Sample viewer

vx.netlux.org/Virus.DOS.Sahand.2406

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-17T22:26:59.35937322Z	42	PC: 139e8 \| Get date 0x139e8: cmp cx, 0x70b 0x139ec: jb 0x13a0c 0x139ee: ja 0x139fc 0x139f0: cmp dh, 2 0x139f3: jb 0x13a0c 0x139f5: ja 0x139fc 0x139f7: cmp dl, 0x15 0x139fa: jb 0x13a0c 0x139fc: mov ax, 0xb73 0x139ff: mov bx, 0x7373 0x13a02: int 0x21 0x13a04: cmp ah, 0x73 0x13a07: je 0x13a0c 0x13a09: jmp 0x14277 0x13a0c: push cs 0x13a0d: pop ax 0x13a0e: push ds 0x13a0f: pop bx 0x13a10: sub ax, bx 0x13a12: jne 0x13a2c
2018-12-17T22:26:59.361848801Z	11	PC: 13a04 \| Get input status
2018-12-17T22:26:59.364954047Z	42	PC: 13349 \| Get date 0x13349: sub cx, word ptr [0x2b2] 0x1334d: jg 0x13364 0x1334f: jl 0x1335f 0x13351: sub dh, byte ptr [0x2b4] 0x13355: jg 0x1336e 0x13357: jl 0x1335f 0x13359: sub dl, byte ptr [0x2b5] 0x1335d: ja 0x13380 0x1335f: mov cx, 0 0x13362: jmp 0x13397 0x13364: sub dh, byte ptr [0x2b4] 0x13368: jae 0x1336e 0x1336a: add dh, 0xc 0x1336d: dec cx 0x1336e: sub dl, byte ptr [0x2b5] 0x13372: jae 0x13380 0x13374: add dl, 0x1e 0x13377: sub dh, 1 0x1337a: jae 0x13380 0x1337c: add dh, 0xc
2018-12-17T22:26:59.367442133Z	44	PC: 131f1 \| Get time 0x131f1: mov ax, 2 0x131f4: mul dl 0x131f6: add ax, 0x1e 0x131f9: mov word ptr [0x2a5], ax 0x131fc: mov ax, 0x3508 0x131ff: int 0x21 0x13201: mov word ptr [0x1c8], bx 0x13205: mov bx, es 0x13207: mov word ptr [0x1ca], bx 0x1320b: push cs 0x1320c: pop es 0x1320d: mov ax, 0x2508 0x13210: lea dx, word ptr [0x2cd] 0x13214: int 0x21 0x13216: mov ax, 0x3521 0x13219: int 0x21 0x1321b: mov word ptr [0x1cc], bx 0x1321f: mov bx, es 0x13221: mov word ptr [0x1ce], bx 0x13225: push cs
2018-12-17T22:26:59.369139752Z	53	PC: 13201 \| Get interrupt vector (Interrupt = '8' AKA 'Console input without echo')
2018-12-17T22:26:59.370825797Z	37	PC: 13216 \| Set interrupt vector (Interrupt = '8' AKA 'Console input without echo')
2018-12-17T22:26:59.371836807Z	53	PC: 1321b \| Get interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-17T22:26:59.372869627Z	37	PC: 13230 \| Set interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-17T22:26:59.374724507Z	74	PC: 1325a \| Reallocate memory
2018-12-17T22:26:59.388243451Z	67	PC: 12ebb \| Get or set file attributes
2018-12-17T22:26:59.395565972Z	67	PC: 12ed3 \| Get or set file attributes
2018-12-17T22:26:59.409872176Z	65	PC: 12f32 \| Delete file (Filename = 'A:\CHKLIST.CPS')
2018-12-17T22:26:59.416601061Z	65	PC: 12f4e \| Delete file (Filename = 'A:\CHKLIST.MS')
2018-12-17T22:26:59.42425327Z	86	PC: 12f85 \| Rename file
2018-12-17T22:26:59.441904985Z	61	PC: 12f91 \| Open file (Filename = 'A:\TEST.TXT')
2018-12-17T22:26:59.45055014Z	66	PC: 12fa6 \| Move file pointer
2018-12-17T22:26:59.451811907Z	66	PC: 12fc9 \| Move file pointer
2018-12-17T22:26:59.453037961Z	63	PC: 12fdb \| Read file or device (Read 8 bytes on handle 5)
2018-12-17T22:26:59.458177873Z	62	PC: 131a2 \| Close file
2018-12-17T22:26:59.459780494Z	86	PC: 131b1 \| Rename file
2018-12-17T22:26:59.46772023Z	67	PC: 131c1 \| Get or set file attributes
2018-12-17T22:26:59.475402188Z	75	PC: 132b3 \| Execute program
2018-12-17T22:26:59.486556578Z	42	PC: 148b8 \| Get date 0x148b8: cmp cx, 0x70b 0x148bc: jb 0x148dc 0x148be: ja 0x148cc 0x148c0: cmp dh, 2 0x148c3: jb 0x148dc 0x148c5: ja 0x148cc 0x148c7: cmp dl, 0x15 0x148ca: jb 0x148dc 0x148cc: mov ax, 0xb73 0x148cf: mov bx, 0x7373 0x148d2: int 0x21 0x148d4: cmp ah, 0x73 0x148d7: je 0x148dc 0x148d9: jmp 0x15147 0x148dc: push cs 0x148dd: pop ax 0x148de: push ds 0x148df: pop bx 0x148e0: sub ax, bx 0x148e2: jne 0x148fc
2018-12-17T22:26:59.48829869Z	9	PC: 13952 \| Display string (String= 'Goat file (EXE). Size=000011A0h/0000004512d bytes. ')
2018-12-17T22:26:59.492074262Z	76	PC: 13956 \| Terminate with return code (Return code = '36')
2018-12-17T22:26:59.494414006Z	73	PC: 132c1 \| Release memory
2018-12-17T22:26:59.495695576Z	77	PC: 132c6 \| Get program return code
2018-12-17T22:26:59.497435616Z	49	PC: 132d7 \| Terminate and stay resident (Return code = '36' \| Memory size = '231')