Sample viewer

vx.netlux.org/Virus.DOS.Qumak.1161.b

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-17T22:19:16.830501087Z	48	PC: 13e7b \| Get DOS version
2018-12-17T22:19:16.832511261Z	47	PC: 13e92 \| Get disk transfer address
2018-12-17T22:19:16.83359657Z	26	PC: 13ea1 \| Set disk transfer address
2018-12-17T22:19:16.834655097Z	78	PC: 13f3e \| Find first file
2018-12-17T22:19:16.838816522Z	61	PC: 13fa4 \| Open file (Filename = 'SLEEP.COM')
2018-12-17T22:19:16.843448384Z	63	PC: 13fb7 \| Read file or device (Read 7 bytes on handle 5)
2018-12-17T22:19:16.850231791Z	62	PC: 13fbb \| Close file
2018-12-17T22:19:16.852308328Z	67	PC: 13ffe \| Get or set file attributes
2018-12-17T22:19:16.862380501Z	67	PC: 1400e \| Get or set file attributes
2018-12-17T22:19:16.887706947Z	61	PC: 14018 \| Open file (Filename = 'SLEEP.COM')
2018-12-17T22:19:16.901568967Z	87	PC: 14024 \| Get or set file date and time
2018-12-17T22:19:16.904948765Z	44	PC: 1402e \| Get time 0x1402e: and dh, 7 0x14031: je 0x14036 0x14033: jmp 0x140bf 0x14036: push bx 0x14037: push si 0x14038: mov ah, 8 0x1403a: mov dl, 0x80 0x1403c: int 0x13 0x1403e: cmp dl, 0 0x14041: je 0x140af 0x14043: mov al, cl 0x14045: and al, 0x3f 0x14047: mov byte ptr [si + 0xf4], al 0x1404b: mov al, ch 0x1404d: mov ah, cl 0x1404f: and ah, 0xc0 0x14052: mov cl, 6 0x14054: shr ah, cl 0x14056: mov word ptr [si + 0xf1], ax 0x1405a: mov byte ptr [si + 0xf3], dh
2018-12-17T22:19:16.908386227Z	44	PC: 14062 \| Get time 0x14062: shr dl, 1 0x14064: shr dl, 1 0x14066: and dl, 7 0x14069: cmp dl, byte ptr [si + 0xf3] 0x1406d: ja 0x1405e 0x1406f: mov byte ptr [si + 0xf7], dl 0x14073: push ds 0x14074: mov ax, 0 0x14077: mov ds, ax 0x14079: mov bx, 0x46c 0x1407c: mov ax, word ptr [bx] 0x1407e: mov dx, word ptr [bx + 2] 0x14081: pop ds 0x14082: div word ptr [si + 0xf1] 0x14086: cmp dx, word ptr [si + 0xf1] 0x1408a: jbe 0x14090 0x1408c: shr dx, 1 0x1408e: jmp 0x14086 0x14090: mov word ptr [si + 0xf5], dx 0x14094: mov ax, dx
2018-12-17T22:19:17.577102247Z	87	PC: 14181 \| Get or set file date and time
2018-12-17T22:19:17.580658011Z	62	PC: 14185 \| Close file
2018-12-17T22:19:17.589453126Z	67	PC: 14194 \| Get or set file attributes
2018-12-17T22:19:17.60094634Z	26	PC: 1419e \| Set disk transfer address
2018-12-17T22:19:17.603252109Z	9	PC: 12a85 \| Display string (String= 'Sophos Ltd, Oxford sacrificial COM goat 1400H bytes long ')
2018-12-17T22:19:17.610715565Z	0	PC: 12a89 \| Program terminate

{"DateBased":false,"Day":0,"Month":0,"Year":0,"Hour":0,"Min":0,"Second":7,"TimeBased":true,"OriginalID":3311,"SideJobID":0}

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-25T11:48:47.274592633Z	48	PC: 13e7b \| Get DOS version
2018-12-25T11:48:47.276111002Z	47	PC: 13e92 \| Get disk transfer address
2018-12-25T11:48:47.277002529Z	26	PC: 13ea1 \| Set disk transfer address
2018-12-25T11:48:47.277968886Z	78	PC: 13f3e \| Find first file
2018-12-25T11:48:47.284118397Z	61	PC: 13fa4 \| Open file (Filename = 'SLEEP.COM')
2018-12-25T11:48:47.29038873Z	63	PC: 13fb7 \| Read file or device (Read 7 bytes on handle 5)
2018-12-25T11:48:47.296329219Z	62	PC: 13fbb \| Close file
2018-12-25T11:48:47.298500837Z	67	PC: 13ffe \| Get or set file attributes
2018-12-25T11:48:47.304076751Z	67	PC: 1400e \| Get or set file attributes
2018-12-25T11:48:48.360822583Z	61	PC: 14018 \| Open file (Filename = 'SLEEP.COM')
2018-12-25T11:48:48.373758674Z	87	PC: 14024 \| Get or set file date and time
2018-12-25T11:48:48.375925539Z	44	PC: 1402e \| Get time 0x1402e: and dh, 7 0x14031: je 0x14036 0x14033: jmp 0x140bf 0x14036: push bx 0x14037: push si 0x14038: mov ah, 8 0x1403a: mov dl, 0x80 0x1403c: int 0x13 0x1403e: cmp dl, 0 0x14041: je 0x140af 0x14043: mov al, cl 0x14045: and al, 0x3f 0x14047: mov byte ptr [si + 0xf4], al 0x1404b: mov al, ch 0x1404d: mov ah, cl 0x1404f: and ah, 0xc0 0x14052: mov cl, 6 0x14054: shr ah, cl 0x14056: mov word ptr [si + 0xf1], ax 0x1405a: mov byte ptr [si + 0xf3], dh
2018-12-25T11:48:48.37844061Z	63	PC: 140cb \| Read file or device (Read 7 bytes on handle 5)
2018-12-25T11:48:48.386375306Z	66	PC: 140e3 \| Move file pointer
2018-12-25T11:48:48.388412146Z	44	PC: 1410f \| Get time 0x1410f: mov dl, cl 0x14111: add dl, dh 0x14113: add dl, 0x82 0x14116: mov byte ptr [si - 1], dl 0x14119: mov bx, si 0x1411b: mov cx, 0xf9 0x1411e: mov al, byte ptr [bx] 0x14120: xor al, dl 0x14122: mov byte ptr [bx], al 0x14124: inc bx 0x14125: loop 0x1411e 0x14127: pop ax 0x14128: pop bx 0x14129: pop cx 0x1412a: pop dx 0x1412b: int 0x21 0x1412d: push dx 0x1412e: push cx 0x1412f: push bx 0x14130: push ax
2018-12-25T11:48:48.391027813Z	64	PC: 1412d \| Write file or device (Write 1161 bytes on handle 5)
2018-12-25T11:48:48.39985778Z	66	PC: 1415a \| Move file pointer
2018-12-25T11:48:48.402864688Z	64	PC: 14168 \| Write file or device (Write 3 bytes on handle 5)
2018-12-25T11:48:48.409607584Z	64	PC: 14175 \| Write file or device (Write 4 bytes on handle 5)
2018-12-25T11:48:48.412557266Z	87	PC: 14181 \| Get or set file date and time
2018-12-25T11:48:48.416283989Z	62	PC: 14185 \| Close file
2018-12-25T11:48:48.424356851Z	67	PC: 14194 \| Get or set file attributes
2018-12-25T11:48:48.434402995Z	26	PC: 1419e \| Set disk transfer address
2018-12-25T11:48:48.436582603Z	9	PC: 12a85 \| Display string (String= 'Sophos Ltd, Oxford sacrificial COM goat 1400H bytes long ')
2018-12-25T11:48:48.442294345Z	0	PC: 12a89 \| Program terminate

{"DateBased":false,"Day":0,"Month":0,"Year":0,"Hour":0,"Min":0,"Second":0,"TimeBased":true,"OriginalID":3311,"SideJobID":0}

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-25T11:48:47.723644165Z	48	PC: 13e7b \| Get DOS version
2018-12-25T11:48:47.725399291Z	47	PC: 13e92 \| Get disk transfer address
2018-12-25T11:48:47.726487435Z	26	PC: 13ea1 \| Set disk transfer address
2018-12-25T11:48:47.727570392Z	78	PC: 13f3e \| Find first file
2018-12-25T11:48:47.734181466Z	61	PC: 13fa4 \| Open file (Filename = 'SLEEP.COM')
2018-12-25T11:48:47.740471646Z	63	PC: 13fb7 \| Read file or device (Read 7 bytes on handle 5)
2018-12-25T11:48:47.746772269Z	62	PC: 13fbb \| Close file
2018-12-25T11:48:47.748673658Z	67	PC: 13ffe \| Get or set file attributes
2018-12-25T11:48:47.75440625Z	67	PC: 1400e \| Get or set file attributes
2018-12-25T11:48:48.359837658Z	61	PC: 14018 \| Open file (Filename = 'SLEEP.COM')
2018-12-25T11:48:48.36768076Z	87	PC: 14024 \| Get or set file date and time
2018-12-25T11:48:48.371956617Z	44	PC: 1402e \| Get time 0x1402e: and dh, 7 0x14031: je 0x14036 0x14033: jmp 0x140bf 0x14036: push bx 0x14037: push si 0x14038: mov ah, 8 0x1403a: mov dl, 0x80 0x1403c: int 0x13 0x1403e: cmp dl, 0 0x14041: je 0x140af 0x14043: mov al, cl 0x14045: and al, 0x3f 0x14047: mov byte ptr [si + 0xf4], al 0x1404b: mov al, ch 0x1404d: mov ah, cl 0x1404f: and ah, 0xc0 0x14052: mov cl, 6 0x14054: shr ah, cl 0x14056: mov word ptr [si + 0xf1], ax 0x1405a: mov byte ptr [si + 0xf3], dh
2018-12-25T11:48:48.374892404Z	63	PC: 140cb \| Read file or device (Read 7 bytes on handle 5)
2018-12-25T11:48:48.379285536Z	66	PC: 140e3 \| Move file pointer
2018-12-25T11:48:48.381988967Z	44	PC: 1410f \| Get time 0x1410f: mov dl, cl 0x14111: add dl, dh 0x14113: add dl, 0x82 0x14116: mov byte ptr [si - 1], dl 0x14119: mov bx, si 0x1411b: mov cx, 0xf9 0x1411e: mov al, byte ptr [bx] 0x14120: xor al, dl 0x14122: mov byte ptr [bx], al 0x14124: inc bx 0x14125: loop 0x1411e 0x14127: pop ax 0x14128: pop bx 0x14129: pop cx 0x1412a: pop dx 0x1412b: int 0x21 0x1412d: push dx 0x1412e: push cx 0x1412f: push bx 0x14130: push ax
2018-12-25T11:48:48.384905398Z	64	PC: 1412d \| Write file or device (Write 1161 bytes on handle 5)
2018-12-25T11:48:48.39414204Z	66	PC: 1415a \| Move file pointer
2018-12-25T11:48:48.396559819Z	64	PC: 14168 \| Write file or device (Write 3 bytes on handle 5)
2018-12-25T11:48:48.402868274Z	64	PC: 14175 \| Write file or device (Write 4 bytes on handle 5)
2018-12-25T11:48:48.405191869Z	87	PC: 14181 \| Get or set file date and time
2018-12-25T11:48:48.407322672Z	62	PC: 14185 \| Close file
2018-12-25T11:48:48.417165895Z	67	PC: 14194 \| Get or set file attributes
2018-12-25T11:48:48.428595532Z	26	PC: 1419e \| Set disk transfer address
2018-12-25T11:48:48.435939776Z	9	PC: 12a85 \| Display string (String= 'Sophos Ltd, Oxford sacrificial COM goat 1400H bytes long ')
2018-12-25T11:48:48.441503454Z	0	PC: 12a89 \| Program terminate