Sample viewer

vx.netlux.org/Virus.DOS.Xandu.2385

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-17T22:21:21.624520337Z	48	PC: 12cc3 \| Get DOS version
2018-12-17T22:21:21.626297959Z	29	PC: 12cd2 \| Reserved
2018-12-17T22:21:21.632564476Z	88	PC: 12d90 \| case 0xGet or set allocation strateg:
2018-12-17T22:21:21.634941368Z	88	PC: 12d9e \| case 0xGet or set allocation strateg:
2018-12-17T22:21:21.636600492Z	74	PC: 12de8 \| Reallocate memory
2018-12-17T22:21:21.638159259Z	72	PC: 12df0 \| Allocate memory
2018-12-17T22:21:21.64145131Z	42	PC: 134f8 \| Get date 0x134f8: cmp dl, 0xf 0x134fb: jne 0x1352d 0x134fd: mov ax, 0x2c00 0x13500: int 0x21 0x13502: test cl, 1 0x13505: je 0x1352d 0x13507: test dh, 1 0x1350a: je 0x1352d 0x1350c: mov cx, 0x18 0x1350f: lea dx, word ptr [bp + 0x85b] 0x13513: mov ax, 0x900 0x13516: int 0x21 0x13518: loop 0x1350f 0x1351a: lea dx, word ptr [bp + 0x889] 0x1351e: mov ax, 0x900 0x13521: int 0x21 0x13523: mov ax, 0x600 0x13526: mov dx, 0xff 0x13529: int 0x21 0x1352b: je 0x13523
2018-12-17T22:21:21.644377962Z	76	PC: 12aa4 \| Terminate with return code (Return code = '0')

{"DateBased":true,"Day":1,"Month":1,"Year":1980,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":3727,"SideJobID":0}

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-25T11:50:01.825056466Z	64	PC: 0 \| Write file or device (Write 2 bytes on handle 1)
2018-12-25T11:50:01.830762253Z	41	PC: 94fae \| Parse filename
2018-12-25T11:50:01.839202695Z	41	PC: 9502f \| Parse filename
2018-12-25T11:50:01.843275269Z	41	PC: 9504c \| Parse filename
2018-12-25T11:50:01.846268886Z	26	PC: 984f7 \| Set disk transfer address
2018-12-25T11:50:01.84989633Z	71	PC: 986f3 \| Get current directory
2018-12-25T11:50:01.853766852Z	78	PC: 986fe \| Find first file
2018-12-25T11:50:01.876902028Z	71	PC: 986f3 \| Get current directory (See above)
2018-12-25T11:50:01.880485432Z	78	PC: 986fe \| Find first file (See above)
2018-12-25T11:50:01.890510456Z	64	PC: 9a848 \| Write file or device (Write 26 bytes on handle 2)
2018-12-25T11:50:01.895267803Z	37	PC: 123c4 \| Set interrupt vector (Interrupt = '34' AKA 'Random write')
2018-12-25T11:50:01.89762149Z	37	PC: 123cb \| Set interrupt vector (Interrupt = '35' AKA 'Get file size in records')
2018-12-25T11:50:01.902721354Z	37	PC: 123d2 \| Set interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-25T11:50:01.904126976Z	62	PC: 122ab \| Close file
2018-12-25T11:50:01.9068048Z	62	PC: 122ab \| Close file (See above)
2018-12-25T11:50:01.908698657Z	62	PC: 122ab \| Close file (See above)
2018-12-25T11:50:01.910397578Z	62	PC: 122ab \| Close file (See above)
2018-12-25T11:50:01.912088438Z	62	PC: 122ab \| Close file (See above)
2018-12-25T11:50:01.923474524Z	62	PC: 122ab \| Close file (See above)
2018-12-25T11:50:01.926265466Z	62	PC: 122ab \| Close file (See above)
2018-12-25T11:50:01.928329988Z	62	PC: 122ab \| Close file (See above)
2018-12-25T11:50:01.931921252Z	62	PC: 122ab \| Close file (See above)
2018-12-25T11:50:01.932993168Z	62	PC: 122ab \| Close file (See above)
2018-12-25T11:50:01.934509784Z	62	PC: 122ab \| Close file (See above)
2018-12-25T11:50:01.936742898Z	62	PC: 122ab \| Close file (See above)
2018-12-25T11:50:01.937750411Z	62	PC: 122ab \| Close file (See above)
2018-12-25T11:50:01.938760762Z	62	PC: 122ab \| Close file (See above)
2018-12-25T11:50:01.940219685Z	62	PC: 122ab \| Close file (See above)
2018-12-25T11:50:01.941592891Z	99	PC: 9a5d7 \| Get DBCS lead byte table pointer
2018-12-25T11:50:01.942739851Z	56	PC: 94df9 \| Get or set country info
2018-12-25T11:50:01.950590007Z	64	PC: 9a848 \| Write file or device (See above)
2018-12-25T11:50:01.953206648Z	25	PC: 94e62 \| Get default drive
2018-12-25T11:50:01.954325157Z	71	PC: 970dd \| Get current directory
2018-12-25T11:50:01.960475908Z	64	PC: 9a848 \| Write file or device (See above)
2018-12-25T11:50:01.962732473Z	2	PC: 970b2 \| Character output (Char = '3e')
2018-12-25T11:50:01.964316348Z	93	PC: 94f20 \| File sharing functions
2018-12-25T11:50:01.966421149Z	93	PC: 94f27 \| File sharing functions
2018-12-25T11:50:01.968779627Z	10	PC: 94f39 \| Buffered keyboard input
2018-12-25T11:50:16.871502092Z	0	PC: 0 \| Program terminate (See above)
2018-12-25T11:50:18.226477644Z	0	PC: 0 \| Program terminate (See above)
2018-12-25T11:50:18.328907298Z	64	PC: 9a848 \| Write file or device (See above)
2018-12-25T11:50:18.336019416Z	41	PC: 94fae \| Parse filename (See above)
2018-12-25T11:50:18.338118826Z	41	PC: 9502f \| Parse filename (See above)
2018-12-25T11:50:18.339879826Z	41	PC: 9504c \| Parse filename (See above)
2018-12-25T11:50:18.344207555Z	26	PC: 984f7 \| Set disk transfer address (See above)
2018-12-25T11:50:18.346576765Z	71	PC: 986f3 \| Get current directory (See above)
2018-12-25T11:50:18.354445441Z	78	PC: 986fe \| Find first file (See above)
2018-12-25T11:50:18.365282671Z	71	PC: 9856c \| Get current directory
2018-12-25T11:50:18.368974409Z	73	PC: 97c09 \| Release memory
2018-12-25T11:50:18.370544346Z	75	PC: 11821 \| Execute program
2018-12-25T11:50:18.387363071Z	9	PC: 12a47 \| Display string (String= 'Hello, World! ')
2018-12-25T11:50:18.391647853Z	76	PC: 12a4b \| Terminate with return code (Return code = '36')

{"DateBased":true,"Day":15,"Month":1,"Year":1980,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":3727,"SideJobID":0}

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-25T11:50:01.881930706Z	47	PC: 12ba7 \| Get disk transfer address
2018-12-25T11:50:01.884202078Z	26	PC: 12bba \| Set disk transfer address
2018-12-25T11:50:01.885770531Z	78	PC: 12c46 \| Find first file
2018-12-25T11:50:01.89218863Z	67	PC: 12c84 \| Get or set file attributes
2018-12-25T11:50:01.898797793Z	67	PC: 12c96 \| Get or set file attributes
2018-12-25T11:50:02.898860724Z	61	PC: 12ca1 \| Open file (Filename = 'SLEEP.COM')
2018-12-25T11:50:02.903064533Z	87	PC: 12cad \| Get or set file date and time
2018-12-25T11:50:02.904667692Z	63	PC: 12cc2 \| Read file or device (Read 3 bytes on handle 5)
2018-12-25T11:50:02.939172726Z	66	PC: 12cd4 \| Move file pointer
2018-12-25T11:50:02.940446913Z	64	PC: 12cf8 \| Write file or device (Write 2437 bytes on handle 5)
2018-12-25T11:50:02.969569593Z	66	PC: 12d0a \| Move file pointer
2018-12-25T11:50:02.97159285Z	64	PC: 12d19 \| Write file or device (Write 3 bytes on handle 5)
2018-12-25T11:50:02.977884129Z	87	PC: 12d2c \| Get or set file date and time
2018-12-25T11:50:02.979838558Z	62	PC: 12d30 \| Close file
2018-12-25T11:50:03.020284517Z	67	PC: 12d3f \| Get or set file attributes
2018-12-25T11:50:03.061194442Z	42	PC: 12d44 \| Get date 0x12d44: cmp cx, 0x7c7 0x12d48: jne 0x12d4f 0x12d4a: cmp dh, 1 0x12d4d: je 0x12d61 0x12d4f: cmp al, 0 0x12d51: jne 0x12d61 0x12d53: mov dx, si 0x12d55: mov ah, 9 0x12d57: add dx, 0x16 0x12d5a: nop 0x12d5b: int 0x21 0x12d5d: mov ah, 8 0x12d5f: int 0x21 0x12d61: mov dx, word ptr [si] 0x12d63: nop 0x12d64: nop 0x12d65: mov ds, word ptr [si + 2] 0x12d68: nop 0x12d69: mov ah, 0x1a 0x12d6b: int 0x21
2018-12-25T11:50:03.064749954Z	26	PC: 12d6d \| Set disk transfer address
2018-12-25T11:50:03.066085474Z	9	PC: 12a82 \| Display string (String= 'Goat file (COM). Size=0000014Dh/0000000333d bytes. ')
2018-12-25T11:50:03.071768839Z	76	PC: 12a86 \| Terminate with return code (Return code = '36')