Sample viewer

vx.netlux.org/Virus.DOS.Kitiara.288

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-17T22:05:18.1112584Z	108	PC: 12a45 \| Extended open/create file
2018-12-17T22:05:18.113457032Z	42	PC: 12a52 \| Get date 0x12a52: cmp dh, 9 0x12a55: jne 0x12a5f 0x12a57: cmp dl, 1 0x12a5a: jne 0x12a5f 0x12a5c: jmp 0x12a65 0x12a5e: nop 0x12a5f: call 0x12b16 0x12a62: jmp 0x12ade 0x12a64: nop 0x12a65: mov ah, 0x4e 0x12a67: mov dx, 0x21c 0x12a6a: mov cl, 0x20 0x12a6c: int 0x21 0x12a6e: jb 0x12a8a 0x12a70: mov ax, 0x3d01 0x12a73: mov dx, 0x9e 0x12a76: int 0x21 0x12a78: xchg ax, bx 0x12a79: mov dx, 0x1de 0x12a7c: mov cx, 0x25
2018-12-17T22:05:18.115600011Z	9	PC: 12b1d \| Display string (String= 'Bad command or filename ')
2018-12-17T22:05:18.120156359Z	53	PC: 12ae3 \| Get interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-17T22:05:18.122354502Z	37	PC: 12af5 \| Set interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-17T22:05:18.123653341Z	49	PC: 12afc \| Terminate and stay resident (Return code = '0' \| Memory size = '34')

{"DateBased":true,"Day":1,"Month":1,"Year":1980,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":1710,"SideJobID":0}

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-25T11:44:05.622082026Z	108	PC: 12a45 \| Extended open/create file
2018-12-25T11:44:05.624088977Z	42	PC: 12a52 \| Get date 0x12a52: cmp dh, 9 0x12a55: jne 0x12a5f 0x12a57: cmp dl, 1 0x12a5a: jne 0x12a5f 0x12a5c: jmp 0x12a65 0x12a5e: nop 0x12a5f: call 0x12b16 0x12a62: jmp 0x12ade 0x12a64: nop 0x12a65: mov ah, 0x4e 0x12a67: mov dx, 0x21c 0x12a6a: mov cl, 0x20 0x12a6c: int 0x21 0x12a6e: jb 0x12a8a 0x12a70: mov ax, 0x3d01 0x12a73: mov dx, 0x9e 0x12a76: int 0x21 0x12a78: xchg ax, bx 0x12a79: mov dx, 0x1de 0x12a7c: mov cx, 0x25
2018-12-25T11:44:05.626281826Z	9	PC: 12b1d \| Display string (String= 'Bad command or filename ')
2018-12-25T11:44:05.630827184Z	53	PC: 12ae3 \| Get interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T11:44:05.632815828Z	37	PC: 12af5 \| Set interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T11:44:05.633936023Z	49	PC: 12afc \| Terminate and stay resident (Return code = '0' \| Memory size = '34')

{"DateBased":true,"Day":1,"Month":9,"Year":1980,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":1710,"SideJobID":0}

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-25T11:44:06.512843205Z	108	PC: 12a45 \| Extended open/create file
2018-12-25T11:44:06.516157315Z	42	PC: 12a52 \| Get date 0x12a52: cmp dh, 9 0x12a55: jne 0x12a5f 0x12a57: cmp dl, 1 0x12a5a: jne 0x12a5f 0x12a5c: jmp 0x12a65 0x12a5e: nop 0x12a5f: call 0x12b16 0x12a62: jmp 0x12ade 0x12a64: nop 0x12a65: mov ah, 0x4e 0x12a67: mov dx, 0x21c 0x12a6a: mov cl, 0x20 0x12a6c: int 0x21 0x12a6e: jb 0x12a8a 0x12a70: mov ax, 0x3d01 0x12a73: mov dx, 0x9e 0x12a76: int 0x21 0x12a78: xchg ax, bx 0x12a79: mov dx, 0x1de 0x12a7c: mov cx, 0x25
2018-12-25T11:44:06.519742562Z	78	PC: 12a6e \| Find first file
2018-12-25T11:44:06.526806385Z	61	PC: 12a78 \| Open file (Filename = 'SLEEP.COM')
2018-12-25T11:44:06.534432316Z	64	PC: 12b15 \| Write file or device (Write 37 bytes on handle 5)
2018-12-25T11:44:06.544685537Z	62	PC: 12a86 \| Close file
2018-12-25T11:44:06.564296052Z	79	PC: 12a6e \| Find next file (See above)
2018-12-25T11:44:06.567568245Z	61	PC: 12a78 \| Open file (See above)
2018-12-25T11:44:06.57651956Z	64	PC: 12b15 \| Write file or device (See above)
2018-12-25T11:44:06.587060893Z	62	PC: 12a86 \| Close file (See above)
2018-12-25T11:44:06.60388593Z	79	PC: 12a6e \| Find next file (See above)
2018-12-25T11:44:06.610043632Z	61	PC: 12a78 \| Open file (See above)
2018-12-25T11:44:06.62450007Z	64	PC: 12b15 \| Write file or device (See above)
2018-12-25T11:44:06.632765707Z	62	PC: 12a86 \| Close file (See above)
2018-12-25T11:44:06.642368092Z	79	PC: 12a6e \| Find next file (See above)
2018-12-25T11:44:06.645478043Z	61	PC: 12a78 \| Open file (See above)
2018-12-25T11:44:06.652820017Z	64	PC: 12b15 \| Write file or device (See above)
2018-12-25T11:44:06.660466079Z	62	PC: 12a86 \| Close file (See above)
2018-12-25T11:44:06.669497364Z	79	PC: 12a6e \| Find next file (See above)
2018-12-25T11:44:06.673903479Z	61	PC: 12a78 \| Open file (See above)
2018-12-25T11:44:06.681525195Z	64	PC: 12b15 \| Write file or device (See above)
2018-12-25T11:44:06.694169148Z	62	PC: 12a86 \| Close file (See above)
2018-12-25T11:44:06.702758459Z	79	PC: 12a6e \| Find next file (See above)
2018-12-25T11:44:06.705918957Z	61	PC: 12a78 \| Open file (See above)
2018-12-25T11:44:06.714418016Z	64	PC: 12b15 \| Write file or device (See above)
2018-12-25T11:44:06.722353576Z	62	PC: 12a86 \| Close file (See above)
2018-12-25T11:44:06.730143902Z	79	PC: 12a6e \| Find next file (See above)
2018-12-25T11:44:06.733825245Z	61	PC: 12a78 \| Open file (See above)
2018-12-25T11:44:06.738999813Z	64	PC: 12b15 \| Write file or device (See above)
2018-12-25T11:44:06.74380604Z	62	PC: 12a86 \| Close file (See above)
2018-12-25T11:44:06.749591203Z	79	PC: 12a6e \| Find next file (See above)
2018-12-25T11:44:06.75195683Z	61	PC: 12a78 \| Open file (See above)
2018-12-25T11:44:06.760428675Z	64	PC: 12b15 \| Write file or device (See above)
2018-12-25T11:44:06.765622824Z	62	PC: 12a86 \| Close file (See above)
2018-12-25T11:44:06.779554052Z	79	PC: 12a6e \| Find next file (See above)
2018-12-25T11:44:06.783492168Z	61	PC: 12a78 \| Open file (See above)
2018-12-25T11:44:06.791162179Z	64	PC: 12b15 \| Write file or device (See above)
2018-12-25T11:44:06.799550998Z	62	PC: 12a86 \| Close file (See above)
2018-12-25T11:44:06.809186621Z	79	PC: 12a6e \| Find next file (See above)
2018-12-25T11:44:06.811872661Z	9	PC: 12b1d \| Display string (String= 'Kitiara 1.0 Coder: The Exectioner Bad command or filename ')
2018-12-25T11:44:06.821415638Z	53	PC: 12ae3 \| Get interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T11:44:06.823346313Z	37	PC: 12af5 \| Set interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T11:44:06.825140331Z	49	PC: 12afc \| Terminate and stay resident (Return code = '0' \| Memory size = '34')

{"DateBased":true,"Day":2,"Month":9,"Year":1980,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":1710,"SideJobID":0}

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-25T11:44:07.240548984Z	108	PC: 12a45 \| Extended open/create file
2018-12-25T11:44:07.241966328Z	42	PC: 12a52 \| Get date 0x12a52: cmp dh, 9 0x12a55: jne 0x12a5f 0x12a57: cmp dl, 1 0x12a5a: jne 0x12a5f 0x12a5c: jmp 0x12a65 0x12a5e: nop 0x12a5f: call 0x12b16 0x12a62: jmp 0x12ade 0x12a64: nop 0x12a65: mov ah, 0x4e 0x12a67: mov dx, 0x21c 0x12a6a: mov cl, 0x20 0x12a6c: int 0x21 0x12a6e: jb 0x12a8a 0x12a70: mov ax, 0x3d01 0x12a73: mov dx, 0x9e 0x12a76: int 0x21 0x12a78: xchg ax, bx 0x12a79: mov dx, 0x1de 0x12a7c: mov cx, 0x25
2018-12-25T11:44:07.244683863Z	9	PC: 12b1d \| Display string (String= 'Bad command or filename ')
2018-12-25T11:44:07.24891018Z	53	PC: 12ae3 \| Get interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T11:44:07.251198752Z	37	PC: 12af5 \| Set interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T11:44:07.253768837Z	49	PC: 12afc \| Terminate and stay resident (Return code = '0' \| Memory size = '34')