Sample viewer

vx.netlux.org/Virus.DOS.Sonik.854

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-17T22:22:45.457215324Z	42	PC: 12c6a \| Get date 0x12c6a: cmp dx, 0xb0b 0x12c6e: je 0x12c7a 0x12c70: cmp byte ptr [2], 0xae 0x12c75: jge 0x12c7a 0x12c77: jmp 0x12e11 0x12c7a: push ds 0x12c7b: mov ds, word ptr [0x388] 0x12c7f: xor si, si 0x12c81: mov ax, word ptr [si + 0x2c] 0x12c84: mov ds, ax 0x12c86: pop es 0x12c87: mov di, 0x4ce 0x12c8a: lodsb al, byte ptr [si] 0x12c8b: cmp al, 0 0x12c8d: jne 0x12c8a 0x12c8f: lodsb al, byte ptr [si] 0x12c90: cmp al, 0 0x12c92: jne 0x12c8a 0x12c94: add si, 2 0x12c97: lodsb al, byte ptr [si]
2018-12-17T22:22:45.460858182Z	53	PC: 12e17 \| Get interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-17T22:22:45.462705421Z	37	PC: 12e27 \| Set interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-17T22:22:45.464840424Z	47	PC: 12e2b \| Get disk transfer address
2018-12-17T22:22:45.465962745Z	71	PC: 12e3f \| Get current directory
2018-12-17T22:22:45.468497851Z	26	PC: 12ceb \| Set disk transfer address
2018-12-17T22:22:45.469664564Z	78	PC: 12cf5 \| Find first file
2018-12-17T22:22:45.473937777Z	67	PC: 12cbe \| Get or set file attributes
2018-12-17T22:22:45.495090703Z	61	PC: 12cc3 \| Open file (Filename = 'TEST.EXE')
2018-12-17T22:22:45.503068772Z	63	PC: 12d45 \| Read file or device (Read 28 bytes on handle 5)
2018-12-17T22:22:45.506140563Z	66	PC: 12db9 \| Move file pointer
2018-12-17T22:22:45.508570943Z	64	PC: 12dc3 \| Write file or device (Write 854 bytes on handle 5)
2018-12-17T22:22:45.519269504Z	66	PC: 12de1 \| Move file pointer
2018-12-17T22:22:45.521202172Z	64	PC: 12deb \| Write file or device (Write 28 bytes on handle 5)
2018-12-17T22:22:45.526371488Z	87	PC: 12cd3 \| Get or set file date and time
2018-12-17T22:22:45.529442625Z	62	PC: 12cd7 \| Close file
2018-12-17T22:22:45.538707258Z	67	PC: 12ce3 \| Get or set file attributes
2018-12-17T22:22:45.544879384Z	79	PC: 12e03 \| Find next file
2018-12-17T22:22:45.547922568Z	26	PC: 12e49 \| Set disk transfer address
2018-12-17T22:22:45.554067622Z	78	PC: 12e53 \| Find first file
2018-12-17T22:22:45.560465548Z	59	PC: 12e8b \| Change current directory
2018-12-17T22:22:45.570178561Z	37	PC: 12ea7 \| Set interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-17T22:22:45.571355794Z	26	PC: 12eb5 \| Set disk transfer address
2018-12-17T22:22:45.572492202Z	9	PC: 12c22 \| Display string (Could not find end pointer)
2018-12-17T22:22:45.577107947Z	76	PC: 12c28 \| Terminate with return code (Return code = '0')

{"DateBased":true,"Day":1,"Month":1,"Year":1980,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":3984,"SideJobID":0}

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-25T11:50:36.483566309Z	42	PC: 12c6a \| Get date 0x12c6a: cmp dx, 0xb0b 0x12c6e: je 0x12c7a 0x12c70: cmp byte ptr [2], 0xae 0x12c75: jge 0x12c7a 0x12c77: jmp 0x12e11 0x12c7a: push ds 0x12c7b: mov ds, word ptr [0x388] 0x12c7f: xor si, si 0x12c81: mov ax, word ptr [si + 0x2c] 0x12c84: mov ds, ax 0x12c86: pop es 0x12c87: mov di, 0x4ce 0x12c8a: lodsb al, byte ptr [si] 0x12c8b: cmp al, 0 0x12c8d: jne 0x12c8a 0x12c8f: lodsb al, byte ptr [si] 0x12c90: cmp al, 0 0x12c92: jne 0x12c8a 0x12c94: add si, 2 0x12c97: lodsb al, byte ptr [si]
2018-12-25T11:50:36.487342873Z	53	PC: 12e17 \| Get interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-25T11:50:36.502261251Z	37	PC: 12e27 \| Set interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-25T11:50:36.503629839Z	47	PC: 12e2b \| Get disk transfer address
2018-12-25T11:50:36.505126324Z	71	PC: 12e3f \| Get current directory
2018-12-25T11:50:36.510003772Z	26	PC: 12ceb \| Set disk transfer address
2018-12-25T11:50:36.511553133Z	78	PC: 12cf5 \| Find first file
2018-12-25T11:50:36.519035104Z	67	PC: 12cbe \| Get or set file attributes
2018-12-25T11:50:36.702759469Z	61	PC: 12cc3 \| Open file (Filename = 'TEST.EXE')
2018-12-25T11:50:36.711457452Z	63	PC: 12d45 \| Read file or device (Read 28 bytes on handle 5)
2018-12-25T11:50:36.715224522Z	66	PC: 12db9 \| Move file pointer
2018-12-25T11:50:36.722783202Z	64	PC: 12dc3 \| Write file or device (Write 854 bytes on handle 5)
2018-12-25T11:50:36.733476015Z	66	PC: 12de1 \| Move file pointer
2018-12-25T11:50:36.735871313Z	64	PC: 12deb \| Write file or device (Write 28 bytes on handle 5)
2018-12-25T11:50:36.739702856Z	87	PC: 12cd3 \| Get or set file date and time
2018-12-25T11:50:36.744965007Z	62	PC: 12cd7 \| Close file
2018-12-25T11:50:36.754092973Z	67	PC: 12ce3 \| Get or set file attributes
2018-12-25T11:50:36.760081806Z	79	PC: 12e03 \| Find next file
2018-12-25T11:50:36.763749675Z	26	PC: 12e49 \| Set disk transfer address
2018-12-25T11:50:36.765761647Z	78	PC: 12e53 \| Find first file
2018-12-25T11:50:36.772017011Z	59	PC: 12e8b \| Change current directory
2018-12-25T11:50:36.777578893Z	37	PC: 12ea7 \| Set interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-25T11:50:36.778862353Z	26	PC: 12eb5 \| Set disk transfer address
2018-12-25T11:50:36.780190073Z	9	PC: 12c22 \| Display string (Could not find end pointer)
2018-12-25T11:50:36.790084586Z	76	PC: 12c28 \| Terminate with return code (Return code = '0')

{"DateBased":true,"Day":11,"Month":11,"Year":1980,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":3984,"SideJobID":0}

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-25T11:50:36.774541556Z	42	PC: 12c6a \| Get date 0x12c6a: cmp dx, 0xb0b 0x12c6e: je 0x12c7a 0x12c70: cmp byte ptr [2], 0xae 0x12c75: jge 0x12c7a 0x12c77: jmp 0x12e11 0x12c7a: push ds 0x12c7b: mov ds, word ptr [0x388] 0x12c7f: xor si, si 0x12c81: mov ax, word ptr [si + 0x2c] 0x12c84: mov ds, ax 0x12c86: pop es 0x12c87: mov di, 0x4ce 0x12c8a: lodsb al, byte ptr [si] 0x12c8b: cmp al, 0 0x12c8d: jne 0x12c8a 0x12c8f: lodsb al, byte ptr [si] 0x12c90: cmp al, 0 0x12c92: jne 0x12c8a 0x12c94: add si, 2 0x12c97: lodsb al, byte ptr [si]
2018-12-25T11:50:36.777111937Z	67	PC: 12cbe \| Get or set file attributes
2018-12-25T11:50:36.969463317Z	61	PC: 12cc3 \| Open file (Filename = 'A:\TEST.EXE')
2018-12-25T11:50:36.984341814Z	64	PC: 12cae \| Write file or device (Write 160 bytes on handle 5)
2018-12-25T11:50:36.988031747Z	87	PC: 12cd3 \| Get or set file date and time
2018-12-25T11:50:36.989408363Z	62	PC: 12cd7 \| Close file
2018-12-25T11:50:36.996457581Z	67	PC: 12ce3 \| Get or set file attributes
2018-12-25T11:50:37.001227219Z	37	PC: 12ea7 \| Set interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-25T11:50:37.003062184Z	26	PC: 12eb5 \| Set disk transfer address
2018-12-25T11:50:37.004086581Z	9	PC: 12c22 \| Display string (Could not find end pointer)
2018-12-25T11:50:37.009455392Z	76	PC: 12c28 \| Terminate with return code (Return code = '0')