
vx.netlux.org/Trojan.DOS.Upgrader

Syscalls:

Time Syscall Op Syscall Name
2018-12-17T23:15:28.1989844Z 9 PC: 12aef | Display string (String= 'Upgrade Commander v2.9 Copyright (c) 1994 Infiltrator ')
2018-12-17T23:15:28.201928717Z 67 PC: 12af7 | Get or set file attributes
2018-12-17T23:15:28.205270132Z 67 PC: 12b04 | Get or set file attributes
2018-12-17T23:15:30.400452527Z 61 PC: 12b09 | Open file (Filename = 'c:\command.com')
2018-12-17T23:15:30.408574218Z 87 PC: 12b15 | Get or set file date and time
2018-12-17T23:15:30.41038178Z 66 PC: 12b2a | Move file pointer
2018-12-17T23:15:30.412199356Z 66 PC: 12b3e | Move file pointer
2018-12-17T23:15:30.414149287Z 63 PC: 12b48 | Read file or device (Read 10 bytes on handle 5)
2018-12-17T23:15:30.417614013Z 66 PC: 12b6c | Move file pointer
2018-12-17T23:15:30.419297009Z 63 PC: 12b76 | Read file or device (Read 2 bytes on handle 5)
2018-12-17T23:15:30.422521406Z 66 PC: 12b8e | Move file pointer
2018-12-17T23:15:30.424694307Z 64 PC: 12b9d | Write file or device (Write 2 bytes on handle 5)
2018-12-17T23:15:30.428098029Z 42 PC: 12ba1 | Get date
  0x12ba1: add dl, 7
  0x12ba4: cmp dl, 0x1f
  0x12ba7: jbe 0x12bb6
  0x12ba9: sub dl, 0x1f
  0x12bac: inc dh
  0x12bae: cmp dh, 0xc
  0x12bb1: jbe 0x12bb6
  0x12bb3: inc cx
  0x12bb4: mov dh, 1
  0x12bb6: mov word ptr [0x2a3], cx
  0x12bba: mov byte ptr [0x2a5], dh
  0x12bbe: mov byte ptr [0x2a6], dl
  0x12bc2: mov ax, 0x4200
  0x12bc5: mov cx, 0
  0x12bc8: add word ptr [0x179], 3
  0x12bcd: mov dx, word ptr [0x179]
  0x12bd1: int 0x21
  0x12bd3: mov ah, 0x40
  0x12bd5: mov cx, 0xc2
  0x12bd8: mov dx, 0x2a0
2018-12-17T23:15:30.431057048Z 66 PC: 12bd3 | Move file pointer
2018-12-17T23:15:30.434312878Z 64 PC: 12bdd | Write file or device (Write 194 bytes on handle 5)
2018-12-17T23:15:30.437607512Z 9 PC: 12ca9 | Display string (String= ' Command.com successfully upgraded! ')
2018-12-17T23:15:30.443542003Z 87 PC: 12cb6 | Get or set file date and time
2018-12-17T23:15:30.445941657Z 62 PC: 12cbe | Close file
2018-12-17T23:15:30.491527618Z 67 PC: 12cca | Get or set file attributes
2018-12-17T23:15:30.570336963Z 76 PC: 12ccf | Terminate with return code (Return code = '0')

{"DateBased":true,"Day":1,"Month":11,"Year":1980,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":2663,"SideJobID":0}

Syscalls:

Time Syscall Op Syscall Name
2018-12-25T11:46:08.381031031Z 9 PC: 12aef | Display string (String= 'Upgrade Commander v2.9 Copyright (c) 1994 Infiltrator ')
2018-12-25T11:46:08.388392473Z 67 PC: 12af7 | Get or set file attributes
2018-12-25T11:46:08.393654609Z 67 PC: 12b04 | Get or set file attributes
2018-12-25T11:46:09.394653459Z 61 PC: 12b09 | Open file (Filename = 'c:\command.com')
2018-12-25T11:46:09.402343108Z 87 PC: 12b15 | Get or set file date and time
2018-12-25T11:46:09.403891376Z 66 PC: 12b2a | Move file pointer
2018-12-25T11:46:09.406269248Z 66 PC: 12b3e | Move file pointer
2018-12-25T11:46:09.408907732Z 63 PC: 12b48 | Read file or device (Read 10 bytes on handle 5)
2018-12-25T11:46:09.412250685Z 66 PC: 12b6c | Move file pointer
2018-12-25T11:46:09.414307157Z 63 PC: 12b76 | Read file or device (Read 2 bytes on handle 5)
2018-12-25T11:46:09.417374042Z 66 PC: 12b8e | Move file pointer
2018-12-25T11:46:09.419576841Z 64 PC: 12b9d | Write file or device (Write 2 bytes on handle 5)
2018-12-25T11:46:09.42230604Z 42 PC: 12ba1 | Get date
  0x12ba1: add dl, 7
  0x12ba4: cmp dl, 0x1f
  0x12ba7: jbe 0x12bb6
  0x12ba9: sub dl, 0x1f
  0x12bac: inc dh
  0x12bae: cmp dh, 0xc
  0x12bb1: jbe 0x12bb6
  0x12bb3: inc cx
  0x12bb4: mov dh, 1
  0x12bb6: mov word ptr [0x2a3], cx
  0x12bba: mov byte ptr [0x2a5], dh
  0x12bbe: mov byte ptr [0x2a6], dl
  0x12bc2: mov ax, 0x4200
  0x12bc5: mov cx, 0
  0x12bc8: add word ptr [0x179], 3
  0x12bcd: mov dx, word ptr [0x179]
  0x12bd1: int 0x21
  0x12bd3: mov ah, 0x40
  0x12bd5: mov cx, 0xc2
  0x12bd8: mov dx, 0x2a0
2018-12-25T11:46:09.424384114Z 66 PC: 12bd3 | Move file pointer
2018-12-25T11:46:09.426359251Z 64 PC: 12bdd | Write file or device (Write 194 bytes on handle 5)
2018-12-25T11:46:09.429284333Z 9 PC: 12ca9 | Display string (String= ' Command.com successfully upgraded! ')
2018-12-25T11:46:09.433158097Z 87 PC: 12cb6 | Get or set file date and time
2018-12-25T11:46:09.435577647Z 62 PC: 12cbe | Close file
2018-12-25T11:46:09.442184238Z 67 PC: 12cca | Get or set file attributes
2018-12-25T11:46:09.452393907Z 76 PC: 12ccf | Terminate with return code (Return code = '0')

{"DateBased":true,"Day":1,"Month":1,"Year":1980,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":2663,"SideJobID":0}

Syscalls:

Time Syscall Op Syscall Name
2018-12-25T11:46:08.645287872Z 9 PC: 12aef | Display string (String= 'Upgrade Commander v2.9 Copyright (c) 1994 Infiltrator ')
2018-12-25T11:46:08.651850754Z 67 PC: 12af7 | Get or set file attributes
2018-12-25T11:46:08.665693214Z 67 PC: 12b04 | Get or set file attributes
2018-12-25T11:46:09.008426204Z 61 PC: 12b09 | Open file (Filename = 'c:\command.com')
2018-12-25T11:46:09.017288621Z 87 PC: 12b15 | Get or set file date and time
2018-12-25T11:46:09.019455592Z 66 PC: 12b2a | Move file pointer
2018-12-25T11:46:09.021074284Z 66 PC: 12b3e | Move file pointer
2018-12-25T11:46:09.022564604Z 63 PC: 12b48 | Read file or device (Read 10 bytes on handle 5)
2018-12-25T11:46:09.026821481Z 66 PC: 12b6c | Move file pointer
2018-12-25T11:46:09.028237613Z 63 PC: 12b76 | Read file or device (Read 2 bytes on handle 5)
2018-12-25T11:46:09.031131443Z 66 PC: 12b8e | Move file pointer
2018-12-25T11:46:09.033695612Z 64 PC: 12b9d | Write file or device (Write 2 bytes on handle 5)
2018-12-25T11:46:09.037450881Z 42 PC: 12ba1 | Get date
  0x12ba1: add dl, 7
  0x12ba4: cmp dl, 0x1f
  0x12ba7: jbe 0x12bb6
  0x12ba9: sub dl, 0x1f
  0x12bac: inc dh
  0x12bae: cmp dh, 0xc
  0x12bb1: jbe 0x12bb6
  0x12bb3: inc cx
  0x12bb4: mov dh, 1
  0x12bb6: mov word ptr [0x2a3], cx
  0x12bba: mov byte ptr [0x2a5], dh
  0x12bbe: mov byte ptr [0x2a6], dl
  0x12bc2: mov ax, 0x4200
  0x12bc5: mov cx, 0
  0x12bc8: add word ptr [0x179], 3
  0x12bcd: mov dx, word ptr [0x179]
  0x12bd1: int 0x21
  0x12bd3: mov ah, 0x40
  0x12bd5: mov cx, 0xc2
  0x12bd8: mov dx, 0x2a0
2018-12-25T11:46:09.039852133Z 66 PC: 12bd3 | Move file pointer
2018-12-25T11:46:09.043191548Z 64 PC: 12bdd | Write file or device (Write 194 bytes on handle 5)
2018-12-25T11:46:09.047161123Z 9 PC: 12ca9 | Display string (String= ' Command.com successfully upgraded! ')
2018-12-25T11:46:09.052241498Z 87 PC: 12cb6 | Get or set file date and time
2018-12-25T11:46:09.054615983Z 62 PC: 12cbe | Close file
2018-12-25T11:46:09.069677597Z 67 PC: 12cca | Get or set file attributes
2018-12-25T11:46:09.0805988Z 76 PC: 12ccf | Terminate with return code (Return code = '0')

{"DateBased":true,"Day":24,"Month":1,"Year":1980,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":2663,"SideJobID":0}

Syscalls:

Time Syscall Op Syscall Name
2018-12-25T11:46:09.596314689Z 9 PC: 12aef | Display string (String= 'Upgrade Commander v2.9 Copyright (c) 1994 Infiltrator ')
2018-12-25T11:46:09.603451438Z 67 PC: 12af7 | Get or set file attributes
2018-12-25T11:46:09.610251674Z 67 PC: 12b04 | Get or set file attributes
2018-12-25T11:46:09.94861774Z 61 PC: 12b09 | Open file (Filename = 'c:\command.com')
2018-12-25T11:46:09.966634482Z 87 PC: 12b15 | Get or set file date and time
2018-12-25T11:46:09.969466903Z 66 PC: 12b2a | Move file pointer
2018-12-25T11:46:09.971452422Z 66 PC: 12b3e | Move file pointer
2018-12-25T11:46:09.973356028Z 63 PC: 12b48 | Read file or device (Read 10 bytes on handle 5)
2018-12-25T11:46:09.97817066Z 66 PC: 12b6c | Move file pointer
2018-12-25T11:46:09.980867971Z 63 PC: 12b76 | Read file or device (Read 2 bytes on handle 5)
2018-12-25T11:46:09.984102481Z 66 PC: 12b8e | Move file pointer
2018-12-25T11:46:09.986620431Z 64 PC: 12b9d | Write file or device (Write 2 bytes on handle 5)
2018-12-25T11:46:09.989955828Z 42 PC: 12ba1 | Get date
  0x12ba1: add dl, 7
  0x12ba4: cmp dl, 0x1f
  0x12ba7: jbe 0x12bb6
  0x12ba9: sub dl, 0x1f
  0x12bac: inc dh
  0x12bae: cmp dh, 0xc
  0x12bb1: jbe 0x12bb6
  0x12bb3: inc cx
  0x12bb4: mov dh, 1
  0x12bb6: mov word ptr [0x2a3], cx
  0x12bba: mov byte ptr [0x2a5], dh
  0x12bbe: mov byte ptr [0x2a6], dl
  0x12bc2: mov ax, 0x4200
  0x12bc5: mov cx, 0
  0x12bc8: add word ptr [0x179], 3
  0x12bcd: mov dx, word ptr [0x179]
  0x12bd1: int 0x21
  0x12bd3: mov ah, 0x40
  0x12bd5: mov cx, 0xc2
  0x12bd8: mov dx, 0x2a0
2018-12-25T11:46:09.992757229Z 66 PC: 12bd3 | Move file pointer
2018-12-25T11:46:10.006452466Z 64 PC: 12bdd | Write file or device (Write 194 bytes on handle 5)
2018-12-25T11:46:10.0109104Z 9 PC: 12ca9 | Display string (String= ' Command.com successfully upgraded! ')
2018-12-25T11:46:10.01927Z 87 PC: 12cb6 | Get or set file date and time
2018-12-25T11:46:10.020961218Z 62 PC: 12cbe | Close file
2018-12-25T11:46:10.028864673Z 67 PC: 12cca | Get or set file attributes
2018-12-25T11:46:10.038525937Z 76 PC: 12ccf | Terminate with return code (Return code = '0')