z	93	PC: 12afe \| File sharing functions
2018-12-25T12:37:11.999959291Z	9	PC: 12a86 \| Display string (See above)
2018-12-25T12:37:12.004483125Z	76	PC: 12ae3 \| Terminate with return code (Return code = '1')