Sample viewer

vx.netlux.org/Virus.DOS.Onkelz.527.b

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-17T22:08:14.534302446Z	26	PC: 1329e \| Set disk transfer address
2018-12-17T22:08:14.535926408Z	25	PC: 132ac \| Get default drive
2018-12-17T22:08:14.536902692Z	14	PC: 132b6 \| Set default drive (Drive = 'D')
2018-12-17T22:08:14.538033387Z	78	PC: 132c0 \| Find first file
2018-12-17T22:08:14.544227251Z	61	PC: 132cd \| Open file (Filename = 'SLEEP.COM')
2018-12-17T22:08:14.550606762Z	66	PC: 13397 \| Move file pointer
2018-12-17T22:08:14.551835827Z	62	PC: 132f4 \| Close file
2018-12-17T22:08:14.554123804Z	79	PC: 132c0 \| Find next file
2018-12-17T22:08:14.556506735Z	61	PC: 132cd \| Open file (Filename = 'PRINT.COM')
2018-12-17T22:08:14.562727798Z	66	PC: 13397 \| Move file pointer
2018-12-17T22:08:14.569500624Z	62	PC: 132f4 \| Close file
2018-12-17T22:08:14.571215156Z	79	PC: 132c0 \| Find next file
2018-12-17T22:08:14.573583707Z	61	PC: 132cd \| Open file (Filename = 'HELLO.COM')
2018-12-17T22:08:14.58029868Z	66	PC: 13397 \| Move file pointer
2018-12-17T22:08:14.581868614Z	62	PC: 132f4 \| Close file
2018-12-17T22:08:14.583695542Z	79	PC: 132c0 \| Find next file
2018-12-17T22:08:14.586663716Z	61	PC: 132cd \| Open file (Filename = 'PHANG.COM')
2018-12-17T22:08:14.598651048Z	66	PC: 13397 \| Move file pointer
2018-12-17T22:08:14.600356964Z	62	PC: 132f4 \| Close file
2018-12-17T22:08:14.602435154Z	79	PC: 132c0 \| Find next file
2018-12-17T22:08:14.605304033Z	61	PC: 132cd \| Open file (Filename = 'PRINTA~1.COM')
2018-12-17T22:08:14.612198617Z	66	PC: 13397 \| Move file pointer
2018-12-17T22:08:14.613467009Z	62	PC: 132f4 \| Close file
2018-12-17T22:08:14.616352071Z	79	PC: 132c0 \| Find next file
2018-12-17T22:08:14.61887372Z	61	PC: 132cd \| Open file (Filename = 'MANDEL.COM')
2018-12-17T22:08:14.625118486Z	66	PC: 13397 \| Move file pointer
2018-12-17T22:08:14.626811756Z	62	PC: 132f4 \| Close file
2018-12-17T22:08:14.628464495Z	79	PC: 132c0 \| Find next file
2018-12-17T22:08:14.630842253Z	61	PC: 132cd \| Open file (Filename = 'PAH.COM')
2018-12-17T22:08:14.637587459Z	66	PC: 13397 \| Move file pointer
2018-12-17T22:08:14.638918207Z	62	PC: 132f4 \| Close file
2018-12-17T22:08:14.640570181Z	79	PC: 132c0 \| Find next file
2018-12-17T22:08:14.64412861Z	61	PC: 132cd \| Open file (Filename = 'TEST.COM')
2018-12-17T22:08:14.650330263Z	66	PC: 13397 \| Move file pointer
2018-12-17T22:08:14.651602081Z	87	PC: 132e4 \| Get or set file date and time
2018-12-17T22:08:14.65380314Z	44	PC: 13304 \| Get time 0x13304: or dl, dl 0x13306: je 0x13300 0x13308: mov byte ptr [bp + 0x116], dl 0x1330c: mov ax, 0x4200 0x1330f: call 0x13391 0x13312: mov ah, 0x3f 0x13314: lea dx, word ptr [bp + 0x22c] 0x13318: mov cx, 3 0x1331b: int 0x21 0x1331d: mov ax, 0x4202 0x13320: call 0x13391 0x13323: sub ax, 3 0x13326: mov word ptr cs:[bp + 0x22a], ax 0x1332b: lea si, word ptr [bp + 0x105] 0x1332f: mov di, 0xfcbc 0x13332: mov cx, 0x20f 0x13335: cld 0x13336: rep movsb byte ptr es:[di], byte ptr [si] 0x13338: mov si, 0xfcdf 0x1333b: call 0x23287
2018-12-17T22:08:14.655874492Z	66	PC: 13397 \| Move file pointer
2018-12-17T22:08:14.65716021Z	63	PC: 1331d \| Read file or device (Read 3 bytes on handle 5)
2018-12-17T22:08:14.664695802Z	66	PC: 13397 \| Move file pointer
2018-12-17T22:08:14.666067731Z	64	PC: 13348 \| Write file or device (Write 527 bytes on handle 5)
2018-12-17T22:08:14.680431227Z	66	PC: 13397 \| Move file pointer
2018-12-17T22:08:14.690451521Z	64	PC: 13359 \| Write file or device (Write 3 bytes on handle 5)
2018-12-17T22:08:14.693391536Z	87	PC: 13360 \| Get or set file date and time
2018-12-17T22:08:14.694805188Z	62	PC: 13364 \| Close file
2018-12-17T22:08:14.702731775Z	42	PC: 13368 \| Get date 0x13368: cmp dh, dl 0x1336a: jne 0x1337d 0x1336c: mov ah, 0x2c 0x1336e: int 0x21 0x13370: and dh, 7 0x13373: jne 0x1337d 0x13375: mov ah, 9 0x13377: lea dx, word ptr [bp + 0x235] 0x1337b: int 0x21 0x1337d: mov ah, 0x1a 0x1337f: mov dx, 0x80 0x13382: int 0x21 0x13384: mov ah, 0xe 0x13386: mov dl, byte ptr [bp + 0x314] 0x1338a: int 0x21 0x1338c: mov ax, 0x100 0x1338f: push ax 0x13390: ret 0x13391: xor cx, cx 0x13393: xor dx, dx
2018-12-17T22:08:14.704774533Z	26	PC: 13384 \| Set disk transfer address
2018-12-17T22:08:14.705794735Z	14	PC: 1338c \| Set default drive (Drive = 'A')
2018-12-17T22:08:14.707279235Z	9	PC: 12a86 \| Display string (String= 'Goat file (COM/....). Size=00000834h/0000002100d bytes. ')
2018-12-17T22:08:14.712738765Z	48	PC: 12a8f \| Get DOS version
2018-12-17T22:08:14.713867259Z	61	PC: 12b5c \| Open file (Filename = '')
2018-12-17T22:08:14.720799808Z	93	PC: 12afe \| File sharing functions
2018-12-17T22:08:14.722547288Z	9	PC: 12a86 \| Display string (String= 'Size change=041Eh/01054d. ')
2018-12-17T22:08:14.726370149Z	76	PC: 12ae3 \| Terminate with return code (Return code = '1')

{"DateBased":true,"Day":1,"Month":1,"Year":1980,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":2038,"SideJobID":0}

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-25T11:44:48.318161376Z	26	PC: 1329e \| Set disk transfer address
2018-12-25T11:44:48.320543858Z	25	PC: 132ac \| Get default drive
2018-12-25T11:44:48.322130476Z	14	PC: 132b6 \| Set default drive (Drive = 'D')
2018-12-25T11:44:48.323681783Z	78	PC: 132c0 \| Find first file
2018-12-25T11:44:48.330627545Z	61	PC: 132cd \| Open file (Filename = 'SLEEP.COM')
2018-12-25T11:44:48.338092747Z	66	PC: 13397 \| Move file pointer
2018-12-25T11:44:48.339671753Z	62	PC: 132f4 \| Close file
2018-12-25T11:44:48.341895229Z	79	PC: 132c0 \| Find next file (See above)
2018-12-25T11:44:48.344463282Z	61	PC: 132cd \| Open file (See above)
2018-12-25T11:44:48.355249311Z	66	PC: 13397 \| Move file pointer (See above)
2018-12-25T11:44:48.357253197Z	62	PC: 132f4 \| Close file (See above)
2018-12-25T11:44:48.359241733Z	79	PC: 132c0 \| Find next file (See above)
2018-12-25T11:44:48.361090927Z	61	PC: 132cd \| Open file (See above)
2018-12-25T11:44:48.365377613Z	66	PC: 13397 \| Move file pointer (See above)
2018-12-25T11:44:48.367113268Z	62	PC: 132f4 \| Close file (See above)
2018-12-25T11:44:48.368396385Z	79	PC: 132c0 \| Find next file (See above)
2018-12-25T11:44:48.370355015Z	61	PC: 132cd \| Open file (See above)
2018-12-25T11:44:48.375027812Z	66	PC: 13397 \| Move file pointer (See above)
2018-12-25T11:44:48.37628458Z	62	PC: 132f4 \| Close file (See above)
2018-12-25T11:44:48.37788685Z	79	PC: 132c0 \| Find next file (See above)
2018-12-25T11:44:48.381710781Z	61	PC: 132cd \| Open file (See above)
2018-12-25T11:44:48.388049872Z	66	PC: 13397 \| Move file pointer (See above)
2018-12-25T11:44:48.389484596Z	62	PC: 132f4 \| Close file (See above)
2018-12-25T11:44:48.39187997Z	79	PC: 132c0 \| Find next file (See above)
2018-12-25T11:44:48.394448865Z	61	PC: 132cd \| Open file (See above)
2018-12-25T11:44:48.400799449Z	66	PC: 13397 \| Move file pointer (See above)
2018-12-25T11:44:48.402970788Z	62	PC: 132f4 \| Close file (See above)
2018-12-25T11:44:48.404978053Z	79	PC: 132c0 \| Find next file (See above)
2018-12-25T11:44:48.407770009Z	61	PC: 132cd \| Open file (See above)
2018-12-25T11:44:48.415822245Z	66	PC: 13397 \| Move file pointer (See above)
2018-12-25T11:44:48.417165935Z	62	PC: 132f4 \| Close file (See above)
2018-12-25T11:44:48.418825761Z	79	PC: 132c0 \| Find next file (See above)
2018-12-25T11:44:48.421382866Z	61	PC: 132cd \| Open file (See above)
2018-12-25T11:44:48.430025391Z	66	PC: 13397 \| Move file pointer (See above)
2018-12-25T11:44:48.431312958Z	87	PC: 132e4 \| Get or set file date and time
2018-12-25T11:44:48.433079569Z	44	PC: 13304 \| Get time 0x13304: or dl, dl 0x13306: je 0x13300 0x13308: mov byte ptr [bp + 0x116], dl 0x1330c: mov ax, 0x4200 0x1330f: call 0x13391 0x13312: mov ah, 0x3f 0x13314: lea dx, word ptr [bp + 0x22c] 0x13318: mov cx, 3 0x1331b: int 0x21 0x1331d: mov ax, 0x4202 0x13320: call 0x13391 0x13323: sub ax, 3 0x13326: mov word ptr cs:[bp + 0x22a], ax 0x1332b: lea si, word ptr [bp + 0x105] 0x1332f: mov di, 0xfcbc 0x13332: mov cx, 0x20f 0x13335: cld 0x13336: rep movsb byte ptr es:[di], byte ptr [si] 0x13338: mov si, 0xfcdf 0x1333b: call 0x23287
2018-12-25T11:44:48.437460703Z	66	PC: 13397 \| Move file pointer (See above)
2018-12-25T11:44:48.438793507Z	63	PC: 1331d \| Read file or device (Read 3 bytes on handle 5)
2018-12-25T11:44:48.441277963Z	66	PC: 13397 \| Move file pointer (See above)
2018-12-25T11:44:48.443995806Z	64	PC: 13348 \| Write file or device (Write 527 bytes on handle 5)
2018-12-25T11:44:48.46468098Z	66	PC: 13397 \| Move file pointer (See above)
2018-12-25T11:44:48.465958118Z	64	PC: 13359 \| Write file or device (Write 3 bytes on handle 5)
2018-12-25T11:44:48.469605941Z	87	PC: 13360 \| Get or set file date and time
2018-12-25T11:44:48.471339359Z	62	PC: 13364 \| Close file
2018-12-25T11:44:48.480913525Z	42	PC: 13368 \| Get date 0x13368: cmp dh, dl 0x1336a: jne 0x1337d 0x1336c: mov ah, 0x2c 0x1336e: int 0x21 0x13370: and dh, 7 0x13373: jne 0x1337d 0x13375: mov ah, 9 0x13377: lea dx, word ptr [bp + 0x235] 0x1337b: int 0x21 0x1337d: mov ah, 0x1a 0x1337f: mov dx, 0x80 0x13382: int 0x21 0x13384: mov ah, 0xe 0x13386: mov dl, byte ptr [bp + 0x314] 0x1338a: int 0x21 0x1338c: mov ax, 0x100 0x1338f: push ax 0x13390: ret 0x13391: xor cx, cx 0x13393: xor dx, dx
2018-12-25T11:44:48.483920787Z	44	PC: 13370 \| Get time 0x13370: and dh, 7 0x13373: jne 0x1337d 0x13375: mov ah, 9 0x13377: lea dx, word ptr [bp + 0x235] 0x1337b: int 0x21 0x1337d: mov ah, 0x1a 0x1337f: mov dx, 0x80 0x13382: int 0x21 0x13384: mov ah, 0xe 0x13386: mov dl, byte ptr [bp + 0x314] 0x1338a: int 0x21 0x1338c: mov ax, 0x100 0x1338f: push ax 0x13390: ret 0x13391: xor cx, cx 0x13393: xor dx, dx 0x13395: int 0x21 0x13397: ret 0x13398: jmp 0x13ddb 0x1339b: jmp 0x13bcf
2018-12-25T11:44:48.486124026Z	26	PC: 13384 \| Set disk transfer address
2018-12-25T11:44:48.487308557Z	14	PC: 1338c \| Set default drive (Drive = 'A')
2018-12-25T11:44:48.490669082Z	9	PC: 12a86 \| Display string (String= 'Goat file (COM/....). Size=00000834h/0000002100d bytes. ')
2018-12-25T11:44:48.49699216Z	48	PC: 12a8f \| Get DOS version
2018-12-25T11:44:48.49824772Z	61	PC: 12b5c \| Open file (Filename = '')
2018-12-25T11:44:48.505296317Z	93	PC: 12afe \| File sharing functions
2018-12-25T11:44:48.507207574Z	9	PC: 12a86 \| Display string (See above)
2018-12-25T11:44:48.511607589Z	76	PC: 12ae3 \| Terminate with return code (Return code = '1')

{"DateBased":true,"Day":2,"Month":1,"Year":1980,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":2038,"SideJobID":0}

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-25T11:44:48.356876898Z	26	PC: 1329e \| Set disk transfer address
2018-12-25T11:44:48.359196695Z	25	PC: 132ac \| Get default drive
2018-12-25T11:44:48.360367048Z	14	PC: 132b6 \| Set default drive (Drive = 'D')
2018-12-25T11:44:48.361751924Z	78	PC: 132c0 \| Find first file
2018-12-25T11:44:48.368321074Z	61	PC: 132cd \| Open file (Filename = 'SLEEP.COM')
2018-12-25T11:44:48.375708203Z	66	PC: 13397 \| Move file pointer
2018-12-25T11:44:48.376945666Z	62	PC: 132f4 \| Close file
2018-12-25T11:44:48.378874581Z	79	PC: 132c0 \| Find next file (See above)
2018-12-25T11:44:48.382299784Z	61	PC: 132cd \| Open file (See above)
2018-12-25T11:44:48.388725664Z	66	PC: 13397 \| Move file pointer (See above)
2018-12-25T11:44:48.390070103Z	62	PC: 132f4 \| Close file (See above)
2018-12-25T11:44:48.392829223Z	79	PC: 132c0 \| Find next file (See above)
2018-12-25T11:44:48.396062937Z	61	PC: 132cd \| Open file (See above)
2018-12-25T11:44:48.402596159Z	66	PC: 13397 \| Move file pointer (See above)
2018-12-25T11:44:48.405162344Z	62	PC: 132f4 \| Close file (See above)
2018-12-25T11:44:48.407077222Z	79	PC: 132c0 \| Find next file (See above)
2018-12-25T11:44:48.409810215Z	61	PC: 132cd \| Open file (See above)
2018-12-25T11:44:48.417661468Z	66	PC: 13397 \| Move file pointer (See above)
2018-12-25T11:44:48.419083209Z	62	PC: 132f4 \| Close file (See above)
2018-12-25T11:44:48.42072508Z	79	PC: 132c0 \| Find next file (See above)
2018-12-25T11:44:48.423950818Z	61	PC: 132cd \| Open file (See above)
2018-12-25T11:44:48.430286279Z	66	PC: 13397 \| Move file pointer (See above)
2018-12-25T11:44:48.431596649Z	62	PC: 132f4 \| Close file (See above)
2018-12-25T11:44:48.43396191Z	79	PC: 132c0 \| Find next file (See above)
2018-12-25T11:44:48.436653247Z	61	PC: 132cd \| Open file (See above)
2018-12-25T11:44:48.443738233Z	66	PC: 13397 \| Move file pointer (See above)
2018-12-25T11:44:48.445593023Z	62	PC: 132f4 \| Close file (See above)
2018-12-25T11:44:48.447302185Z	79	PC: 132c0 \| Find next file (See above)
2018-12-25T11:44:48.45014912Z	61	PC: 132cd \| Open file (See above)
2018-12-25T11:44:48.457098933Z	66	PC: 13397 \| Move file pointer (See above)
2018-12-25T11:44:48.45885447Z	62	PC: 132f4 \| Close file (See above)
2018-12-25T11:44:48.46072159Z	79	PC: 132c0 \| Find next file (See above)
2018-12-25T11:44:48.463786354Z	61	PC: 132cd \| Open file (See above)
2018-12-25T11:44:48.470772088Z	66	PC: 13397 \| Move file pointer (See above)
2018-12-25T11:44:48.472369718Z	87	PC: 132e4 \| Get or set file date and time
2018-12-25T11:44:48.474146592Z	44	PC: 13304 \| Get time 0x13304: or dl, dl 0x13306: je 0x13300 0x13308: mov byte ptr [bp + 0x116], dl 0x1330c: mov ax, 0x4200 0x1330f: call 0x13391 0x13312: mov ah, 0x3f 0x13314: lea dx, word ptr [bp + 0x22c] 0x13318: mov cx, 3 0x1331b: int 0x21 0x1331d: mov ax, 0x4202 0x13320: call 0x13391 0x13323: sub ax, 3 0x13326: mov word ptr cs:[bp + 0x22a], ax 0x1332b: lea si, word ptr [bp + 0x105] 0x1332f: mov di, 0xfcbc 0x13332: mov cx, 0x20f 0x13335: cld 0x13336: rep movsb byte ptr es:[di], byte ptr [si] 0x13338: mov si, 0xfcdf 0x1333b: call 0x23287
2018-12-25T11:44:48.485723044Z	66	PC: 13397 \| Move file pointer (See above)
2018-12-25T11:44:48.487086765Z	63	PC: 1331d \| Read file or device (Read 3 bytes on handle 5)
2018-12-25T11:44:48.491216134Z	66	PC: 13397 \| Move file pointer (See above)
2018-12-25T11:44:48.492679931Z	64	PC: 13348 \| Write file or device (Write 527 bytes on handle 5)
2018-12-25T11:44:48.508405279Z	66	PC: 13397 \| Move file pointer (See above)
2018-12-25T11:44:48.509943626Z	64	PC: 13359 \| Write file or device (Write 3 bytes on handle 5)
2018-12-25T11:44:48.513883071Z	87	PC: 13360 \| Get or set file date and time
2018-12-25T11:44:48.515333158Z	62	PC: 13364 \| Close file
2018-12-25T11:44:48.522714823Z	42	PC: 13368 \| Get date 0x13368: cmp dh, dl 0x1336a: jne 0x1337d 0x1336c: mov ah, 0x2c 0x1336e: int 0x21 0x13370: and dh, 7 0x13373: jne 0x1337d 0x13375: mov ah, 9 0x13377: lea dx, word ptr [bp + 0x235] 0x1337b: int 0x21 0x1337d: mov ah, 0x1a 0x1337f: mov dx, 0x80 0x13382: int 0x21 0x13384: mov ah, 0xe 0x13386: mov dl, byte ptr [bp + 0x314] 0x1338a: int 0x21 0x1338c: mov ax, 0x100 0x1338f: push ax 0x13390: ret 0x13391: xor cx, cx 0x13393: xor dx, dx
2018-12-25T11:44:48.525094785Z	26	PC: 13384 \| Set disk transfer address
2018-12-25T11:44:48.525997173Z	14	PC: 1338c \| Set default drive (Drive = 'A')
2018-12-25T11:44:48.527097581Z	9	PC: 12a86 \| Display string (String= 'Goat file (COM/....). Size=00000834h/0000002100d bytes. ')
2018-12-25T11:44:48.533126256Z	48	PC: 12a8f \| Get DOS version
2018-12-25T11:44:48.534883757Z	61	PC: 12b5c \| Open file (Filename = '')
2018-12-25T11:44:48.541536578Z	93	PC: 12afe \| File sharing functions
2018-12-25T11:44:48.544246506Z	9	PC: 12a86 \| Display string (See above)
2018-12-25T11:44:48.548447823Z	76	PC: 12ae3 \| Terminate with return code (Return code = '1')