Sample viewer

vx.netlux.org/Virus.DOS.Gosha.1831

.

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-17T22:11:31.750309291Z	243	PC: 14a14 \| UNKNOWN!
2018-12-17T22:11:31.752116819Z	53	PC: 14a20 \| Get interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-17T22:11:31.753303669Z	82	PC: 14a5a \| Get DOS internal pointers (SYSVARS)
2018-12-17T22:11:31.754791023Z	74	PC: 14a86 \| Reallocate memory
2018-12-17T22:11:31.756989059Z	74	PC: 14a8a \| Reallocate memory
2018-12-17T22:11:31.758292478Z	74	PC: 14b00 \| Reallocate memory
2018-12-17T22:11:31.759477849Z	53	PC: 9eb7c \| Get interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-17T22:11:31.76124606Z	9	PC: 12a86 \| Display string (String= 'Goat file (COM/....). Size=00001FA4h/0000008100d bytes. ')
2018-12-17T22:11:31.766568121Z	48	PC: 12a8f \| Get DOS version
2018-12-17T22:11:31.767717709Z	42	PC: 9e8f9 \| Get date 0x9e8f9: cmp dh, 3 0x9e8fc: jne 0x9e905 0x9e8fe: cmp dl, 4 0x9e901: jne 0x9e94a 0x9e903: jmp 0x9e90f 0x9e905: cmp dh, 0xb 0x9e908: jne 0x9e94a 0x9e90a: cmp dl, 7 0x9e90d: jne 0x9e94a 0x9e90f: mov ah, 0x19 0x9e911: int 0x21 0x9e913: cmp al, 2 0x9e915: jb 0x9e91c 0x9e917: mov dx, 0x180 0x9e91a: jmp 0x9e920 0x9e91c: mov dl, al 0x9e91e: xor dh, dh 0x9e920: call 0x9e923 0x9e923: pop bx 0x9e924: sub bx, 0xfaf0
2018-12-17T22:11:31.77554034Z	61	PC: 12b5c \| Open file (Filename = '')
2018-12-17T22:11:31.782707452Z	93	PC: 12afe \| File sharing functions
2018-12-17T22:11:31.784473232Z	9	PC: 12a86 \| Display string (String= 'Size change=0727h/01831d. ')
2018-12-17T22:11:31.798758276Z	76	PC: 12ae3 \| Terminate with return code (Return code = '1')

{"DateBased":true,"Day":1,"Month":3,"Year":1980,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":2407,"SideJobID":0}

.

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-25T11:45:42.051514746Z	243	PC: 14a14 \| UNKNOWN!
2018-12-25T11:45:42.052670237Z	53	PC: 14a20 \| Get interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T11:45:42.054682689Z	82	PC: 14a5a \| Get DOS internal pointers (SYSVARS)
2018-12-25T11:45:42.055742579Z	74	PC: 14a86 \| Reallocate memory
2018-12-25T11:45:42.057511814Z	74	PC: 14a8a \| Reallocate memory
2018-12-25T11:45:42.059015556Z	74	PC: 14b00 \| Reallocate memory
2018-12-25T11:45:42.060396399Z	53	PC: 9eb8c \| Get interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T11:45:42.062130515Z	9	PC: 12a86 \| Display string (String= 'Goat file (COM/....). Size=00001FA4h/0000008100d bytes. ')
2018-12-25T11:45:42.070796162Z	48	PC: 12a8f \| Get DOS version
2018-12-25T11:45:42.072077817Z	42	PC: 9e909 \| Get date 0x9e909: cmp dh, 3 0x9e90c: jne 0x9e915 0x9e90e: cmp dl, 4 0x9e911: jne 0x9e95a 0x9e913: jmp 0x9e91f 0x9e915: cmp dh, 0xb 0x9e918: jne 0x9e95a 0x9e91a: cmp dl, 7 0x9e91d: jne 0x9e95a 0x9e91f: mov ah, 0x19 0x9e921: int 0x21 0x9e923: cmp al, 2 0x9e925: jb 0x9e92c 0x9e927: mov dx, 0x180 0x9e92a: jmp 0x9e930 0x9e92c: mov dl, al 0x9e92e: xor dh, dh 0x9e930: call 0x9e933 0x9e933: pop bx 0x9e934: sub bx, 0xfaf0
2018-12-25T11:45:42.074323478Z	61	PC: 12b5c \| Open file (Filename = '')
2018-12-25T11:45:42.081713803Z	93	PC: 12afe \| File sharing functions
2018-12-25T11:45:42.083599711Z	9	PC: 12a86 \| Display string (See above)
2018-12-25T11:45:42.087977229Z	76	PC: 12ae3 \| Terminate with return code (Return code = '1')

{"DateBased":true,"Day":4,"Month":3,"Year":1980,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":2407,"SideJobID":0}

.

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-25T11:45:42.591759409Z	243	PC: 14a14 \| UNKNOWN!
2018-12-25T11:45:42.592867297Z	53	PC: 14a20 \| Get interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T11:45:42.594285781Z	82	PC: 14a5a \| Get DOS internal pointers (SYSVARS)
2018-12-25T11:45:42.595218782Z	74	PC: 14a86 \| Reallocate memory
2018-12-25T11:45:42.596804813Z	74	PC: 14a8a \| Reallocate memory
2018-12-25T11:45:42.597999671Z	74	PC: 14b00 \| Reallocate memory
2018-12-25T11:45:42.598992183Z	53	PC: 9eb8c \| Get interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T11:45:42.600187404Z	9	PC: 12a86 \| Display string (String= 'Goat file (COM/....). Size=00001FA4h/0000008100d bytes. ')
2018-12-25T11:45:42.603895212Z	48	PC: 12a8f \| Get DOS version
2018-12-25T11:45:42.604932816Z	42	PC: 9e909 \| Get date 0x9e909: cmp dh, 3 0x9e90c: jne 0x9e915 0x9e90e: cmp dl, 4 0x9e911: jne 0x9e95a 0x9e913: jmp 0x9e91f 0x9e915: cmp dh, 0xb 0x9e918: jne 0x9e95a 0x9e91a: cmp dl, 7 0x9e91d: jne 0x9e95a 0x9e91f: mov ah, 0x19 0x9e921: int 0x21 0x9e923: cmp al, 2 0x9e925: jb 0x9e92c 0x9e927: mov dx, 0x180 0x9e92a: jmp 0x9e930 0x9e92c: mov dl, al 0x9e92e: xor dh, dh 0x9e930: call 0x9e933 0x9e933: pop bx 0x9e934: sub bx, 0xfaf0
2018-12-25T11:45:42.60655792Z	25	PC: 9e923 \| Get default drive
2018-12-25T11:45:42.644965165Z	61	PC: 12b5c \| Open file (Filename = '')
2018-12-25T11:45:42.652339227Z	93	PC: 12afe \| File sharing functions
2018-12-25T11:45:42.654359027Z	9	PC: 12a86 \| Display string (See above)
2018-12-25T11:45:42.660165179Z	76	PC: 12ae3 \| Terminate with return code (Return code = '1')

{"DateBased":true,"Day":1,"Month":11,"Year":1980,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":2407,"SideJobID":0}

.

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-25T11:45:42.898565729Z	243	PC: 14a14 \| UNKNOWN!
2018-12-25T11:45:42.900552932Z	53	PC: 14a20 \| Get interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T11:45:42.90200764Z	82	PC: 14a5a \| Get DOS internal pointers (SYSVARS)
2018-12-25T11:45:42.903145835Z	74	PC: 14a86 \| Reallocate memory
2018-12-25T11:45:42.904701612Z	74	PC: 14a8a \| Reallocate memory
2018-12-25T11:45:42.906945791Z	74	PC: 14b00 \| Reallocate memory
2018-12-25T11:45:42.90855798Z	53	PC: 9eb7e \| Get interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T11:45:42.910106311Z	9	PC: 12a86 \| Display string (String= 'Goat file (COM/....). Size=00001FA4h/0000008100d bytes. ')
2018-12-25T11:45:42.916558984Z	48	PC: 12a8f \| Get DOS version
2018-12-25T11:45:42.917787752Z	42	PC: 9e8fb \| Get date 0x9e8fb: cmp dh, 3 0x9e8fe: jne 0x9e907 0x9e900: cmp dl, 4 0x9e903: jne 0x9e94c 0x9e905: jmp 0x9e911 0x9e907: cmp dh, 0xb 0x9e90a: jne 0x9e94c 0x9e90c: cmp dl, 7 0x9e90f: jne 0x9e94c 0x9e911: mov ah, 0x19 0x9e913: int 0x21 0x9e915: cmp al, 2 0x9e917: jb 0x9e91e 0x9e919: mov dx, 0x180 0x9e91c: jmp 0x9e922 0x9e91e: mov dl, al 0x9e920: xor dh, dh 0x9e922: call 0x9e925 0x9e925: pop bx 0x9e926: sub bx, 0xfaf0
2018-12-25T11:45:42.919997574Z	61	PC: 12b5c \| Open file (Filename = '')
2018-12-25T11:45:42.932215866Z	93	PC: 12afe \| File sharing functions
2018-12-25T11:45:42.934254961Z	9	PC: 12a86 \| Display string (See above)
2018-12-25T11:45:42.938711913Z	76	PC: 12ae3 \| Terminate with return code (Return code = '1')

{"DateBased":true,"Day":7,"Month":11,"Year":1980,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":2407,"SideJobID":0}

.

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-25T11:45:43.478313875Z	243	PC: 14a14 \| UNKNOWN!
2018-12-25T11:45:43.4802003Z	53	PC: 14a20 \| Get interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T11:45:43.481591675Z	82	PC: 14a5a \| Get DOS internal pointers (SYSVARS)
2018-12-25T11:45:43.482896817Z	74	PC: 14a86 \| Reallocate memory
2018-12-25T11:45:43.485871139Z	74	PC: 14a8a \| Reallocate memory
2018-12-25T11:45:43.487450257Z	74	PC: 14b00 \| Reallocate memory
2018-12-25T11:45:43.489621599Z	53	PC: 9eb7e \| Get interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T11:45:43.49172373Z	9	PC: 12a86 \| Display string (String= 'Goat file (COM/....). Size=00001FA4h/0000008100d bytes. ')
2018-12-25T11:45:43.49872884Z	48	PC: 12a8f \| Get DOS version
2018-12-25T11:45:43.500449951Z	42	PC: 9e8fb \| Get date 0x9e8fb: cmp dh, 3 0x9e8fe: jne 0x9e907 0x9e900: cmp dl, 4 0x9e903: jne 0x9e94c 0x9e905: jmp 0x9e911 0x9e907: cmp dh, 0xb 0x9e90a: jne 0x9e94c 0x9e90c: cmp dl, 7 0x9e90f: jne 0x9e94c 0x9e911: mov ah, 0x19 0x9e913: int 0x21 0x9e915: cmp al, 2 0x9e917: jb 0x9e91e 0x9e919: mov dx, 0x180 0x9e91c: jmp 0x9e922 0x9e91e: mov dl, al 0x9e920: xor dh, dh 0x9e922: call 0x9e925 0x9e925: pop bx 0x9e926: sub bx, 0xfaf0
2018-12-25T11:45:43.503622924Z	25	PC: 9e915 \| Get default drive
2018-12-25T11:45:43.699804817Z	61	PC: 12b5c \| Open file (Filename = '')
2018-12-25T11:45:43.707322912Z	93	PC: 12afe \| File sharing functions
2018-12-25T11:45:43.709358923Z	9	PC: 12a86 \| Display string (See above)
2018-12-25T11:45:43.714522524Z	76	PC: 12ae3 \| Terminate with return code (Return code = '1')

{"DateBased":true,"Day":1,"Month":1,"Year":1980,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":2407,"SideJobID":0}

.

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-25T11:45:43.595497759Z	243	PC: 14a14 \| UNKNOWN!
2018-12-25T11:45:43.604759593Z	53	PC: 14a20 \| Get interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T11:45:43.605942333Z	82	PC: 14a5a \| Get DOS internal pointers (SYSVARS)
2018-12-25T11:45:43.606995012Z	74	PC: 14a86 \| Reallocate memory
2018-12-25T11:45:43.609256911Z	74	PC: 14a8a \| Reallocate memory
2018-12-25T11:45:43.610588326Z	74	PC: 14b00 \| Reallocate memory
2018-12-25T11:45:43.611800322Z	53	PC: 9eb7d \| Get interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T11:45:43.61565909Z	9	PC: 12a86 \| Display string (String= 'Goat file (COM/....). Size=00001FA4h/0000008100d bytes. ')
2018-12-25T11:45:43.620940356Z	48	PC: 12a8f \| Get DOS version
2018-12-25T11:45:43.622071895Z	42	PC: 9e8fa \| Get date 0x9e8fa: cmp dh, 3 0x9e8fd: jne 0x9e906 0x9e8ff: cmp dl, 4 0x9e902: jne 0x9e94b 0x9e904: jmp 0x9e910 0x9e906: cmp dh, 0xb 0x9e909: jne 0x9e94b 0x9e90b: cmp dl, 7 0x9e90e: jne 0x9e94b 0x9e910: mov ah, 0x19 0x9e912: int 0x21 0x9e914: cmp al, 2 0x9e916: jb 0x9e91d 0x9e918: mov dx, 0x180 0x9e91b: jmp 0x9e921 0x9e91d: mov dl, al 0x9e91f: xor dh, dh 0x9e921: call 0x9e924 0x9e924: pop bx 0x9e925: sub bx, 0xfaf0
2018-12-25T11:45:43.624295977Z	61	PC: 12b5c \| Open file (Filename = '')
2018-12-25T11:45:43.631036276Z	93	PC: 12afe \| File sharing functions
2018-12-25T11:45:43.632792628Z	9	PC: 12a86 \| Display string (See above)
2018-12-25T11:45:43.636800201Z	76	PC: 12ae3 \| Terminate with return code (Return code = '1')