Sample viewer

vx.netlux.org/Virus.DOS.Party.557.a

.

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-17T22:21:25.574622755Z	71	PC: 12a76 \| Get current directory
2018-12-17T22:21:25.579589213Z	53	PC: 12bba \| Get interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-17T22:21:25.580929537Z	53	PC: 12a88 \| Get interrupt vector (Interrupt = '42' AKA 'Get date')
2018-12-17T22:21:25.582243949Z	37	PC: 12bca \| Set interrupt vector (Interrupt = '42' AKA 'Get date')
2018-12-17T22:21:25.592684522Z	26	PC: 12aa2 \| Set disk transfer address
2018-12-17T22:21:25.593880451Z	78	PC: 12bca \| Find first file
2018-12-17T22:21:25.599941913Z	61	PC: 12bca \| Open file (Filename = '')
2018-12-17T22:21:25.612049608Z	63	PC: 12bca \| Read file or device (Read 4 bytes on handle 5)
2018-12-17T22:21:25.618997802Z	64	PC: 12bca \| Write file or device (Write 557 bytes on handle 5)
2018-12-17T22:21:25.632726212Z	64	PC: 12bca \| Write file or device (Write 4 bytes on handle 5)
2018-12-17T22:21:25.645664662Z	62	PC: 12bca \| Close file
2018-12-17T22:21:25.655736823Z	59	PC: 12b19 \| Change current directory
2018-12-17T22:21:25.657933591Z	26	PC: 12b20 \| Set disk transfer address
2018-12-17T22:21:25.659901513Z	37	PC: 12bca \| Set interrupt vector (Interrupt = '42' AKA 'Get date')
2018-12-17T22:21:25.662141158Z	42	PC: 12b32 \| Get date 0x12b32: cmp dx, 0x701 0x12b36: jne 0x12b40 0x12b38: mov ah, 9 0x12b3a: lea dx, word ptr [si + 0x2e8] 0x12b3e: int 0x21 0x12b40: push 0x100 0x12b43: ret 0x12b44: mov ax, word ptr es:[di + 0x11] 0x12b48: mov word ptr es:[di + 0x15], ax 0x12b4c: sub ax, 3 0x12b4f: mov word ptr [si + 0x2e5], ax 0x12b53: mov ah, 0x40 0x12b55: mov cx, 0x22d 0x12b58: lea dx, word ptr [si + 0x104] 0x12b5c: call 0x12bc3 0x12b5f: mov word ptr es:[di + 0x15], 0 0x12b65: mov ah, 0x40 0x12b67: mov cx, 4 0x12b6a: lea dx, word ptr [si + 0x2e4] 0x12b6e: call 0x12bc3

{"DateBased":true,"Day":1,"Month":1,"Year":1980,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":3738,"SideJobID":0}

.

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-25T11:50:02.48405135Z	71	PC: 12a76 \| Get current directory
2018-12-25T11:50:02.487891289Z	53	PC: 12bba \| Get interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T11:50:02.489089168Z	53	PC: 12a88 \| Get interrupt vector (Interrupt = '42' AKA 'Get date')
2018-12-25T11:50:02.492182895Z	37	PC: 12bca \| Set interrupt vector (Interrupt = '42' AKA 'Get date')
2018-12-25T11:50:02.494290547Z	26	PC: 12aa2 \| Set disk transfer address
2018-12-25T11:50:02.495616707Z	78	PC: 12bca \| Find first file (See above)
2018-12-25T11:50:02.501704773Z	61	PC: 12bca \| Open file (See above)
2018-12-25T11:50:02.50920896Z	63	PC: 12bca \| Read file or device (See above)
2018-12-25T11:50:02.515568359Z	64	PC: 12bca \| Write file or device (See above)
2018-12-25T11:50:03.603952802Z	64	PC: 12bca \| Write file or device (See above)
2018-12-25T11:50:03.621666189Z	62	PC: 12bca \| Close file (See above)
2018-12-25T11:50:03.692515083Z	59	PC: 12b19 \| Change current directory
2018-12-25T11:50:03.694151303Z	26	PC: 12b20 \| Set disk transfer address
2018-12-25T11:50:03.695433908Z	37	PC: 12bca \| Set interrupt vector (See above)
2018-12-25T11:50:03.697041076Z	42	PC: 12b32 \| Get date 0x12b32: cmp dx, 0x701 0x12b36: jne 0x12b40 0x12b38: mov ah, 9 0x12b3a: lea dx, word ptr [si + 0x2e8] 0x12b3e: int 0x21 0x12b40: push 0x100 0x12b43: ret 0x12b44: mov ax, word ptr es:[di + 0x11] 0x12b48: mov word ptr es:[di + 0x15], ax 0x12b4c: sub ax, 3 0x12b4f: mov word ptr [si + 0x2e5], ax 0x12b53: mov ah, 0x40 0x12b55: mov cx, 0x22d 0x12b58: lea dx, word ptr [si + 0x104] 0x12b5c: call 0x12bc3 0x12b5f: mov word ptr es:[di + 0x15], 0 0x12b65: mov ah, 0x40 0x12b67: mov cx, 4 0x12b6a: lea dx, word ptr [si + 0x2e4] 0x12b6e: call 0x12bc3

{"DateBased":true,"Day":1,"Month":7,"Year":1980,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":3738,"SideJobID":0}

.

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-25T11:50:02.546073008Z	71	PC: 12a76 \| Get current directory
2018-12-25T11:50:02.550441903Z	53	PC: 12bba \| Get interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T11:50:02.552419207Z	53	PC: 12a88 \| Get interrupt vector (Interrupt = '42' AKA 'Get date')
2018-12-25T11:50:02.554354409Z	37	PC: 12bca \| Set interrupt vector (Interrupt = '42' AKA 'Get date')
2018-12-25T11:50:02.556703364Z	26	PC: 12aa2 \| Set disk transfer address
2018-12-25T11:50:02.559509178Z	78	PC: 12bca \| Find first file (See above)
2018-12-25T11:50:02.566576194Z	61	PC: 12bca \| Open file (See above)
2018-12-25T11:50:02.575384273Z	63	PC: 12bca \| Read file or device (See above)
2018-12-25T11:50:02.584501964Z	64	PC: 12bca \| Write file or device (See above)
2018-12-25T11:50:02.602313179Z	64	PC: 12bca \| Write file or device (See above)
2018-12-25T11:50:02.611880102Z	62	PC: 12bca \| Close file (See above)
2018-12-25T11:50:02.622138085Z	59	PC: 12b19 \| Change current directory
2018-12-25T11:50:02.625436043Z	26	PC: 12b20 \| Set disk transfer address
2018-12-25T11:50:02.62699223Z	37	PC: 12bca \| Set interrupt vector (See above)
2018-12-25T11:50:02.628949957Z	42	PC: 12b32 \| Get date 0x12b32: cmp dx, 0x701 0x12b36: jne 0x12b40 0x12b38: mov ah, 9 0x12b3a: lea dx, word ptr [si + 0x2e8] 0x12b3e: int 0x21 0x12b40: push 0x100 0x12b43: ret 0x12b44: mov ax, word ptr es:[di + 0x11] 0x12b48: mov word ptr es:[di + 0x15], ax 0x12b4c: sub ax, 3 0x12b4f: mov word ptr [si + 0x2e5], ax 0x12b53: mov ah, 0x40 0x12b55: mov cx, 0x22d 0x12b58: lea dx, word ptr [si + 0x104] 0x12b5c: call 0x12bc3 0x12b5f: mov word ptr es:[di + 0x15], 0 0x12b65: mov ah, 0x40 0x12b67: mov cx, 4 0x12b6a: lea dx, word ptr [si + 0x2e4] 0x12b6e: call 0x12bc3
2018-12-25T11:50:02.631995122Z	9	PC: 12b40 \| Display string (String= 'This is Weeding Party 1.0 virus by Dark Judge in Tainan, Taiwan ')