Sample viewer

vx.netlux.org/Virus.DOS.Croatia.1535

.

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-17T22:02:17.641098044Z	42	PC: 12b9d \| Get date 0x12b9d: cmp cx, 0x7c9 0x12ba1: ja 0x12ba8 0x12ba3: cmp dh, 1 0x12ba6: jae 0x12ba8 0x12ba8: mov ah, 0xee 0x12baa: int 0x21 0x12bac: cmp cx, 0x666 0x12bb0: jne 0x12bb5 0x12bb2: jmp 0x12c35 0x12bb5: mov ax, 0x3521 0x12bb8: int 0x21 0x12bba: mov word ptr [0x103], bx 0x12bbe: mov word ptr [0x105], es 0x12bc2: mov ax, 0x3528 0x12bc5: int 0x21 0x12bc7: mov word ptr [0x107], bx 0x12bcb: mov word ptr [0x109], es 0x12bcf: mov ax, 0x3513 0x12bd2: int 0x21 0x12bd4: mov word ptr [0x10b], bx
2018-12-17T22:02:17.64418803Z	238	PC: 12bac \| UNKNOWN!
2018-12-17T22:02:17.645558823Z	53	PC: 12bba \| Get interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-17T22:02:17.646835886Z	53	PC: 12bc7 \| Get interrupt vector (Interrupt = '40' AKA 'Random block write')
2018-12-17T22:02:17.648058319Z	53	PC: 12bd4 \| Get interrupt vector (Interrupt = '19' AKA 'Delete file')
2018-12-17T22:02:17.649685149Z	37	PC: 12c2b \| Set interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-17T22:02:17.651601858Z	37	PC: 12c33 \| Set interrupt vector (Interrupt = '40' AKA 'Random block write')
2018-12-17T22:02:17.653546086Z	75	PC: 12c44 \| Execute program
2018-12-17T22:02:17.656226156Z	9	PC: 12a82 \| Display string (String= 'Goat file (COM). Size=0000014Dh/0000000333d bytes. ')
2018-12-17T22:02:17.66140903Z	76	PC: 12a86 \| Terminate with return code (Return code = '36')

{"DateBased":true,"Day":1,"Month":1,"Year":1980,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":1372,"SideJobID":0}

.

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-25T11:43:27.734447774Z	42	PC: 12b9d \| Get date 0x12b9d: cmp cx, 0x7c9 0x12ba1: ja 0x12ba8 0x12ba3: cmp dh, 1 0x12ba6: jae 0x12ba8 0x12ba8: mov ah, 0xee 0x12baa: int 0x21 0x12bac: cmp cx, 0x666 0x12bb0: jne 0x12bb5 0x12bb2: jmp 0x12c35 0x12bb5: mov ax, 0x3521 0x12bb8: int 0x21 0x12bba: mov word ptr [0x103], bx 0x12bbe: mov word ptr [0x105], es 0x12bc2: mov ax, 0x3528 0x12bc5: int 0x21 0x12bc7: mov word ptr [0x107], bx 0x12bcb: mov word ptr [0x109], es 0x12bcf: mov ax, 0x3513 0x12bd2: int 0x21 0x12bd4: mov word ptr [0x10b], bx
2018-12-25T11:43:27.73731117Z	238	PC: 12bac \| UNKNOWN!
2018-12-25T11:43:27.738154824Z	53	PC: 12bba \| Get interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T11:43:27.739373397Z	53	PC: 12bc7 \| Get interrupt vector (Interrupt = '40' AKA 'Random block write')
2018-12-25T11:43:27.740935916Z	53	PC: 12bd4 \| Get interrupt vector (Interrupt = '19' AKA 'Delete file')
2018-12-25T11:43:27.742107795Z	37	PC: 12c2b \| Set interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T11:43:27.743221163Z	37	PC: 12c33 \| Set interrupt vector (Interrupt = '40' AKA 'Random block write')
2018-12-25T11:43:27.744862374Z	75	PC: 12c44 \| Execute program
2018-12-25T11:43:27.746336091Z	9	PC: 12a82 \| Display string (String= 'Goat file (COM). Size=0000014Dh/0000000333d bytes. ')
2018-12-25T11:43:27.749590359Z	42	PC: 9fba6 \| Get date 0x9fba6: ret 0x9fba7: pushf 0x9fba8: cli 0x9fba9: lcall ptr cs:[0x10b] 0x9fbae: ret 0x9fbaf: jmp 0x9fbb2 0x9fbb2: call 0x9fbea 0x9fbb5: inc di 0x9fbb6: outsw dx, word ptr [si] 0x9fbb7: popaw 0x9fbb8: je 0x9fbda 0x9fbba: imul ebp, dword ptr [si + 0x65], 0x4f432820 0x9fbc2: dec bp 0x9fbc3: sub word ptr [0x5320], bp 0x9fbc7: imul di, word ptr [bp + si + 0x65], 0x303d 0x9fbcc: xor byte ptr [bx + si], dh 0x9fbce: xor byte ptr [bx + si], dh 0x9fbd0: xor word ptr [si], si 0x9fbd2: inc sp 0x9fbd3: push 0x302f
2018-12-25T11:43:27.75533398Z	76	PC: 12a86 \| Terminate with return code (Return code = '36')

{"DateBased":true,"Day":1,"Month":1,"Year":1994,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":1372,"SideJobID":0}

.

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-25T11:43:28.049026251Z	42	PC: 12b9d \| Get date 0x12b9d: cmp cx, 0x7c9 0x12ba1: ja 0x12ba8 0x12ba3: cmp dh, 1 0x12ba6: jae 0x12ba8 0x12ba8: mov ah, 0xee 0x12baa: int 0x21 0x12bac: cmp cx, 0x666 0x12bb0: jne 0x12bb5 0x12bb2: jmp 0x12c35 0x12bb5: mov ax, 0x3521 0x12bb8: int 0x21 0x12bba: mov word ptr [0x103], bx 0x12bbe: mov word ptr [0x105], es 0x12bc2: mov ax, 0x3528 0x12bc5: int 0x21 0x12bc7: mov word ptr [0x107], bx 0x12bcb: mov word ptr [0x109], es 0x12bcf: mov ax, 0x3513 0x12bd2: int 0x21 0x12bd4: mov word ptr [0x10b], bx
2018-12-25T11:43:28.064301633Z	238	PC: 12bac \| UNKNOWN!
2018-12-25T11:43:28.065220834Z	53	PC: 12bba \| Get interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T11:43:28.066541354Z	53	PC: 12bc7 \| Get interrupt vector (Interrupt = '40' AKA 'Random block write')
2018-12-25T11:43:28.067822444Z	53	PC: 12bd4 \| Get interrupt vector (Interrupt = '19' AKA 'Delete file')
2018-12-25T11:43:28.069260492Z	37	PC: 12c2b \| Set interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T11:43:28.070509034Z	37	PC: 12c33 \| Set interrupt vector (Interrupt = '40' AKA 'Random block write')
2018-12-25T11:43:28.07187466Z	75	PC: 12c44 \| Execute program
2018-12-25T11:43:28.074123974Z	9	PC: 12a82 \| Display string (String= 'Goat file (COM). Size=0000014Dh/0000000333d bytes. ')
2018-12-25T11:43:28.077918893Z	42	PC: 9fba6 \| Get date 0x9fba6: ret 0x9fba7: pushf 0x9fba8: cli 0x9fba9: lcall ptr cs:[0x10b] 0x9fbae: ret 0x9fbaf: jmp 0x9fbb2 0x9fbb2: call 0x9fbea 0x9fbb5: inc di 0x9fbb6: outsw dx, word ptr [si] 0x9fbb7: popaw 0x9fbb8: je 0x9fbda 0x9fbba: imul ebp, dword ptr [si + 0x65], 0x4f432820 0x9fbc2: dec bp 0x9fbc3: sub word ptr [0x5320], bp 0x9fbc7: imul di, word ptr [bp + si + 0x65], 0x303d 0x9fbcc: xor byte ptr [bx + si], dh 0x9fbce: xor byte ptr [bx + si], dh 0x9fbd0: xor word ptr [si], si 0x9fbd2: inc sp 0x9fbd3: push 0x302f
2018-12-25T11:43:28.083594058Z	76	PC: 12a86 \| Terminate with return code (Return code = '36')