Sample viewer

vx.netlux.org/Virus.DOS.Holms.6161

.

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-17T22:18:43.266816296Z	48	PC: 13ee3 \| Get DOS version
2018-12-17T22:18:43.269818714Z	42	PC: 14230 \| Get date 0x14230: cmp cx, 0x7bc 0x14234: jne 0x14243 0x14236: cmp word ptr cs:[0x56a], 0xf9ea 0x1423d: jne 0x14243 0x1423f: clc 0x14240: jmp 0x14258 0x14242: nop 0x14243: call 0x240f6 0x14246: jb 0x14253 0x14248: cmp byte ptr cs:[0x56c], 0 0x1424e: je 0x14253 0x14250: call 0x1426d 0x14253: pushf 0x14254: call 0x1426d 0x14257: popf 0x14258: pushf 0x14259: cmp byte ptr cs:[0x15a], 0 0x1425f: je 0x14268 0x14261: mov byte ptr cs:[0x56c], 1 0x14267: nop
2018-12-17T22:18:43.272001971Z	42	PC: 140fd \| Get date 0x140fd: mov ax, word ptr cs:[0x1c5] 0x14101: or al, byte ptr cs:[0x1c4] 0x14106: or al, byte ptr cs:[0x1c3] 0x1410b: or al, ah 0x1410d: je 0x14143 0x1410f: cmp cx, word ptr cs:[0x1c9] 0x14114: ja 0x14128 0x14116: jb 0x14143 0x14118: cmp dh, byte ptr cs:[0x1c8] 0x1411d: ja 0x14128 0x1411f: jb 0x14143 0x14121: cmp dl, byte ptr cs:[0x1c7] 0x14126: jb 0x14143 0x14128: cmp cx, word ptr cs:[0x1c5] 0x1412d: ja 0x14143 0x1412f: jb 0x14141 0x14131: cmp dh, byte ptr cs:[0x1c4] 0x14136: ja 0x14143 0x14138: jb 0x14141 0x1413a: cmp dl, byte ptr cs:[0x1c3]
2018-12-17T22:18:43.274389991Z	42	PC: 140b0 \| Get date 0x140b0: mov al, dl 0x140b2: xor ah, ah 0x140b4: mov byte ptr cs:[0x1c7], al 0x140b8: mov byte ptr cs:[0x1c8], dh 0x140bd: mov word ptr cs:[0x1c9], cx 0x140c2: add ax, word ptr cs:[0x163] 0x140c7: push word ptr cs:[0x16f] 0x140cc: pop word ptr cs:[0x163] 0x140d1: cmp ax, 0x1c 0x140d4: jbe 0x140e6 0x140d6: sub ax, 0x1c 0x140d9: inc dh 0x140db: cmp dh, 0xc 0x140de: jbe 0x140d1 0x140e0: sub dh, 0xc 0x140e3: inc cx 0x140e4: jmp 0x140d1 0x140e6: mov byte ptr cs:[0x1c3], al 0x140ea: mov byte ptr cs:[0x1c4], dh 0x140ef: mov word ptr cs:[0x1c5], cx
2018-12-17T22:18:43.279243516Z	72	PC: 13f5e \| Allocate memory
2018-12-17T22:18:43.281032866Z	74	PC: 13f78 \| Reallocate memory
2018-12-17T22:18:43.283176282Z	72	PC: 13fa7 \| Allocate memory
2018-12-17T22:18:43.285816191Z	52	PC: 14026 \| Get InDOS flag pointer
2018-12-17T22:18:43.287121131Z	53	PC: 1405e \| Get interrupt vector (Interrupt = '40' AKA 'Random block write')
2018-12-17T22:18:43.288319479Z	37	PC: 1406e \| Set interrupt vector (Interrupt = '40' AKA 'Random block write')
2018-12-17T22:18:43.289842419Z	53	PC: 14073 \| Get interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-17T22:18:43.291286348Z	37	PC: 14083 \| Set interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-17T22:18:43.29272758Z	53	PC: 14088 \| Get interrupt vector (Interrupt = '8' AKA 'Console input without echo')
2018-12-17T22:18:43.294433405Z	37	PC: 14098 \| Set interrupt vector (Interrupt = '8' AKA 'Console input without echo')
2018-12-17T22:18:43.301933255Z	53	PC: 9f7fe \| Get interrupt vector (Interrupt = '28' AKA 'Get allocation info for specified drive')
2018-12-17T22:18:43.30362309Z	37	PC: 9f826 \| Set interrupt vector (Interrupt = '28' AKA 'Get allocation info for specified drive')

{"DateBased":true,"Day":1,"Month":1,"Year":1980,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":3199,"SideJobID":0}

.

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-25T11:48:41.974374671Z	48	PC: 13ee3 \| Get DOS version
2018-12-25T11:48:41.976547745Z	42	PC: 14230 \| Get date 0x14230: cmp cx, 0x7bc 0x14234: jne 0x14243 0x14236: cmp word ptr cs:[0x56a], 0xf9ea 0x1423d: jne 0x14243 0x1423f: clc 0x14240: jmp 0x14258 0x14242: nop 0x14243: call 0x240f6 0x14246: jb 0x14253 0x14248: cmp byte ptr cs:[0x56c], 0 0x1424e: je 0x14253 0x14250: call 0x1426d 0x14253: pushf 0x14254: call 0x1426d 0x14257: popf 0x14258: pushf 0x14259: cmp byte ptr cs:[0x15a], 0 0x1425f: je 0x14268 0x14261: mov byte ptr cs:[0x56c], 1 0x14267: nop
2018-12-25T11:48:41.979414903Z	42	PC: 140fd \| Get date 0x140fd: mov ax, word ptr cs:[0x1c5] 0x14101: or al, byte ptr cs:[0x1c4] 0x14106: or al, byte ptr cs:[0x1c3] 0x1410b: or al, ah 0x1410d: je 0x14143 0x1410f: cmp cx, word ptr cs:[0x1c9] 0x14114: ja 0x14128 0x14116: jb 0x14143 0x14118: cmp dh, byte ptr cs:[0x1c8] 0x1411d: ja 0x14128 0x1411f: jb 0x14143 0x14121: cmp dl, byte ptr cs:[0x1c7] 0x14126: jb 0x14143 0x14128: cmp cx, word ptr cs:[0x1c5] 0x1412d: ja 0x14143 0x1412f: jb 0x14141 0x14131: cmp dh, byte ptr cs:[0x1c4] 0x14136: ja 0x14143 0x14138: jb 0x14141 0x1413a: cmp dl, byte ptr cs:[0x1c3]
2018-12-25T11:48:41.982358782Z	42	PC: 140b0 \| Get date 0x140b0: mov al, dl 0x140b2: xor ah, ah 0x140b4: mov byte ptr cs:[0x1c7], al 0x140b8: mov byte ptr cs:[0x1c8], dh 0x140bd: mov word ptr cs:[0x1c9], cx 0x140c2: add ax, word ptr cs:[0x163] 0x140c7: push word ptr cs:[0x16f] 0x140cc: pop word ptr cs:[0x163] 0x140d1: cmp ax, 0x1c 0x140d4: jbe 0x140e6 0x140d6: sub ax, 0x1c 0x140d9: inc dh 0x140db: cmp dh, 0xc 0x140de: jbe 0x140d1 0x140e0: sub dh, 0xc 0x140e3: inc cx 0x140e4: jmp 0x140d1 0x140e6: mov byte ptr cs:[0x1c3], al 0x140ea: mov byte ptr cs:[0x1c4], dh 0x140ef: mov word ptr cs:[0x1c5], cx
2018-12-25T11:48:41.985369409Z	72	PC: 13f5e \| Allocate memory
2018-12-25T11:48:41.987696246Z	74	PC: 13f78 \| Reallocate memory
2018-12-25T11:48:41.989461852Z	72	PC: 13fa7 \| Allocate memory
2018-12-25T11:48:41.991647463Z	52	PC: 14026 \| Get InDOS flag pointer
2018-12-25T11:48:41.99406536Z	53	PC: 1405e \| Get interrupt vector (Interrupt = '40' AKA 'Random block write')
2018-12-25T11:48:41.995539562Z	37	PC: 1406e \| Set interrupt vector (Interrupt = '40' AKA 'Random block write')
2018-12-25T11:48:41.996961608Z	53	PC: 14073 \| Get interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T11:48:41.999104182Z	37	PC: 14083 \| Set interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T11:48:42.000623325Z	53	PC: 14088 \| Get interrupt vector (Interrupt = '8' AKA 'Console input without echo')
2018-12-25T11:48:42.001914566Z	37	PC: 14098 \| Set interrupt vector (Interrupt = '8' AKA 'Console input without echo')
2018-12-25T11:48:42.00613235Z	53	PC: 9f7fe \| Get interrupt vector (Interrupt = '28' AKA 'Get allocation info for specified drive')
2018-12-25T11:48:42.007812675Z	37	PC: 9f826 \| Set interrupt vector (Interrupt = '28' AKA 'Get allocation info for specified drive')

{"DateBased":true,"Day":1,"Month":1,"Year":1981,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":3199,"SideJobID":0}

.

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-25T11:48:41.973910136Z	48	PC: 13ee3 \| Get DOS version
2018-12-25T11:48:41.976241562Z	42	PC: 14230 \| Get date 0x14230: cmp cx, 0x7bc 0x14234: jne 0x14243 0x14236: cmp word ptr cs:[0x56a], 0xf9ea 0x1423d: jne 0x14243 0x1423f: clc 0x14240: jmp 0x14258 0x14242: nop 0x14243: call 0x240f6 0x14246: jb 0x14253 0x14248: cmp byte ptr cs:[0x56c], 0 0x1424e: je 0x14253 0x14250: call 0x1426d 0x14253: pushf 0x14254: call 0x1426d 0x14257: popf 0x14258: pushf 0x14259: cmp byte ptr cs:[0x15a], 0 0x1425f: je 0x14268 0x14261: mov byte ptr cs:[0x56c], 1 0x14267: nop
2018-12-25T11:48:41.978664943Z	42	PC: 140fd \| Get date 0x140fd: mov ax, word ptr cs:[0x1c5] 0x14101: or al, byte ptr cs:[0x1c4] 0x14106: or al, byte ptr cs:[0x1c3] 0x1410b: or al, ah 0x1410d: je 0x14143 0x1410f: cmp cx, word ptr cs:[0x1c9] 0x14114: ja 0x14128 0x14116: jb 0x14143 0x14118: cmp dh, byte ptr cs:[0x1c8] 0x1411d: ja 0x14128 0x1411f: jb 0x14143 0x14121: cmp dl, byte ptr cs:[0x1c7] 0x14126: jb 0x14143 0x14128: cmp cx, word ptr cs:[0x1c5] 0x1412d: ja 0x14143 0x1412f: jb 0x14141 0x14131: cmp dh, byte ptr cs:[0x1c4] 0x14136: ja 0x14143 0x14138: jb 0x14141 0x1413a: cmp dl, byte ptr cs:[0x1c3]
2018-12-25T11:48:41.981156977Z	42	PC: 140b0 \| Get date 0x140b0: mov al, dl 0x140b2: xor ah, ah 0x140b4: mov byte ptr cs:[0x1c7], al 0x140b8: mov byte ptr cs:[0x1c8], dh 0x140bd: mov word ptr cs:[0x1c9], cx 0x140c2: add ax, word ptr cs:[0x163] 0x140c7: push word ptr cs:[0x16f] 0x140cc: pop word ptr cs:[0x163] 0x140d1: cmp ax, 0x1c 0x140d4: jbe 0x140e6 0x140d6: sub ax, 0x1c 0x140d9: inc dh 0x140db: cmp dh, 0xc 0x140de: jbe 0x140d1 0x140e0: sub dh, 0xc 0x140e3: inc cx 0x140e4: jmp 0x140d1 0x140e6: mov byte ptr cs:[0x1c3], al 0x140ea: mov byte ptr cs:[0x1c4], dh 0x140ef: mov word ptr cs:[0x1c5], cx
2018-12-25T11:48:41.984098826Z	72	PC: 13f5e \| Allocate memory
2018-12-25T11:48:41.985842796Z	74	PC: 13f78 \| Reallocate memory
2018-12-25T11:48:41.987303217Z	72	PC: 13fa7 \| Allocate memory
2018-12-25T11:48:41.989115544Z	52	PC: 14026 \| Get InDOS flag pointer
2018-12-25T11:48:41.992205078Z	53	PC: 1405e \| Get interrupt vector (Interrupt = '40' AKA 'Random block write')
2018-12-25T11:48:41.993379604Z	37	PC: 1406e \| Set interrupt vector (Interrupt = '40' AKA 'Random block write')
2018-12-25T11:48:41.994604256Z	53	PC: 14073 \| Get interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T11:48:41.996704501Z	37	PC: 14083 \| Set interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T11:48:41.997906074Z	53	PC: 14088 \| Get interrupt vector (Interrupt = '8' AKA 'Console input without echo')
2018-12-25T11:48:41.999241982Z	37	PC: 14098 \| Set interrupt vector (Interrupt = '8' AKA 'Console input without echo')
2018-12-25T11:48:42.001215837Z	53	PC: 9f7fe \| Get interrupt vector (Interrupt = '28' AKA 'Get allocation info for specified drive')
2018-12-25T11:48:42.002502666Z	37	PC: 9f826 \| Set interrupt vector (Interrupt = '28' AKA 'Get allocation info for specified drive')