Sample viewer

vx.netlux.org/Virus.DOS.Galeocerdo.600

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-17T22:15:37.950982376Z	26	PC: 12a4c \| Set disk transfer address
2018-12-17T22:15:37.952315657Z	53	PC: 12a5a \| Get interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-17T22:15:37.95387847Z	37	PC: 12a70 \| Set interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-17T22:15:37.95561991Z	25	PC: 12a96 \| Get default drive
2018-12-17T22:15:37.956620873Z	78	PC: 12ae7 \| Find first file
2018-12-17T22:15:37.962823753Z	67	PC: 12b36 \| Get or set file attributes
2018-12-17T22:15:37.966461048Z	67	PC: 12b44 \| Get or set file attributes
2018-12-17T22:15:37.979409996Z	61	PC: 12b4c \| Open file (Filename = 'SLEEP.COM')
2018-12-17T22:15:37.984141993Z	63	PC: 12b68 \| Read file or device (Read 3 bytes on handle 5)
2018-12-17T22:15:37.988352445Z	66	PC: 12b92 \| Move file pointer
2018-12-17T22:15:37.989629426Z	63	PC: 12ba4 \| Read file or device (Read 2 bytes on handle 5)
2018-12-17T22:15:38.005552016Z	64	PC: 12bc2 \| Write file or device (Write 600 bytes on handle 5)
2018-12-17T22:15:38.010591932Z	66	PC: 12bd1 \| Move file pointer
2018-12-17T22:15:38.01156064Z	64	PC: 12be3 \| Write file or device (Write 3 bytes on handle 5)
2018-12-17T22:15:38.015859906Z	87	PC: 12c49 \| Get or set file date and time
2018-12-17T22:15:38.017926323Z	62	PC: 12c53 \| Close file
2018-12-17T22:15:38.026892786Z	67	PC: 12c61 \| Get or set file attributes
2018-12-17T22:15:38.037622239Z	26	PC: 12bf3 \| Set disk transfer address
2018-12-17T22:15:38.038951005Z	37	PC: 12c04 \| Set interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-17T22:15:38.040429396Z	42	PC: 12c09 \| Get date 0x12c09: cmp al, 4 0x12c0b: jne 0x12c1a 0x12c0d: push es 0x12c0e: xor ax, ax 0x12c10: mov es, ax 0x12c12: mov word ptr es:[0x44e], 0xfa0 0x12c19: pop es 0x12c1a: add cx, 0x64 0x12c1d: mov ah, 0x2b 0x12c1f: int 0x21 0x12c21: pop ax 0x12c22: mov bx, 0x100 0x12c25: push bx 0x12c26: xor bx, bx 0x12c28: xor dx, dx 0x12c2a: xor cx, cx 0x12c2c: xor si, si 0x12c2e: xor di, di 0x12c30: xor bp, bp 0x12c32: ret
2018-12-17T22:15:38.043815648Z	43	PC: 12c21 \| Set date

{"DateBased":true,"Day":1,"Month":1,"Year":1980,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":2849,"SideJobID":0}

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-25T11:47:24.112854209Z	26	PC: 12a4c \| Set disk transfer address
2018-12-25T11:47:24.114220512Z	53	PC: 12a5a \| Get interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-25T11:47:24.115236619Z	37	PC: 12a70 \| Set interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-25T11:47:24.116159014Z	25	PC: 12a96 \| Get default drive
2018-12-25T11:47:24.117444721Z	78	PC: 12ae7 \| Find first file
2018-12-25T11:47:24.121090209Z	67	PC: 12b36 \| Get or set file attributes
2018-12-25T11:47:24.124405656Z	67	PC: 12b44 \| Get or set file attributes
2018-12-25T11:47:24.138011264Z	61	PC: 12b4c \| Open file (Filename = 'SLEEP.COM')
2018-12-25T11:47:24.155791136Z	63	PC: 12b68 \| Read file or device (Read 3 bytes on handle 5)
2018-12-25T11:47:24.161316788Z	66	PC: 12b92 \| Move file pointer
2018-12-25T11:47:24.16244266Z	63	PC: 12ba4 \| Read file or device (Read 2 bytes on handle 5)
2018-12-25T11:47:24.167293139Z	64	PC: 12bc2 \| Write file or device (Write 600 bytes on handle 5)
2018-12-25T11:47:24.17483758Z	66	PC: 12bd1 \| Move file pointer
2018-12-25T11:47:24.17608109Z	64	PC: 12be3 \| Write file or device (Write 3 bytes on handle 5)
2018-12-25T11:47:24.182465149Z	87	PC: 12c49 \| Get or set file date and time
2018-12-25T11:47:24.183721532Z	62	PC: 12c53 \| Close file
2018-12-25T11:47:24.190984917Z	67	PC: 12c61 \| Get or set file attributes
2018-12-25T11:47:24.201146505Z	26	PC: 12bf3 \| Set disk transfer address
2018-12-25T11:47:24.202109558Z	37	PC: 12c04 \| Set interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-25T11:47:24.203048906Z	42	PC: 12c09 \| Get date 0x12c09: cmp al, 4 0x12c0b: jne 0x12c1a 0x12c0d: push es 0x12c0e: xor ax, ax 0x12c10: mov es, ax 0x12c12: mov word ptr es:[0x44e], 0xfa0 0x12c19: pop es 0x12c1a: add cx, 0x64 0x12c1d: mov ah, 0x2b 0x12c1f: int 0x21 0x12c21: pop ax 0x12c22: mov bx, 0x100 0x12c25: push bx 0x12c26: xor bx, bx 0x12c28: xor dx, dx 0x12c2a: xor cx, cx 0x12c2c: xor si, si 0x12c2e: xor di, di 0x12c30: xor bp, bp 0x12c32: ret
2018-12-25T11:47:24.205443646Z	43	PC: 12c21 \| Set date

{"DateBased":true,"Day":3,"Month":1,"Year":1980,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":2849,"SideJobID":0}

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-25T11:47:24.283839901Z	26	PC: 12a4c \| Set disk transfer address
2018-12-25T11:47:24.290596703Z	53	PC: 12a5a \| Get interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-25T11:47:24.292115241Z	37	PC: 12a70 \| Set interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-25T11:47:24.293745739Z	25	PC: 12a96 \| Get default drive
2018-12-25T11:47:24.306351065Z	78	PC: 12ae7 \| Find first file
2018-12-25T11:47:24.312390299Z	67	PC: 12b36 \| Get or set file attributes
2018-12-25T11:47:24.318035501Z	67	PC: 12b44 \| Get or set file attributes
2018-12-25T11:47:24.342517002Z	61	PC: 12b4c \| Open file (Filename = 'SLEEP.COM')
2018-12-25T11:47:24.350432622Z	63	PC: 12b68 \| Read file or device (Read 3 bytes on handle 5)
2018-12-25T11:47:24.356985296Z	66	PC: 12b92 \| Move file pointer
2018-12-25T11:47:24.359131664Z	63	PC: 12ba4 \| Read file or device (Read 2 bytes on handle 5)
2018-12-25T11:47:24.363013865Z	64	PC: 12bc2 \| Write file or device (Write 600 bytes on handle 5)
2018-12-25T11:47:24.371264422Z	66	PC: 12bd1 \| Move file pointer
2018-12-25T11:47:24.372740067Z	64	PC: 12be3 \| Write file or device (Write 3 bytes on handle 5)
2018-12-25T11:47:24.380591293Z	87	PC: 12c49 \| Get or set file date and time
2018-12-25T11:47:24.38213542Z	62	PC: 12c53 \| Close file
2018-12-25T11:47:24.390307106Z	67	PC: 12c61 \| Get or set file attributes
2018-12-25T11:47:24.401169265Z	26	PC: 12bf3 \| Set disk transfer address
2018-12-25T11:47:24.402317375Z	37	PC: 12c04 \| Set interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-25T11:47:24.403742783Z	42	PC: 12c09 \| Get date 0x12c09: cmp al, 4 0x12c0b: jne 0x12c1a 0x12c0d: push es 0x12c0e: xor ax, ax 0x12c10: mov es, ax 0x12c12: mov word ptr es:[0x44e], 0xfa0 0x12c19: pop es 0x12c1a: add cx, 0x64 0x12c1d: mov ah, 0x2b 0x12c1f: int 0x21 0x12c21: pop ax 0x12c22: mov bx, 0x100 0x12c25: push bx 0x12c26: xor bx, bx 0x12c28: xor dx, dx 0x12c2a: xor cx, cx 0x12c2c: xor si, si 0x12c2e: xor di, di 0x12c30: xor bp, bp 0x12c32: ret
2018-12-25T11:47:24.406768123Z	43	PC: 12c21 \| Set date