Sample viewer

vx.netlux.org/Virus.DOS.Rubbit.3164

.

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-17T22:38:37.351689045Z	48	PC: 139e3 \| Get DOS version
2018-12-17T22:38:37.353762941Z	82	PC: 13b5e \| Get DOS internal pointers (SYSVARS)
2018-12-17T22:38:37.356753125Z	53	PC: 12cc0 \| Get interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-17T22:38:37.358198833Z	37	PC: 12cd0 \| Set interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-17T22:38:37.360804994Z	42	PC: 12cd9 \| Get date 0x12cd9: cmp dx, 0x909 0x12cdd: jne 0x12ce4 0x12cdf: mov byte ptr [0x8d], 1 0x12ce4: mov es, word ptr [0x43] 0x12ce8: jmp 0x12b8b 0x12ceb: xor ax, ax 0x12ced: xor bx, bx 0x12cef: xor cx, cx 0x12cf1: xor dx, dx 0x12cf3: xor si, si 0x12cf5: xor di, di 0x12cf7: xor bp, bp 0x12cf9: ret 0x12cfa: mov ah, 0x52 0x12cfc: int 0x21 0x12cfe: mov es, word ptr es:[bx - 2] 0x12d02: mov dl, byte ptr es:[0] 0x12d07: cmp dl, 0x4d 0x12d0a: je 0x12d11 0x12d0c: cmp dl, 0x5a
2018-12-17T22:38:37.363692312Z	74	PC: 130ca \| Reallocate memory
2018-12-17T22:38:37.36592742Z	53	PC: 12ec7 \| Get interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-17T22:38:37.368355222Z	37	PC: 12ed7 \| Set interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-17T22:38:37.377480371Z	61	PC: 12ee8 \| Open file (Filename = '�)2')
2018-12-17T22:38:37.385417571Z	62	PC: 13628 \| Close file
2018-12-17T22:38:37.388374603Z	66	PC: 130ca \| Move file pointer
2018-12-17T22:38:37.39042637Z	63	PC: 130ca \| Read file or device (Read 6 bytes on handle 6)
2018-12-17T22:38:37.394236293Z	62	PC: 12f18 \| Close file
2018-12-17T22:38:37.410068862Z	37	PC: 12e37 \| Set interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-17T22:38:37.411880548Z	75	PC: 12c86 \| Execute program
2018-12-17T22:38:37.43732159Z	9	PC: 15647 \| Display string (String= 'Warning: Rubbit v2.2 come in ..!!')
2018-12-17T22:38:37.443018401Z	73	PC: 12c97 \| Release memory
2018-12-17T22:38:37.445482658Z	77	PC: 12c9b \| Get program return code
2018-12-17T22:38:37.446978305Z	49	PC: 12ca5 \| Terminate and stay resident (Return code = '0' \| Memory size = '433')

{"DateBased":true,"Day":1,"Month":1,"Year":1980,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":6637,"SideJobID":0}

.

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-25T12:00:01.695265175Z	48	PC: 139e3 \| Get DOS version
2018-12-25T12:00:01.697541056Z	82	PC: 13b5e \| Get DOS internal pointers (SYSVARS)
2018-12-25T12:00:01.699273835Z	53	PC: 12cc0 \| Get interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T12:00:01.700482124Z	37	PC: 12cd0 \| Set interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T12:00:01.702301625Z	42	PC: 12cd9 \| Get date 0x12cd9: cmp dx, 0x909 0x12cdd: jne 0x12ce4 0x12cdf: mov byte ptr [0x8d], 1 0x12ce4: mov es, word ptr [0x43] 0x12ce8: jmp 0x12b8b 0x12ceb: xor ax, ax 0x12ced: xor bx, bx 0x12cef: xor cx, cx 0x12cf1: xor dx, dx 0x12cf3: xor si, si 0x12cf5: xor di, di 0x12cf7: xor bp, bp 0x12cf9: ret 0x12cfa: mov ah, 0x52 0x12cfc: int 0x21 0x12cfe: mov es, word ptr es:[bx - 2] 0x12d02: mov dl, byte ptr es:[0] 0x12d07: cmp dl, 0x4d 0x12d0a: je 0x12d11 0x12d0c: cmp dl, 0x5a
2018-12-25T12:00:01.704223072Z	74	PC: 130ca \| Reallocate memory
2018-12-25T12:00:01.705625323Z	53	PC: 12ec7 \| Get interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-25T12:00:01.711003741Z	37	PC: 12ed7 \| Set interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-25T12:00:01.712076716Z	61	PC: 12ee8 \| Open file (Filename = '�)2')
2018-12-25T12:00:01.718584421Z	62	PC: 13628 \| Close file
2018-12-25T12:00:01.72525899Z	66	PC: 130ca \| Move file pointer (See above)
2018-12-25T12:00:01.726861417Z	63	PC: 130ca \| Read file or device (See above)
2018-12-25T12:00:01.729587948Z	62	PC: 12f18 \| Close file
2018-12-25T12:00:01.731906846Z	37	PC: 12e37 \| Set interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-25T12:00:01.733118655Z	75	PC: 12c86 \| Execute program
2018-12-25T12:00:01.747448426Z	9	PC: 15647 \| Display string (String= 'Warning: Rubbit v2.2 come in ..!!')
2018-12-25T12:00:01.751298018Z	73	PC: 12c97 \| Release memory
2018-12-25T12:00:01.752646252Z	77	PC: 12c9b \| Get program return code
2018-12-25T12:00:01.753658778Z	49	PC: 12ca5 \| Terminate and stay resident (Return code = '0' \| Memory size = '433')

{"DateBased":true,"Day":9,"Month":9,"Year":1980,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":6637,"SideJobID":0}

.

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-25T12:00:01.819206932Z	48	PC: 139e3 \| Get DOS version
2018-12-25T12:00:01.821451217Z	82	PC: 13b5e \| Get DOS internal pointers (SYSVARS)
2018-12-25T12:00:01.823528868Z	53	PC: 12cc0 \| Get interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T12:00:01.824841771Z	37	PC: 12cd0 \| Set interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T12:00:01.826603655Z	42	PC: 12cd9 \| Get date 0x12cd9: cmp dx, 0x909 0x12cdd: jne 0x12ce4 0x12cdf: mov byte ptr [0x8d], 1 0x12ce4: mov es, word ptr [0x43] 0x12ce8: jmp 0x12b8b 0x12ceb: xor ax, ax 0x12ced: xor bx, bx 0x12cef: xor cx, cx 0x12cf1: xor dx, dx 0x12cf3: xor si, si 0x12cf5: xor di, di 0x12cf7: xor bp, bp 0x12cf9: ret 0x12cfa: mov ah, 0x52 0x12cfc: int 0x21 0x12cfe: mov es, word ptr es:[bx - 2] 0x12d02: mov dl, byte ptr es:[0] 0x12d07: cmp dl, 0x4d 0x12d0a: je 0x12d11 0x12d0c: cmp dl, 0x5a
2018-12-25T12:00:01.828721328Z	74	PC: 130ca \| Reallocate memory
2018-12-25T12:00:01.830212318Z	53	PC: 12ec7 \| Get interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-25T12:00:01.831544098Z	37	PC: 12ed7 \| Set interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-25T12:00:01.833041319Z	61	PC: 12ee8 \| Open file (Filename = '�)2')
2018-12-25T12:00:01.840225997Z	62	PC: 13628 \| Close file
2018-12-25T12:00:01.841858374Z	66	PC: 130ca \| Move file pointer (See above)
2018-12-25T12:00:01.849706856Z	63	PC: 130ca \| Read file or device (See above)
2018-12-25T12:00:01.852662034Z	62	PC: 12f18 \| Close file
2018-12-25T12:00:01.854352601Z	37	PC: 12e37 \| Set interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-25T12:00:01.855920844Z	75	PC: 12c86 \| Execute program
2018-12-25T12:00:01.871377621Z	9	PC: 15647 \| Display string (String= 'Warning: Rubbit v2.2 come in ..!!')
2018-12-25T12:00:01.875541164Z	73	PC: 12c97 \| Release memory
2018-12-25T12:00:01.877231662Z	77	PC: 12c9b \| Get program return code
2018-12-25T12:00:01.878492618Z	49	PC: 12ca5 \| Terminate and stay resident (Return code = '0' \| Memory size = '433')