Sample viewer

vx.netlux.org/Virus.DOS.Mainman.773

.

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-17T23:06:22.031622404Z	26	PC: 12ace \| Set disk transfer address
2018-12-17T23:06:22.034044096Z	71	PC: 12d9b \| Get current directory
2018-12-17T23:06:22.038411018Z	42	PC: 12ad5 \| Get date 0x12ad5: cmp al, 0 0x12ad7: jne 0x12b1c 0x12ad9: push es 0x12ada: mov di, 0x140 0x12add: mov ax, 0xb800 0x12ae0: mov es, ax 0x12ae2: mov ah, 2 0x12ae4: mov al, 0xff 0x12ae6: mov cx, 0x4b0 0x12ae9: rep stosd dword ptr es:[di], eax 0x12aeb: mov di, 0x140 0x12aee: mov al, 0x79 0x12af0: mov cx, 7 0x12af3: mov ah, 0x82 0x12af5: stosw word ptr es:[di], ax 0x12af6: add di, 0xa0 0x12afa: loop 0x12af5 0x12afc: mov cx, 7 0x12aff: sub di, 0xa0 0x12b03: stosw word ptr es:[di], ax
2018-12-17T23:06:22.041150484Z	78	PC: 12d0d \| Find first file
2018-12-17T23:06:22.048020944Z	61	PC: 12d20 \| Open file (Filename = 'SLEEP.COM')
2018-12-17T23:06:22.058380316Z	63	PC: 12d2c \| Read file or device (Read 3 bytes on handle 5)
2018-12-17T23:06:22.065582284Z	66	PC: 12d4c \| Move file pointer
2018-12-17T23:06:22.067449327Z	64	PC: 12d59 \| Write file or device (Write 3 bytes on handle 5)
2018-12-17T23:06:22.079780325Z	66	PC: 12d64 \| Move file pointer
2018-12-17T23:06:22.081352487Z	64	PC: 12d71 \| Write file or device (Write 773 bytes on handle 5)
2018-12-17T23:06:22.352809596Z	62	PC: 12d75 \| Close file
2018-12-17T23:06:22.363125541Z	59	PC: 12d7d \| Change current directory
2018-12-17T23:06:22.37004085Z	59	PC: 12d87 \| Change current directory
2018-12-17T23:06:22.374562702Z	26	PC: 12d90 \| Set disk transfer address
2018-12-17T23:06:22.376694005Z	9	PC: 12a82 \| Display string (String= 'Goat file (COM). Size=00000064h/0000000100d bytes. ')
2018-12-17T23:06:22.382470513Z	76	PC: 12a86 \| Terminate with return code (Return code = '36')

{"DateBased":true,"Day":1,"Month":1,"Year":1980,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":15504,"SideJobID":0}

.

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-25T12:43:40.430079481Z	26	PC: 12ace \| Set disk transfer address
2018-12-25T12:43:40.432244315Z	71	PC: 12d9b \| Get current directory
2018-12-25T12:43:40.4346685Z	42	PC: 12ad5 \| Get date 0x12ad5: cmp al, 0 0x12ad7: jne 0x12b1c 0x12ad9: push es 0x12ada: mov di, 0x140 0x12add: mov ax, 0xb800 0x12ae0: mov es, ax 0x12ae2: mov ah, 2 0x12ae4: mov al, 0xff 0x12ae6: mov cx, 0x4b0 0x12ae9: rep stosd dword ptr es:[di], eax 0x12aeb: mov di, 0x140 0x12aee: mov al, 0x79 0x12af0: mov cx, 7 0x12af3: mov ah, 0x82 0x12af5: stosw word ptr es:[di], ax 0x12af6: add di, 0xa0 0x12afa: loop 0x12af5 0x12afc: mov cx, 7 0x12aff: sub di, 0xa0 0x12b03: stosw word ptr es:[di], ax
2018-12-25T12:43:40.437064991Z	78	PC: 12d0d \| Find first file
2018-12-25T12:43:40.442685619Z	61	PC: 12d20 \| Open file (Filename = 'SLEEP.COM')
2018-12-25T12:43:40.449239428Z	63	PC: 12d2c \| Read file or device (Read 3 bytes on handle 5)
2018-12-25T12:43:40.454994129Z	66	PC: 12d4c \| Move file pointer
2018-12-25T12:43:40.456607191Z	64	PC: 12d59 \| Write file or device (Write 3 bytes on handle 5)
2018-12-25T12:43:40.458986712Z	66	PC: 12d64 \| Move file pointer
2018-12-25T12:43:40.460101772Z	64	PC: 12d71 \| Write file or device (Write 773 bytes on handle 5)
2018-12-25T12:43:40.471590859Z	62	PC: 12d75 \| Close file
2018-12-25T12:43:40.478340249Z	59	PC: 12d7d \| Change current directory
2018-12-25T12:43:40.487022647Z	59	PC: 12d87 \| Change current directory
2018-12-25T12:43:40.488873944Z	26	PC: 12d90 \| Set disk transfer address
2018-12-25T12:43:40.491418892Z	9	PC: 12a82 \| Display string (String= 'Goat file (COM). Size=00000064h/0000000100d bytes. ')
2018-12-25T12:43:40.495921434Z	76	PC: 12a86 \| Terminate with return code (Return code = '36')

{"DateBased":true,"Day":6,"Month":1,"Year":1980,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":15504,"SideJobID":0}

.

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-25T12:43:40.600017284Z	26	PC: 12ace \| Set disk transfer address
2018-12-25T12:43:40.602447813Z	71	PC: 12d9b \| Get current directory
2018-12-25T12:43:40.605281606Z	42	PC: 12ad5 \| Get date 0x12ad5: cmp al, 0 0x12ad7: jne 0x12b1c 0x12ad9: push es 0x12ada: mov di, 0x140 0x12add: mov ax, 0xb800 0x12ae0: mov es, ax 0x12ae2: mov ah, 2 0x12ae4: mov al, 0xff 0x12ae6: mov cx, 0x4b0 0x12ae9: rep stosd dword ptr es:[di], eax 0x12aeb: mov di, 0x140 0x12aee: mov al, 0x79 0x12af0: mov cx, 7 0x12af3: mov ah, 0x82 0x12af5: stosw word ptr es:[di], ax 0x12af6: add di, 0xa0 0x12afa: loop 0x12af5 0x12afc: mov cx, 7 0x12aff: sub di, 0xa0 0x12b03: stosw word ptr es:[di], ax