Sample viewer

vx.netlux.org/Trojan.DOS.Tufelen

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-17T22:38:40.03202099Z	48	PC: 188dc \| Get DOS version
2018-12-17T22:38:40.035099985Z	74	PC: 1892c \| Reallocate memory
2018-12-17T22:38:40.037088087Z	48	PC: 18990 \| Get DOS version
2018-12-17T22:38:40.038471561Z	53	PC: 18998 \| Get interrupt vector (Interrupt = '0' AKA 'Program terminate')
2018-12-17T22:38:40.040861328Z	37	PC: 189aa \| Set interrupt vector (Interrupt = '0' AKA 'Program terminate')
2018-12-17T22:38:40.04406632Z	53	PC: 1b032 \| Get interrupt vector (Interrupt = '2' AKA 'Character output')
2018-12-17T22:38:40.04568122Z	37	PC: 1b042 \| Set interrupt vector (Interrupt = '2' AKA 'Character output')
2018-12-17T22:38:40.048020022Z	53	PC: 1b047 \| Get interrupt vector (Interrupt = '35' AKA 'Get file size in records')
2018-12-17T22:38:40.050321894Z	37	PC: 1b057 \| Set interrupt vector (Interrupt = '35' AKA 'Get file size in records')
2018-12-17T22:38:40.051889855Z	53	PC: 18d86 \| Get interrupt vector (Interrupt = '52' AKA 'Get InDOS flag pointer')
2018-12-17T22:38:40.056713233Z	53	PC: 18d86 \| Get interrupt vector (Interrupt = '53' AKA 'Get interrupt vector')
2018-12-17T22:38:40.05938388Z	53	PC: 18d86 \| Get interrupt vector (Interrupt = '54' AKA 'Get free disk space')
2018-12-17T22:38:40.061577609Z	53	PC: 18d86 \| Get interrupt vector (Interrupt = '55' AKA 'Get or set switch character')
2018-12-17T22:38:40.064200996Z	53	PC: 18d86 \| Get interrupt vector (Interrupt = '56' AKA 'Get or set country info')
2018-12-17T22:38:40.071097566Z	53	PC: 18d86 \| Get interrupt vector (Interrupt = '57' AKA 'Create subdirectory')
2018-12-17T22:38:40.072665287Z	53	PC: 18d86 \| Get interrupt vector (Interrupt = '58' AKA 'Remove subdirectory')
2018-12-17T22:38:40.07423456Z	53	PC: 18d86 \| Get interrupt vector (Interrupt = '59' AKA 'Change current directory')
2018-12-17T22:38:40.077006207Z	53	PC: 18d86 \| Get interrupt vector (Interrupt = '60' AKA 'Create or truncate file')
2018-12-17T22:38:40.078552978Z	53	PC: 18d86 \| Get interrupt vector (Interrupt = '61' AKA 'Open file')
2018-12-17T22:38:40.080512105Z	53	PC: 18d86 \| Get interrupt vector (Interrupt = '62' AKA 'Close file')
2018-12-17T22:38:40.083003464Z	37	PC: 18db5 \| Set interrupt vector (Interrupt = '52' AKA 'Get InDOS flag pointer')
2018-12-17T22:38:40.084629755Z	37	PC: 18db5 \| Set interrupt vector (Interrupt = '53' AKA 'Get interrupt vector')
2018-12-17T22:38:40.086226941Z	37	PC: 18db5 \| Set interrupt vector (Interrupt = '54' AKA 'Get free disk space')
2018-12-17T22:38:40.089525069Z	37	PC: 18db5 \| Set interrupt vector (Interrupt = '55' AKA 'Get or set switch character')
2018-12-17T22:38:40.095034919Z	37	PC: 18db5 \| Set interrupt vector (Interrupt = '56' AKA 'Get or set country info')
2018-12-17T22:38:40.097744799Z	37	PC: 18db5 \| Set interrupt vector (Interrupt = '57' AKA 'Create subdirectory')
2018-12-17T22:38:40.104879076Z	37	PC: 18db5 \| Set interrupt vector (Interrupt = '58' AKA 'Remove subdirectory')
2018-12-17T22:38:40.106672792Z	37	PC: 18db5 \| Set interrupt vector (Interrupt = '59' AKA 'Change current directory')
2018-12-17T22:38:40.109194338Z	37	PC: 18dbc \| Set interrupt vector (Interrupt = '60' AKA 'Create or truncate file')
2018-12-17T22:38:40.1150293Z	37	PC: 18dc1 \| Set interrupt vector (Interrupt = '61' AKA 'Open file')
2018-12-17T22:38:40.118014018Z	68	PC: 18a3b \| I/O control for devices (Set for = '')
2018-12-17T22:38:40.128977913Z	68	PC: 18a3b \| I/O control for devices (Set for = 'P')
2018-12-17T22:38:40.131766281Z	68	PC: 18a3b \| I/O control for devices (Set for = '�� 櫋6')
2018-12-17T22:38:40.13374756Z	68	PC: 18a3b \| I/O control for devices (Set for = '4��6')
2018-12-17T22:38:40.135739339Z	68	PC: 18a3b \| I/O control for devices (Set for = '4��6')
2018-12-17T22:38:40.138815769Z	53	PC: 166b2 \| Get interrupt vector (Interrupt = '0' AKA 'Program terminate')
2018-12-17T22:38:40.14134545Z	53	PC: 166bf \| Get interrupt vector (Interrupt = '4' AKA 'Auxiliary output')
2018-12-17T22:38:40.143067671Z	53	PC: 166cc \| Get interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-17T22:38:40.144817555Z	37	PC: 166e1 \| Set interrupt vector (Interrupt = '0' AKA 'Program terminate')
2018-12-17T22:38:40.147041049Z	37	PC: 166e9 \| Set interrupt vector (Interrupt = '4' AKA 'Auxiliary output')
2018-12-17T22:38:40.148547965Z	37	PC: 166f1 \| Set interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-17T22:38:40.150566644Z	53	PC: 17170 \| Get interrupt vector (Interrupt = '239' AKA 'UNKNOWN!')
2018-12-17T22:38:40.155596872Z	53	PC: 1717d \| Get interrupt vector (Interrupt = '240' AKA 'UNKNOWN!')
2018-12-17T22:38:40.157513579Z	53	PC: 1718c \| Get interrupt vector (Interrupt = '9' AKA 'Display string')
2018-12-17T22:38:40.15905467Z	37	PC: 17199 \| Set interrupt vector (Interrupt = '239' AKA 'UNKNOWN!')
2018-12-17T22:38:40.161683768Z	53	PC: 171a0 \| Get interrupt vector (Interrupt = '8' AKA 'Console input without echo')
2018-12-17T22:38:40.164260277Z	37	PC: 171ad \| Set interrupt vector (Interrupt = '240' AKA 'UNKNOWN!')
2018-12-17T22:38:40.165935239Z	53	PC: 171b9 \| Get interrupt vector (Interrupt = '28' AKA 'Get allocation info for specified drive')
2018-12-17T22:38:40.175460407Z	48	PC: 1727b \| Get DOS version
2018-12-17T22:38:40.178486863Z	74	PC: 1510d \| Reallocate memory
2018-12-17T22:38:40.183342662Z	74	PC: 1510d \| Reallocate memory
2018-12-17T22:38:40.186648264Z	68	PC: 16628 \| I/O control for devices (Set for = 'echo.')
2018-12-17T22:38:40.1925651Z	68	PC: 16628 \| I/O control for devices (Set for = '')
2018-12-17T22:38:40.196961854Z	51	PC: 16646 \| Get or set Ctrl-Break
2018-12-17T22:38:40.198276698Z	51	PC: 16652 \| Get or set Ctrl-Break
2018-12-17T22:38:40.200707213Z	72	PC: 13510 \| Allocate memory
2018-12-17T22:38:40.203563158Z	74	PC: 1510d \| Reallocate memory
2018-12-17T22:38:40.2056786Z	72	PC: 13510 \| Allocate memory
2018-12-17T22:38:40.210542524Z	37	PC: 14437 \| Set interrupt vector (Interrupt = '9' AKA 'Display string')
2018-12-17T22:38:40.217822646Z	25	PC: 1368a \| Get default drive
2018-12-17T22:38:40.219470247Z	71	PC: 1369a \| Get current directory
2018-12-17T22:38:40.22445554Z	61	PC: 13c6c \| Open file (Filename = 'A:\TMMCONTR.BAT')
2018-12-17T22:38:40.23227682Z	60	PC: 13b31 \| Create or truncate file
2018-12-17T22:38:40.250194122Z	62	PC: 13a9f \| Close file
2018-12-17T22:38:40.253278196Z	61	PC: 13c6c \| Open file (Filename = 'A:\TMMCONTR.BAT')
2018-12-17T22:38:40.263162539Z	68	PC: 13bc5 \| I/O control for devices (Set for = 'YoU ArE InFeCt WiTh...�')
2018-12-17T22:38:40.266392839Z	64	PC: 13a8e \| Write file or device (Write 0 bytes on handle 5)
2018-12-17T22:38:40.270132257Z	64	PC: 13a8e \| Write file or device (Write 120 bytes on handle 5)
2018-12-17T22:38:40.276021952Z	66	PC: 13841 \| Move file pointer
2018-12-17T22:38:40.278046743Z	62	PC: 13a9f \| Close file
2018-12-17T22:38:40.290395434Z	73	PC: 13510 \| Release memory
2018-12-17T22:38:40.295326554Z	74	PC: 1510d \| Reallocate memory
2018-12-17T22:38:40.297782868Z	51	PC: 1665d \| Get or set Ctrl-Break
2018-12-17T22:38:40.29918677Z	37	PC: 168df \| Set interrupt vector (Interrupt = '0' AKA 'Program terminate')
2018-12-17T22:38:40.301644105Z	37	PC: 168e9 \| Set interrupt vector (Interrupt = '4' AKA 'Auxiliary output')
2018-12-17T22:38:40.303742204Z	37	PC: 168f3 \| Set interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-17T22:38:40.305554284Z	53	PC: 14b3a \| Get interrupt vector (Interrupt = '8' AKA 'Console input without echo')
2018-12-17T22:38:40.323678095Z	53	PC: 14b47 \| Get interrupt vector (Interrupt = '28' AKA 'Get allocation info for specified drive')
2018-12-17T22:38:40.324962893Z	53	PC: 14b54 \| Get interrupt vector (Interrupt = '9' AKA 'Display string')
2018-12-17T22:38:40.326376955Z	37	PC: 14b6f \| Set interrupt vector (Interrupt = '28' AKA 'Get allocation info for specified drive')
2018-12-17T22:38:40.327908267Z	53	PC: 14b77 \| Get interrupt vector (Interrupt = '239' AKA 'UNKNOWN!')
2018-12-17T22:38:40.330427558Z	37	PC: 14b84 \| Set interrupt vector (Interrupt = '9' AKA 'Display string')
2018-12-17T22:38:40.331651762Z	53	PC: 14b8b \| Get interrupt vector (Interrupt = '240' AKA 'UNKNOWN!')
2018-12-17T22:38:40.332792008Z	37	PC: 14b98 \| Set interrupt vector (Interrupt = '8' AKA 'Console input without echo')
2018-12-17T22:38:40.335491398Z	37	PC: 14ba2 \| Set interrupt vector (Interrupt = '239' AKA 'UNKNOWN!')
2018-12-17T22:38:40.336844845Z	37	PC: 14bad \| Set interrupt vector (Interrupt = '240' AKA 'UNKNOWN!')
2018-12-17T22:38:40.3381546Z	37	PC: 18dd1 \| Set interrupt vector (Interrupt = '52' AKA 'Get InDOS flag pointer')
2018-12-17T22:38:40.339924742Z	37	PC: 18dd1 \| Set interrupt vector (Interrupt = '53' AKA 'Get interrupt vector')
2018-12-17T22:38:40.341096688Z	37	PC: 18dd1 \| Set interrupt vector (Interrupt = '54' AKA 'Get free disk space')
2018-12-17T22:38:40.342397706Z	37	PC: 18dd1 \| Set interrupt vector (Interrupt = '55' AKA 'Get or set switch character')
2018-12-17T22:38:40.345077931Z	37	PC: 18dd1 \| Set interrupt vector (Interrupt = '56' AKA 'Get or set country info')
2018-12-17T22:38:40.347187331Z	37	PC: 18dd1 \| Set interrupt vector (Interrupt = '57' AKA 'Create subdirectory')
2018-12-17T22:38:40.348346062Z	37	PC: 18dd1 \| Set interrupt vector (Interrupt = '58' AKA 'Remove subdirectory')
2018-12-17T22:38:40.352619896Z	37	PC: 18dd1 \| Set interrupt vector (Interrupt = '59' AKA 'Change current directory')
2018-12-17T22:38:40.354532515Z	37	PC: 18dd1 \| Set interrupt vector (Interrupt = '60' AKA 'Create or truncate file')
2018-12-17T22:38:40.355971013Z	37	PC: 18dd1 \| Set interrupt vector (Interrupt = '61' AKA 'Open file')
2018-12-17T22:38:40.358539928Z	37	PC: 18dd1 \| Set interrupt vector (Interrupt = '62' AKA 'Close file')
2018-12-17T22:38:40.360467425Z	37	PC: 1b066 \| Set interrupt vector (Interrupt = '2' AKA 'Character output')
2018-12-17T22:38:40.362045696Z	37	PC: 18aec \| Set interrupt vector (Interrupt = '0' AKA 'Program terminate')
2018-12-17T22:38:40.366281187Z	41	PC: 187d5 \| Parse filename
2018-12-17T22:38:40.36804646Z	41	PC: 187d7 \| Parse filename
2018-12-17T22:38:40.370686148Z	41	PC: 187dc \| Parse filename
2018-12-17T22:38:40.374671699Z	75	PC: 187f2 \| Execute program
2018-12-17T22:38:40.409735722Z	80	PC: 1e5c9 \| Set current PSP
2018-12-17T22:38:40.410972069Z	48	PC: 1e5ce \| Get DOS version
2018-12-17T22:38:40.413609423Z	99	PC: 24db0 \| Get DBCS lead byte table pointer
2018-12-17T22:38:40.416617815Z	101	PC: 1e654 \| Get extended country info
2018-12-17T22:38:40.418312615Z	99	PC: 1e65a \| Get DBCS lead byte table pointer
2018-12-17T22:38:40.420459856Z	74	PC: 1e6bc \| Reallocate memory
2018-12-17T22:38:40.42240119Z	25	PC: 1e6f3 \| Get default drive
2018-12-17T22:38:40.423956628Z	37	PC: 1e1b3 \| Set interrupt vector (Interrupt = '34' AKA 'Random write')
2018-12-17T22:38:40.426297674Z	37	PC: 1e1ba \| Set interrupt vector (Interrupt = '35' AKA 'Get file size in records')
2018-12-17T22:38:40.428222577Z	37	PC: 1e1c1 \| Set interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-17T22:38:40.432875052Z	74	PC: 1d35c \| Reallocate memory
2018-12-17T22:38:40.4354774Z	72	PC: 1d39d \| Allocate memory
2018-12-17T22:38:40.437891173Z	72	PC: 1d3d5 \| Allocate memory
2018-12-17T22:38:40.440010712Z	72	PC: 1d3dd \| Allocate memory