Sample viewer

vx.netlux.org/Virus.DOS.Crooked.979

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-17T23:15:30.714571767Z	53	PC: 12a85 \| Get interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-17T23:15:30.716209305Z	53	PC: 12a8c \| Get interrupt vector (Interrupt = '19' AKA 'Delete file')
2018-12-17T23:15:30.717296679Z	37	PC: 12cb5 \| Set interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-17T23:15:30.718122211Z	48	PC: 12a9d \| Get DOS version
2018-12-17T23:15:30.718936882Z	26	PC: 12b29 \| Set disk transfer address
2018-12-17T23:15:30.72038823Z	78	PC: 12ce3 \| Find first file
2018-12-17T23:15:30.724403637Z	79	PC: 12ced \| Find next file
2018-12-17T23:15:30.726057826Z	78	PC: 12ce3 \| Find first file
2018-12-17T23:15:30.731839835Z	79	PC: 12ced \| Find next file
2018-12-17T23:15:30.734142974Z	79	PC: 12ced \| Find next file
2018-12-17T23:15:30.736459017Z	79	PC: 12ced \| Find next file
2018-12-17T23:15:30.739104039Z	79	PC: 12ced \| Find next file
2018-12-17T23:15:30.741240956Z	79	PC: 12ced \| Find next file
2018-12-17T23:15:30.743452994Z	79	PC: 12ced \| Find next file
2018-12-17T23:15:30.746173337Z	79	PC: 12ced \| Find next file
2018-12-17T23:15:30.748408037Z	61	PC: 12d19 \| Open file (Filename = '')
2018-12-17T23:15:30.754195335Z	63	PC: 12d68 \| Read file or device (Read 979 bytes on handle 5)
2018-12-17T23:15:30.7611352Z	62	PC: 12d57 \| Close file
2018-12-17T23:15:30.762675104Z	79	PC: 12ced \| Find next file
2018-12-17T23:15:30.765409414Z	42	PC: 12b3f \| Get date 0x12b3f: cmp cx, 0x7c8 0x12b43: jb 0x12b6d 0x12b45: mov ah, 0x2c 0x12b47: int 0x21 0x12b49: test dh, 0xf 0x12b4c: jne 0x12b6d 0x12b4e: push cs 0x12b4f: pop ds 0x12b50: mov cx, 0xdd 0x12b53: mov si, 0x28a 0x12b56: call 0x12bc3 0x12b59: mov dx, 0x28a 0x12b5c: mov ah, 9 0x12b5e: int 0x21 0x12b60: mov dl, 0xff 0x12b62: mov ax, 0xc06 0x12b65: int 0x21 0x12b67: je 0x12b60 0x12b69: cmp al, 0xd 0x12b6b: jne 0x12b60
2018-12-17T23:15:30.767933669Z	44	PC: 12b49 \| Get time 0x12b49: test dh, 0xf 0x12b4c: jne 0x12b6d 0x12b4e: push cs 0x12b4f: pop ds 0x12b50: mov cx, 0xdd 0x12b53: mov si, 0x28a 0x12b56: call 0x12bc3 0x12b59: mov dx, 0x28a 0x12b5c: mov ah, 9 0x12b5e: int 0x21 0x12b60: mov dl, 0xff 0x12b62: mov ax, 0xc06 0x12b65: int 0x21 0x12b67: je 0x12b60 0x12b69: cmp al, 0xd 0x12b6b: jne 0x12b60 0x12b6d: mov cx, 0x3d3 0x12b70: pop si 0x12b71: add si, di 0x12b73: pop dx
2018-12-17T23:15:30.769815346Z	37	PC: 12cdb \| Set interrupt vector (Interrupt = '19' AKA 'Delete file')
2018-12-17T23:15:30.770777294Z	37	PC: 12cb5 \| Set interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-17T23:15:30.772288574Z	26	PC: 12b8f \| Set disk transfer address
2018-12-17T23:15:30.773527142Z	9	PC: 12e26 \| Display string (String= 'Hello - Copyright S & S International, 1990 ')

{"DateBased":true,"Day":1,"Month":1,"Year":1980,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":6206,"SideJobID":0}

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-25T11:58:49.062196091Z	53	PC: 12a85 \| Get interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-25T11:58:49.063627699Z	53	PC: 12a8c \| Get interrupt vector (Interrupt = '19' AKA 'Delete file')
2018-12-25T11:58:49.064948273Z	37	PC: 12cb5 \| Set interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-25T11:58:49.066078029Z	48	PC: 12a9d \| Get DOS version
2018-12-25T11:58:49.067676663Z	26	PC: 12b29 \| Set disk transfer address
2018-12-25T11:58:49.068696272Z	78	PC: 12ce3 \| Find first file
2018-12-25T11:58:49.077505735Z	79	PC: 12ced \| Find next file
2018-12-25T11:58:49.079374421Z	78	PC: 12ce3 \| Find first file (See above)
2018-12-25T11:58:49.086559339Z	79	PC: 12ced \| Find next file (See above)
2018-12-25T11:58:49.08894367Z	79	PC: 12ced \| Find next file (See above)
2018-12-25T11:58:49.091298081Z	79	PC: 12ced \| Find next file (See above)
2018-12-25T11:58:49.094361549Z	79	PC: 12ced \| Find next file (See above)
2018-12-25T11:58:49.096744752Z	79	PC: 12ced \| Find next file (See above)
2018-12-25T11:58:49.099049544Z	79	PC: 12ced \| Find next file (See above)
2018-12-25T11:58:49.102397166Z	79	PC: 12ced \| Find next file (See above)
2018-12-25T11:58:49.104798109Z	61	PC: 12d19 \| Open file (Filename = '')
2018-12-25T11:58:49.110994959Z	63	PC: 12d68 \| Read file or device (Read 979 bytes on handle 5)
2018-12-25T11:58:49.118362054Z	62	PC: 12d57 \| Close file
2018-12-25T11:58:49.120316787Z	79	PC: 12ced \| Find next file (See above)
2018-12-25T11:58:49.122900053Z	42	PC: 12b3f \| Get date 0x12b3f: cmp cx, 0x7c8 0x12b43: jb 0x12b6d 0x12b45: mov ah, 0x2c 0x12b47: int 0x21 0x12b49: test dh, 0xf 0x12b4c: jne 0x12b6d 0x12b4e: push cs 0x12b4f: pop ds 0x12b50: mov cx, 0xdd 0x12b53: mov si, 0x28a 0x12b56: call 0x12bc3 0x12b59: mov dx, 0x28a 0x12b5c: mov ah, 9 0x12b5e: int 0x21 0x12b60: mov dl, 0xff 0x12b62: mov ax, 0xc06 0x12b65: int 0x21 0x12b67: je 0x12b60 0x12b69: cmp al, 0xd 0x12b6b: jne 0x12b60
2018-12-25T11:58:49.125395725Z	37	PC: 12cdb \| Set interrupt vector (Interrupt = '19' AKA 'Delete file')
2018-12-25T11:58:49.126775101Z	37	PC: 12cb5 \| Set interrupt vector (See above)
2018-12-25T11:58:49.12815685Z	26	PC: 12b8f \| Set disk transfer address
2018-12-25T11:58:49.130326085Z	9	PC: 12e26 \| Display string (String= 'Hello - Copyright S & S International, 1990 ')

{"DateBased":true,"Day":1,"Month":1,"Year":1992,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":6206,"SideJobID":0}

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-25T11:58:49.514419383Z	53	PC: 12a85 \| Get interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-25T11:58:49.516009863Z	53	PC: 12a8c \| Get interrupt vector (Interrupt = '19' AKA 'Delete file')
2018-12-25T11:58:49.517376107Z	37	PC: 12cb5 \| Set interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-25T11:58:49.518536566Z	48	PC: 12a9d \| Get DOS version
2018-12-25T11:58:49.519875928Z	26	PC: 12b29 \| Set disk transfer address
2018-12-25T11:58:49.52129269Z	78	PC: 12ce3 \| Find first file
2018-12-25T11:58:49.527717036Z	79	PC: 12ced \| Find next file
2018-12-25T11:58:49.529509152Z	78	PC: 12ce3 \| Find first file (See above)
2018-12-25T11:58:49.536089625Z	79	PC: 12ced \| Find next file (See above)
2018-12-25T11:58:49.538835283Z	79	PC: 12ced \| Find next file (See above)
2018-12-25T11:58:49.540687265Z	79	PC: 12ced \| Find next file (See above)
2018-12-25T11:58:49.543496781Z	79	PC: 12ced \| Find next file (See above)
2018-12-25T11:58:49.545359221Z	79	PC: 12ced \| Find next file (See above)
2018-12-25T11:58:49.547175648Z	79	PC: 12ced \| Find next file (See above)
2018-12-25T11:58:49.563448274Z	79	PC: 12ced \| Find next file (See above)
2018-12-25T11:58:49.565871288Z	61	PC: 12d19 \| Open file (Filename = '')
2018-12-25T11:58:49.570368298Z	63	PC: 12d68 \| Read file or device (Read 979 bytes on handle 5)
2018-12-25T11:58:49.575692263Z	62	PC: 12d57 \| Close file
2018-12-25T11:58:49.578242055Z	79	PC: 12ced \| Find next file (See above)
2018-12-25T11:58:49.581364848Z	42	PC: 12b3f \| Get date 0x12b3f: cmp cx, 0x7c8 0x12b43: jb 0x12b6d 0x12b45: mov ah, 0x2c 0x12b47: int 0x21 0x12b49: test dh, 0xf 0x12b4c: jne 0x12b6d 0x12b4e: push cs 0x12b4f: pop ds 0x12b50: mov cx, 0xdd 0x12b53: mov si, 0x28a 0x12b56: call 0x12bc3 0x12b59: mov dx, 0x28a 0x12b5c: mov ah, 9 0x12b5e: int 0x21 0x12b60: mov dl, 0xff 0x12b62: mov ax, 0xc06 0x12b65: int 0x21 0x12b67: je 0x12b60 0x12b69: cmp al, 0xd 0x12b6b: jne 0x12b60
2018-12-25T11:58:49.584545163Z	44	PC: 12b49 \| Get time 0x12b49: test dh, 0xf 0x12b4c: jne 0x12b6d 0x12b4e: push cs 0x12b4f: pop ds 0x12b50: mov cx, 0xdd 0x12b53: mov si, 0x28a 0x12b56: call 0x12bc3 0x12b59: mov dx, 0x28a 0x12b5c: mov ah, 9 0x12b5e: int 0x21 0x12b60: mov dl, 0xff 0x12b62: mov ax, 0xc06 0x12b65: int 0x21 0x12b67: je 0x12b60 0x12b69: cmp al, 0xd 0x12b6b: jne 0x12b60 0x12b6d: mov cx, 0x3d3 0x12b70: pop si 0x12b71: add si, di 0x12b73: pop dx
2018-12-25T11:58:49.586964197Z	37	PC: 12cdb \| Set interrupt vector (Interrupt = '19' AKA 'Delete file')
2018-12-25T11:58:49.588073111Z	37	PC: 12cb5 \| Set interrupt vector (See above)
2018-12-25T11:58:49.589369247Z	26	PC: 12b8f \| Set disk transfer address
2018-12-25T11:58:49.591411983Z	9	PC: 12e26 \| Display string (String= 'Hello - Copyright S & S International, 1990 ')