Sample viewer

vx.netlux.org/Virus.DOS.Coconut.2071

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-17T22:38:06.73077092Z	48	PC: 12e36 \| Get DOS version
2018-12-17T22:38:06.73765162Z	42	PC: 12e71 \| Get date 0x12e71: cmp dh, 3 0x12e74: jne 0x12e7e 0x12e76: cmp dl, 0xe 0x12e79: jne 0x12e7e 0x12e7b: jmp 0x13044 0x12e7e: push ds 0x12e7f: push es 0x12e80: sub ax, ax 0x12e82: mov ds, ax 0x12e84: cli 0x12e85: les ax, ptr [0xc] 0x12e89: mov word ptr cs:[bp + 0x8fa], ax 0x12e8e: mov word ptr cs:[bp + 0x8fc], es 0x12e93: les ax, ptr [0x84] 0x12e97: mov word ptr [0xc], ax 0x12e9a: mov word ptr [0xe], es 0x12e9e: sti 0x12e9f: pop es 0x12ea0: pop ds 0x12ea1: mov byte ptr [bp + 0x911], 0
2018-12-17T22:38:06.750452639Z	71	PC: 12eaf \| Get current directory
2018-12-17T22:38:06.76675361Z	26	PC: 12eb6 \| Set disk transfer address
2018-12-17T22:38:06.768248026Z	78	PC: 12ec0 \| Find first file
2018-12-17T22:38:06.776454616Z	67	PC: 12eea \| Get or set file attributes
2018-12-17T22:38:08.017757942Z	61	PC: 12ef2 \| Open file (Filename = 'TEST.EXE')
2018-12-17T22:38:08.025514938Z	63	PC: 12efd \| Read file or device (Read 26 bytes on handle 5)
2018-12-17T22:38:08.030717226Z	67	PC: 13034 \| Get or set file attributes
2018-12-17T22:38:08.19061864Z	87	PC: 13040 \| Get or set file date and time
2018-12-17T22:38:08.192912016Z	62	PC: 13043 \| Close file
2018-12-17T22:38:08.346043347Z	79	PC: 12f80 \| Find next file
2018-12-17T22:38:08.349168745Z	59	PC: 12f8d \| Change current directory
2018-12-17T22:38:08.355317731Z	67	PC: 13034 \| Get or set file attributes
2018-12-17T22:38:08.39569789Z	87	PC: 13040 \| Get or set file date and time
2018-12-17T22:38:08.397791988Z	62	PC: 13043 \| Close file
2018-12-17T22:38:08.399853886Z	79	PC: 12f80 \| Find next file
2018-12-17T22:38:08.403032315Z	59	PC: 12f8d \| Change current directory
2018-12-17T22:38:08.414633532Z	26	PC: 13004 \| Set disk transfer address
2018-12-17T22:38:08.416069976Z	59	PC: 1300b \| Change current directory
2018-12-17T22:38:08.421013033Z	9	PC: 12a4b \| Display string (String= '')
2018-12-17T22:38:08.426779579Z	76	PC: 12a50 \| Terminate with return code (Return code = '0')

{"DateBased":true,"Day":1,"Month":1,"Year":1980,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":6563,"SideJobID":0}

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-25T11:59:50.542714308Z	48	PC: 12e36 \| Get DOS version
2018-12-25T11:59:50.546187997Z	42	PC: 12e71 \| Get date 0x12e71: cmp dh, 3 0x12e74: jne 0x12e7e 0x12e76: cmp dl, 0xe 0x12e79: jne 0x12e7e 0x12e7b: jmp 0x13044 0x12e7e: push ds 0x12e7f: push es 0x12e80: sub ax, ax 0x12e82: mov ds, ax 0x12e84: cli 0x12e85: les ax, ptr [0xc] 0x12e89: mov word ptr cs:[bp + 0x8fa], ax 0x12e8e: mov word ptr cs:[bp + 0x8fc], es 0x12e93: les ax, ptr [0x84] 0x12e97: mov word ptr [0xc], ax 0x12e9a: mov word ptr [0xe], es 0x12e9e: sti 0x12e9f: pop es 0x12ea0: pop ds 0x12ea1: mov byte ptr [bp + 0x911], 0
2018-12-25T11:59:50.548749768Z	71	PC: 12eaf \| Get current directory
2018-12-25T11:59:50.56008836Z	26	PC: 12eb6 \| Set disk transfer address
2018-12-25T11:59:50.561978927Z	78	PC: 12ec0 \| Find first file
2018-12-25T11:59:50.571629697Z	67	PC: 12eea \| Get or set file attributes
2018-12-25T11:59:50.589703788Z	61	PC: 12ef2 \| Open file (Filename = 'TEST.EXE')
2018-12-25T11:59:50.598017367Z	63	PC: 12efd \| Read file or device (Read 26 bytes on handle 5)
2018-12-25T11:59:50.602143294Z	67	PC: 13034 \| Get or set file attributes
2018-12-25T11:59:50.620562077Z	87	PC: 13040 \| Get or set file date and time
2018-12-25T11:59:50.624237062Z	62	PC: 13043 \| Close file
2018-12-25T11:59:50.639965747Z	79	PC: 12f80 \| Find next file
2018-12-25T11:59:50.646054926Z	59	PC: 12f8d \| Change current directory
2018-12-25T11:59:50.651901807Z	67	PC: 13034 \| Get or set file attributes (See above)
2018-12-25T11:59:50.664443032Z	87	PC: 13040 \| Get or set file date and time (See above)
2018-12-25T11:59:50.667053805Z	62	PC: 13043 \| Close file (See above)
2018-12-25T11:59:50.669121444Z	79	PC: 12f80 \| Find next file (See above)
2018-12-25T11:59:50.672136897Z	59	PC: 12f8d \| Change current directory (See above)
2018-12-25T11:59:50.678147184Z	26	PC: 13004 \| Set disk transfer address
2018-12-25T11:59:50.680277663Z	59	PC: 1300b \| Change current directory
2018-12-25T11:59:50.685201304Z	9	PC: 12a4b \| Display string (String= '')
2018-12-25T11:59:50.688765724Z	76	PC: 12a50 \| Terminate with return code (Return code = '0')

{"DateBased":true,"Day":1,"Month":3,"Year":1980,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":6563,"SideJobID":0}

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-25T11:59:50.577068415Z	48	PC: 12e36 \| Get DOS version
2018-12-25T11:59:50.581007641Z	42	PC: 12e71 \| Get date 0x12e71: cmp dh, 3 0x12e74: jne 0x12e7e 0x12e76: cmp dl, 0xe 0x12e79: jne 0x12e7e 0x12e7b: jmp 0x13044 0x12e7e: push ds 0x12e7f: push es 0x12e80: sub ax, ax 0x12e82: mov ds, ax 0x12e84: cli 0x12e85: les ax, ptr [0xc] 0x12e89: mov word ptr cs:[bp + 0x8fa], ax 0x12e8e: mov word ptr cs:[bp + 0x8fc], es 0x12e93: les ax, ptr [0x84] 0x12e97: mov word ptr [0xc], ax 0x12e9a: mov word ptr [0xe], es 0x12e9e: sti 0x12e9f: pop es 0x12ea0: pop ds 0x12ea1: mov byte ptr [bp + 0x911], 0
2018-12-25T11:59:50.584358342Z	71	PC: 12eaf \| Get current directory
2018-12-25T11:59:50.587656436Z	26	PC: 12eb6 \| Set disk transfer address
2018-12-25T11:59:50.588959683Z	78	PC: 12ec0 \| Find first file
2018-12-25T11:59:50.596363549Z	67	PC: 12eea \| Get or set file attributes
2018-12-25T11:59:50.620747473Z	61	PC: 12ef2 \| Open file (Filename = 'TEST.EXE')
2018-12-25T11:59:50.628919087Z	63	PC: 12efd \| Read file or device (Read 26 bytes on handle 5)
2018-12-25T11:59:50.634430989Z	67	PC: 13034 \| Get or set file attributes
2018-12-25T11:59:50.646041468Z	87	PC: 13040 \| Get or set file date and time
2018-12-25T11:59:50.648133268Z	62	PC: 13043 \| Close file
2018-12-25T11:59:50.656692665Z	79	PC: 12f80 \| Find next file
2018-12-25T11:59:50.659748911Z	59	PC: 12f8d \| Change current directory
2018-12-25T11:59:50.664851099Z	67	PC: 13034 \| Get or set file attributes (See above)
2018-12-25T11:59:50.676472648Z	87	PC: 13040 \| Get or set file date and time (See above)
2018-12-25T11:59:50.690306874Z	62	PC: 13043 \| Close file (See above)
2018-12-25T11:59:50.692439446Z	79	PC: 12f80 \| Find next file (See above)
2018-12-25T11:59:50.695519614Z	59	PC: 12f8d \| Change current directory (See above)
2018-12-25T11:59:50.701831983Z	26	PC: 13004 \| Set disk transfer address
2018-12-25T11:59:50.70344346Z	59	PC: 1300b \| Change current directory
2018-12-25T11:59:50.708407525Z	9	PC: 12a4b \| Display string (String= '')
2018-12-25T11:59:50.712244704Z	76	PC: 12a50 \| Terminate with return code (Return code = '0')

{"DateBased":true,"Day":14,"Month":3,"Year":1980,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":6563,"SideJobID":0}

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-25T11:59:50.57947442Z	48	PC: 12e36 \| Get DOS version
2018-12-25T11:59:50.582974295Z	42	PC: 12e71 \| Get date 0x12e71: cmp dh, 3 0x12e74: jne 0x12e7e 0x12e76: cmp dl, 0xe 0x12e79: jne 0x12e7e 0x12e7b: jmp 0x13044 0x12e7e: push ds 0x12e7f: push es 0x12e80: sub ax, ax 0x12e82: mov ds, ax 0x12e84: cli 0x12e85: les ax, ptr [0xc] 0x12e89: mov word ptr cs:[bp + 0x8fa], ax 0x12e8e: mov word ptr cs:[bp + 0x8fc], es 0x12e93: les ax, ptr [0x84] 0x12e97: mov word ptr [0xc], ax 0x12e9a: mov word ptr [0xe], es 0x12e9e: sti 0x12e9f: pop es 0x12ea0: pop ds 0x12ea1: mov byte ptr [bp + 0x911], 0