Sample viewer

vx.netlux.org/Trojan.DOS.Wini

Syscalls:

Time                            Op  PC         | Syscall name (details)
Op is the INT 21h function number (AH) in decimal, so 61 is AH=3Dh Open file and 64 is AH=40h Write file; PC is the address following the int 21h instruction; interrupt numbers quoted in the details are decimal as well.
2018-12-17T22:19:05.584866292Z 48 PC: 12a4c | Get DOS version
2018-12-17T22:19:05.586672295Z 53 PC: 12b75 | Get interrupt vector (Interrupt = '0' AKA 'Divide error')
2018-12-17T22:19:05.590139901Z 53 PC: 12b82 | Get interrupt vector (Interrupt = '4' AKA 'Overflow (INTO)')
2018-12-17T22:19:05.592496866Z 53 PC: 12b8f | Get interrupt vector (Interrupt = '5' AKA 'BOUND range exceeded / Print Screen')
2018-12-17T22:19:05.594264271Z 53 PC: 12b9c | Get interrupt vector (Interrupt = '6' AKA 'Invalid opcode')
2018-12-17T22:19:05.597660007Z 37 PC: 12bb0 | Set interrupt vector (Interrupt = '0' AKA 'Divide error')
2018-12-17T22:19:05.59978788Z 74 PC: 12af4 | Reallocate memory
2018-12-17T22:19:05.602557715Z 74 PC: 138d8 | Reallocate memory
2018-12-17T22:19:05.609694024Z 68 PC: 14179 | I/O control for devices (Set for = '')
2018-12-17T22:19:05.617098413Z 64 PC: 146dc | Write file or device (Write 1 bytes on handle 1)
2018-12-17T22:19:05.62056002Z 64 PC: 146dc | Write file or device (Write 1 bytes on handle 1)
2018-12-17T22:19:05.623401129Z 64 PC: 146dc | Write file or device (Write 1 bytes on handle 1)
2018-12-17T22:19:05.626436169Z 64 PC: 146dc | Write file or device (Write 1 bytes on handle 1)
2018-12-17T22:19:05.628682862Z 64 PC: 146dc | Write file or device (Write 1 bytes on handle 1)
2018-12-17T22:19:05.630921774Z 64 PC: 146dc | Write file or device (Write 1 bytes on handle 1)
2018-12-17T22:19:05.638189906Z 64 PC: 146dc | Write file or device (Write 1 bytes on handle 1)
2018-12-17T22:19:05.640310824Z 64 PC: 146dc | Write file or device (Write 1 bytes on handle 1)
2018-12-17T22:19:05.643838866Z 61 PC: 13d7e | Open file (Filename = 'c:\windows\win32.ini')
2018-12-17T22:19:05.658461889Z 42 PC: 16040 | Get date
    Disassembly at PC. 0x16040 is the return point after the int 21h of the AH=2Ah (Get date) wrapper: CX (year) and DX (month/day) are stored through the far pointer passed at [bp+6]. The routine starting at 0x1604f is the matching AH=2Ch (Get time) wrapper.
    0x16040: les bx, ptr [bp + 6]
    0x16043: mov word ptr es:[bx], cx
    0x16046: les bx, ptr [bp + 6]
    0x16049: mov word ptr es:[bx + 2], dx
    0x1604d: pop bp
    0x1604e: retf
    0x1604f: push bp
    0x16050: mov bp, sp
    0x16052: mov ah, 0x2c
    0x16054: int 0x21
    0x16056: les bx, ptr [bp + 6]
    0x16059: mov word ptr es:[bx], cx
    0x1605c: les bx, ptr [bp + 6]
    0x1605f: mov word ptr es:[bx + 2], dx
    0x16063: pop bp
    0x16064: retf
    0x16065: push bp
    0x16066: mov bp, sp
    0x16068: sub sp, 4
    0x1606b: push si
2018-12-17T22:19:05.660390867Z 44 PC: 16056 | Get time
    Disassembly at PC. 0x16056 is the return point after the int 0x21 at 0x16054 (AH=2Ch, Get time): CX (hours/minutes) and DX (seconds/hundredths) are stored through the far pointer at [bp+6]. The code from 0x16065 onward is a separate routine that null-checks a far pointer (es OR di) and then scans for a terminating zero byte with repne scasb, a strlen-style loop.
    0x16056: les bx, ptr [bp + 6]
    0x16059: mov word ptr es:[bx], cx
    0x1605c: les bx, ptr [bp + 6]
    0x1605f: mov word ptr es:[bx + 2], dx
    0x16063: pop bp
    0x16064: retf
    0x16065: push bp
    0x16066: mov bp, sp
    0x16068: sub sp, 4
    0x1606b: push si
    0x1606c: push di
    0x1606d: les di, ptr [bp + 6]
    0x16070: mov ax, es
    0x16072: or ax, di
    0x16074: je 0x16096
    0x16076: mov al, 0
    0x16078: mov ah, byte ptr es:[di]
    0x1607b: mov cx, 0xffff
    0x1607e: cld
    0x1607f: repne scasb al, byte ptr es:[di]
2018-12-17T22:19:05.662740846Z 42 PC: 16040 | Get date
    (disassembly context identical to the PC 16040 dump above)
2018-12-17T22:19:05.665117695Z 42 PC: 16040 | Get date
    (disassembly context identical to the PC 16040 dump above)
2018-12-17T22:19:05.666941188Z 43 PC: 165f4 | Set date
2018-12-17T22:19:05.669670461Z 44 PC: 16056 | Get time
    (disassembly context identical to the PC 16056 dump above)
2018-12-17T22:19:05.686360009Z 44 PC: 16056 | Get time
    (disassembly context identical to the PC 16056 dump above)
2018-12-17T22:19:05.689671338Z 45 PC: 16609 | Set time
2018-12-17T22:19:05.695943669Z 67 PC: 14a2e | Get or set file attributes
2018-12-17T22:19:05.70565614Z 61 PC: 13d7e | Open file (Filename = 'c:\autoexec.bat')
2018-12-17T22:19:05.713480564Z 68 PC: 14155 | I/O control for devices (Set for = 'Divide error Abnormal program termination W�')
2018-12-17T22:19:05.715198712Z 68 PC: 14179 | I/O control for devices
2018-12-17T22:19:05.717435455Z 74 PC: 138d8 | Reallocate memory
2018-12-17T22:19:05.721956549Z 66 PC: 14755 | Move file pointer
2018-12-17T22:19:05.723962153Z 64 PC: 146dc | Write file or device (Write 25 bytes on handle 5)
2018-12-17T22:19:05.728063103Z 74 PC: 138d8 | Reallocate memory
2018-12-17T22:19:05.730834292Z 62 PC: 143d6 | Close file
2018-12-17T22:19:06.074632276Z 67 PC: 14a2e | Get or set file attributes
2018-12-17T22:19:06.081998879Z 61 PC: 13d7e | Open file (Filename = 'c:\config.sys')
2018-12-17T22:19:06.09121226Z 68 PC: 14155 | I/O control for devices (Set for = 'Divide error Abnormal program termination W�')
2018-12-17T22:19:06.093764156Z 68 PC: 14179 | I/O control for devices
2018-12-17T22:19:06.096808369Z 74 PC: 138d8 | Reallocate memory
2018-12-17T22:19:06.101741446Z 66 PC: 14755 | Move file pointer
2018-12-17T22:19:06.103684016Z 64 PC: 146dc | Write file or device (Write 13 bytes on handle 5)
2018-12-17T22:19:06.111055526Z 74 PC: 138d8 | Reallocate memory
2018-12-17T22:19:06.114073998Z 62 PC: 143d6 | Close file
2018-12-17T22:19:06.123908965Z 55 PC: 160dd | Get or set switch character
2018-12-17T22:19:06.127553388Z 41 PC: 13018 | Parse filename
2018-12-17T22:19:06.12971584Z 41 PC: 13026 | Parse filename
2018-12-17T22:19:06.131585223Z 75 PC: 13069 | Execute program
2018-12-17T22:19:06.156523175Z 80 PC: 1a029 | Set current PSP
2018-12-17T22:19:06.157517036Z 48 PC: 1a02e | Get DOS version
2018-12-17T22:19:06.159390075Z 99 PC: 20810 | Get DBCS lead byte table pointer
2018-12-17T22:19:06.162252963Z 101 PC: 1a0b4 | Get extended country info
2018-12-17T22:19:06.164119158Z 99 PC: 1a0ba | Get DBCS lead byte table pointer
2018-12-17T22:19:06.166420062Z 74 PC: 1a11c | Reallocate memory
2018-12-17T22:19:06.168052757Z 25 PC: 1a153 | Get default drive
2018-12-17T22:19:06.169492846Z 37 PC: 19c13 | Set interrupt vector (Interrupt = '34' AKA 'Terminate address (INT 22h)')
2018-12-17T22:19:06.171438403Z 37 PC: 19c1a | Set interrupt vector (Interrupt = '35' AKA 'Ctrl-C handler (INT 23h)')
2018-12-17T22:19:06.173028751Z 37 PC: 19c21 | Set interrupt vector (Interrupt = '36' AKA 'Critical error handler (INT 24h)')
2018-12-17T22:19:06.17836977Z 74 PC: 18dbc | Reallocate memory
2018-12-17T22:19:06.181150074Z 72 PC: 18dfd | Allocate memory
2018-12-17T22:19:06.183489495Z 72 PC: 18e35 | Allocate memory
2018-12-17T22:19:06.18597029Z 72 PC: 18e3d | Allocate memory
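A triage script for a trace in this format, added here as an example; it is not part of the sample viewer or of the sandbox that produced the log. It assumes the row layout seen above (ISO timestamp, decimal INT 21h AH value, PC: hex, " | ", a description with optional Key = 'value' details) and reads a condensed copy of the rows above as constructed input. The handle-to-path pairing is a heuristic, because the handle returned by Open is never logged, and the vector meanings come from the standard 8086/DOS assignments rather than from the trace. It pulls out what an analyst would note in this sample: seek-then-write to c:\autoexec.bat and c:\config.sys (boot-time persistence), interrupt vector hooks, Set date/Set time calls, and child process execution.

```python
"""Triage a vx.netlux.org-style DOS INT 21h syscall trace (added example).

Assumes rows of the form "<timestamp> <AH decimal> PC: <hex> | <description>";
disassembly dump lines interleaved with the rows are skipped. The path that a
write lands in is taken from the most recent Open that has not been closed, a
heuristic because the trace does not log the handle Open returned.
"""
import re
from collections import defaultdict

# INT 21h AH values, which the trace prints in decimal.
OP_SET_VECTOR, OP_OPEN, OP_CLOSE, OP_WRITE = 0x25, 0x3D, 0x3E, 0x40
OP_SET_DATE, OP_SET_TIME, OP_EXEC = 0x2B, 0x2D, 0x4B

# Standard 8086/DOS vector assignments, keyed by the decimal number the trace prints.
VECTOR_NAMES = {
    0: "divide error (CPU)",
    4: "overflow, INTO (CPU)",
    5: "BOUND range exceeded / Print Screen",
    6: "invalid opcode (CPU)",
    0x22: "terminate address (INT 22h)",
    0x23: "Ctrl-C handler (INT 23h)",
    0x24: "critical error handler (INT 24h)",
}

# Appending to either file makes the sample run again on every boot.
BOOT_FILES = {"c:\\autoexec.bat", "c:\\config.sys"}

ROW = re.compile(r"^(\S+)\s+(\d+)\s+PC:\s*([0-9a-fA-F]+)\s*\|\s*(.*)$")
DETAIL = re.compile(r"(\w[\w ]*?)\s*=\s*'([^']*)'")
WRITE = re.compile(r"Write (\d+) bytes on handle (\d+)")

# Constructed sample: rows condensed from the trace above (AKA annotations dropped,
# one disassembly line kept to show it is ignored).
SAMPLE_TRACE = r"""
2018-12-17T22:19:05.584866292Z 48 PC: 12a4c | Get DOS version
2018-12-17T22:19:05.586672295Z 53 PC: 12b75 | Get interrupt vector (Interrupt = '0')
2018-12-17T22:19:05.597660007Z 37 PC: 12bb0 | Set interrupt vector (Interrupt = '0')
2018-12-17T22:19:05.617098413Z 64 PC: 146dc | Write file or device (Write 1 bytes on handle 1)
2018-12-17T22:19:05.643838866Z 61 PC: 13d7e | Open file (Filename = 'c:\windows\win32.ini')
2018-12-17T22:19:05.658461889Z 42 PC: 16040 | Get date 0x16040: les bx, ptr [bp + 6]
0x16043: mov word ptr es:[bx], cx
2018-12-17T22:19:05.666941188Z 43 PC: 165f4 | Set date
2018-12-17T22:19:05.689671338Z 45 PC: 16609 | Set time
2018-12-17T22:19:05.70565614Z 61 PC: 13d7e | Open file (Filename = 'c:\autoexec.bat')
2018-12-17T22:19:05.721956549Z 66 PC: 14755 | Move file pointer
2018-12-17T22:19:05.723962153Z 64 PC: 146dc | Write file or device (Write 25 bytes on handle 5)
2018-12-17T22:19:05.730834292Z 62 PC: 143d6 | Close file
2018-12-17T22:19:06.081998879Z 61 PC: 13d7e | Open file (Filename = 'c:\config.sys')
2018-12-17T22:19:06.101741446Z 66 PC: 14755 | Move file pointer
2018-12-17T22:19:06.103684016Z 64 PC: 146dc | Write file or device (Write 13 bytes on handle 5)
2018-12-17T22:19:06.114073998Z 62 PC: 143d6 | Close file
2018-12-17T22:19:06.131585223Z 75 PC: 13069 | Execute program
2018-12-17T22:19:06.169492846Z 37 PC: 19c13 | Set interrupt vector (Interrupt = '34')
2018-12-17T22:19:06.171438403Z 37 PC: 19c1a | Set interrupt vector (Interrupt = '35')
2018-12-17T22:19:06.173028751Z 37 PC: 19c21 | Set interrupt vector (Interrupt = '36')
"""


def parse_rows(lines):
    """Yield (op, pc, text, details) for each syscall row; skip everything else."""
    for line in lines:
        m = ROW.match(line.strip())
        if not m:
            continue  # disassembly context, header or blank line
        _ts, op, pc, text = m.groups()
        details = {k.strip(): v for k, v in DETAIL.findall(text)}
        yield int(op), int(pc, 16), text, details


def triage(lines):
    """Flag boot-file tampering, vector hooks, clock changes and child processes."""
    report = {
        "files_written": defaultdict(int),  # path -> bytes written
        "boot_file_tamper": [],
        "vectors_hooked": [],  # (number, meaning)
        "clock_tampered": False,
        "exec_count": 0,
    }
    current_path = None  # most recent Open not yet closed (heuristic)
    for op, _pc, text, details in parse_rows(lines):
        if op == OP_OPEN:
            current_path = details.get("Filename", "").lower()
        elif op == OP_CLOSE:
            current_path = None
        elif op == OP_WRITE:
            w = WRITE.search(text)
            # Handles 0-4 are the standard devices; 5 is the first file handle.
            if w and int(w.group(2)) >= 5 and current_path:
                report["files_written"][current_path] += int(w.group(1))
                if current_path in BOOT_FILES:
                    report["boot_file_tamper"].append(current_path)
        elif op == OP_SET_VECTOR:
            n = int(details.get("Interrupt", "-1"))
            report["vectors_hooked"].append((n, VECTOR_NAMES.get(n, "unknown")))
        elif op in (OP_SET_DATE, OP_SET_TIME):
            report["clock_tampered"] = True
        elif op == OP_EXEC:
            report["exec_count"] += 1
    report["files_written"] = dict(report["files_written"])
    return report


if __name__ == "__main__":
    print(triage(SAMPLE_TRACE.splitlines()))
```

Run it directly to print the report for the embedded rows, or feed it a saved trace with `triage(open(path).read().splitlines())`. The 25- and 13-byte writes on handle 5 are attributed to the last opened path only because this log shows one file open at a time and handles 0-4 are the standard devices; a trace with several concurrent file handles would need the real handle returned by Open.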