Sample viewer

vx.netlux.org/Virus.DOS.BlackSun.2372


Syscalls:

Time | Syscall Op | PC | Syscall Name
2018-12-17T22:24:34.488576922Z 48 PC: 13e78 | Get DOS version
2018-12-17T22:24:34.490969441Z 170 PC: 13e8a | UNKNOWN!
2018-12-17T22:24:34.492196444Z 42 PC: 13e93 | Get date
Disassembly at the call site:
0x13e93: cmp cx, 0x7cc
0x13e97: jb 0x13e9c
0x13e99: call 0x13ece
0x13e9c: add si, 0x928
0x13ea0: cmp word ptr cs:[si], 0x5a4d
0x13ea5: je 0x13eb0
0x13ea7: mov di, 0x100
0x13eaa: push di
0x13eab: cld
0x13eac: movsw word ptr es:[di], word ptr [si]
0x13ead: movsw word ptr es:[di], word ptr [si]
0x13eae: movsw word ptr es:[di], word ptr [si]
0x13eaf: ret
0x13eb0: mov ax, ds
0x13eb2: add ax, 0x10
0x13eb5: mov bx, ax
0x13eb7: add ax, word ptr cs:[si + 0xe]
0x13ebb: cli
0x13ebc: mov ss, ax
0x13ebe: mov sp, word ptr cs:[si + 0x10]
2018-12-17T22:24:34.494942763Z 82 PC: 13ed6 | Get DOS internal pointers (SYSVARS)
2018-12-17T22:24:34.497376985Z 255 PC: 13f26 | UNKNOWN!
2018-12-17T22:24:34.498365335Z 9 PC: 12a85 | Display string (String= 'Sophos Ltd, Oxford sacrificial COM goat 1400H bytes long ')
2018-12-17T22:24:34.504984187Z 0 PC: 12a89 | Program terminate

{"DateBased":true,"Day":1,"Month":1,"Year":1980,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":4321,"SideJobID":0}


Syscalls:

Time | Syscall Op | PC | Syscall Name
2018-12-25T11:51:25.581374084Z 48 PC: 13e78 | Get DOS version
2018-12-25T11:51:25.583381791Z 170 PC: 13e8a | UNKNOWN!
2018-12-25T11:51:25.584060006Z 42 PC: 13e93 | Get date
Disassembly at the call site:
0x13e93: cmp cx, 0x7cc
0x13e97: jb 0x13e9c
0x13e99: call 0x13ece
0x13e9c: add si, 0x928
0x13ea0: cmp word ptr cs:[si], 0x5a4d
0x13ea5: je 0x13eb0
0x13ea7: mov di, 0x100
0x13eaa: push di
0x13eab: cld
0x13eac: movsw word ptr es:[di], word ptr [si]
0x13ead: movsw word ptr es:[di], word ptr [si]
0x13eae: movsw word ptr es:[di], word ptr [si]
0x13eaf: ret
0x13eb0: mov ax, ds
0x13eb2: add ax, 0x10
0x13eb5: mov bx, ax
0x13eb7: add ax, word ptr cs:[si + 0xe]
0x13ebb: cli
0x13ebc: mov ss, ax
0x13ebe: mov sp, word ptr cs:[si + 0x10]
2018-12-25T11:51:25.586031157Z 9 PC: 12a85 | Display string (String= 'Sophos Ltd, Oxford sacrificial COM goat 1400H bytes long ')
2018-12-25T11:51:25.591659445Z 0 PC: 12a89 | Program terminate

{"DateBased":true,"Day":1,"Month":1,"Year":1996,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":4321,"SideJobID":0}


Syscalls:

Time | Syscall Op | PC | Syscall Name
2018-12-25T11:51:25.922629822Z 48 PC: 13e78 | Get DOS version
2018-12-25T11:51:25.926527801Z 170 PC: 13e8a | UNKNOWN!
2018-12-25T11:51:25.927157082Z 42 PC: 13e93 | Get date
Disassembly at the call site:
0x13e93: cmp cx, 0x7cc
0x13e97: jb 0x13e9c
0x13e99: call 0x13ece
0x13e9c: add si, 0x928
0x13ea0: cmp word ptr cs:[si], 0x5a4d
0x13ea5: je 0x13eb0
0x13ea7: mov di, 0x100
0x13eaa: push di
0x13eab: cld
0x13eac: movsw word ptr es:[di], word ptr [si]
0x13ead: movsw word ptr es:[di], word ptr [si]
0x13eae: movsw word ptr es:[di], word ptr [si]
0x13eaf: ret
0x13eb0: mov ax, ds
0x13eb2: add ax, 0x10
0x13eb5: mov bx, ax
0x13eb7: add ax, word ptr cs:[si + 0xe]
0x13ebb: cli
0x13ebc: mov ss, ax
0x13ebe: mov sp, word ptr cs:[si + 0x10]
2018-12-25T11:51:25.92858408Z 82 PC: 13ed6 | Get DOS internal pointers (SYSVARS)
2018-12-25T11:51:25.934988143Z 255 PC: 13f26 | UNKNOWN!
2018-12-25T11:51:25.942220604Z 9 PC: 12a85 | Display string (String= 'Sophos Ltd, Oxford sacrificial COM goat 1400H bytes long ')
2018-12-25T11:51:25.947330475Z 0 PC: 12a89 | Program terminate