Sample viewer

vx.netlux.org/Virus.DOS.IDEA.6126

.

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-17T22:40:38.625456385Z	105	PC: 12d6b \| Get or set media id
2018-12-17T22:40:38.627639173Z	74	PC: 12d7b \| Reallocate memory
2018-12-17T22:40:38.629504257Z	74	PC: 12d84 \| Reallocate memory
2018-12-17T22:40:38.631007569Z	72	PC: 12d8c \| Allocate memory
2018-12-17T22:40:38.633483654Z	53	PC: 12db2 \| Get interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-17T22:40:38.635025248Z	37	PC: 12dc4 \| Set interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-17T22:40:38.636953313Z	44	PC: 1319a \| Get time 0x1319a: cmp cl, 0x1e 0x1319d: jne 0x131a7 0x1319f: cmp dh, 0xf 0x131a2: ja 0x131a7 0x131a4: call 0x13adb 0x131a7: pop ds 0x131a8: pop es 0x131a9: cmp byte ptr cs:[0], 0xcd 0x131af: je 0x131d5 0x131b1: mov ax, es 0x131b3: add ax, 0x10 0x131b6: add word ptr cs:[bp + 0x88f], ax 0x131bb: cli 0x131bc: add ax, word ptr cs:[bp + 0x891] 0x131c1: mov ss, ax 0x131c3: mov sp, word ptr cs:[bp + 0x893] 0x131c8: sti 0x131c9: call 0x132cd 0x131cc: ljmp 0x9090:0x9090 0x131d1: nop
2018-12-17T22:40:38.639538722Z	9	PC: 12a4b \| Display string (String= 'fake host')
2018-12-17T22:40:38.64223237Z	76	PC: 12a50 \| Terminate with return code (Return code = '0')

{"DateBased":false,"Day":0,"Month":0,"Year":0,"Hour":0,"Min":0,"Second":0,"TimeBased":true,"OriginalID":7046,"SideJobID":0}

.

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-25T12:00:49.621849688Z	105	PC: 12d6b \| Get or set media id
2018-12-25T12:00:49.623707153Z	74	PC: 12d7b \| Reallocate memory
2018-12-25T12:00:49.625646752Z	74	PC: 12d84 \| Reallocate memory
2018-12-25T12:00:49.627487013Z	72	PC: 12d8c \| Allocate memory
2018-12-25T12:00:49.630261354Z	53	PC: 12db2 \| Get interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T12:00:49.631570315Z	37	PC: 12dc4 \| Set interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T12:00:49.633308703Z	44	PC: 1319a \| Get time 0x1319a: cmp cl, 0x1e 0x1319d: jne 0x131a7 0x1319f: cmp dh, 0xf 0x131a2: ja 0x131a7 0x131a4: call 0x13adb 0x131a7: pop ds 0x131a8: pop es 0x131a9: cmp byte ptr cs:[0], 0xcd 0x131af: je 0x131d5 0x131b1: mov ax, es 0x131b3: add ax, 0x10 0x131b6: add word ptr cs:[bp + 0x88f], ax 0x131bb: cli 0x131bc: add ax, word ptr cs:[bp + 0x891] 0x131c1: mov ss, ax 0x131c3: mov sp, word ptr cs:[bp + 0x893] 0x131c8: sti 0x131c9: call 0x132cd 0x131cc: ljmp 0x9090:0x9090 0x131d1: nop
2018-12-25T12:00:49.637073195Z	9	PC: 12a4b \| Display string (String= 'fake host')
2018-12-25T12:00:49.639854518Z	76	PC: 12a50 \| Terminate with return code (Return code = '0')

{"DateBased":false,"Day":0,"Month":0,"Year":0,"Hour":0,"Min":30,"Second":0,"TimeBased":true,"OriginalID":7046,"SideJobID":0}

.

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-25T12:00:49.668090356Z	105	PC: 12d6b \| Get or set media id
2018-12-25T12:00:49.669600916Z	74	PC: 12d7b \| Reallocate memory
2018-12-25T12:00:49.671294627Z	74	PC: 12d84 \| Reallocate memory
2018-12-25T12:00:49.672926248Z	72	PC: 12d8c \| Allocate memory
2018-12-25T12:00:49.675613429Z	53	PC: 12db2 \| Get interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T12:00:49.678596665Z	37	PC: 12dc4 \| Set interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T12:00:49.679714297Z	44	PC: 1319a \| Get time 0x1319a: cmp cl, 0x1e 0x1319d: jne 0x131a7 0x1319f: cmp dh, 0xf 0x131a2: ja 0x131a7 0x131a4: call 0x13adb 0x131a7: pop ds 0x131a8: pop es 0x131a9: cmp byte ptr cs:[0], 0xcd 0x131af: je 0x131d5 0x131b1: mov ax, es 0x131b3: add ax, 0x10 0x131b6: add word ptr cs:[bp + 0x88f], ax 0x131bb: cli 0x131bc: add ax, word ptr cs:[bp + 0x891] 0x131c1: mov ss, ax 0x131c3: mov sp, word ptr cs:[bp + 0x893] 0x131c8: sti 0x131c9: call 0x132cd 0x131cc: ljmp 0x9090:0x9090 0x131d1: nop
2018-12-25T12:00:49.681794779Z	60	PC: 13282 \| Create or truncate file
2018-12-25T12:00:50.289644117Z	64	PC: 1327b \| Write file or device (Write 68 bytes on handle 5)
2018-12-25T12:00:50.297768937Z	62	PC: 13298 \| Close file
2018-12-25T12:00:50.403860428Z	9	PC: 13b0c \| Display string (String= 'Warning!')
2018-12-25T12:00:50.408120936Z	9	PC: 13b53 \| Display string (String= ' strong crypto inside')

{"DateBased":false,"Day":0,"Month":0,"Year":0,"Hour":0,"Min":30,"Second":16,"TimeBased":true,"OriginalID":7046,"SideJobID":0}

.

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-25T12:00:49.851287301Z	105	PC: 12d6b \| Get or set media id
2018-12-25T12:00:49.853382905Z	74	PC: 12d7b \| Reallocate memory
2018-12-25T12:00:49.855073814Z	74	PC: 12d84 \| Reallocate memory
2018-12-25T12:00:49.856420253Z	72	PC: 12d8c \| Allocate memory
2018-12-25T12:00:49.858532274Z	53	PC: 12db2 \| Get interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T12:00:49.860492609Z	37	PC: 12dc4 \| Set interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T12:00:49.861824745Z	44	PC: 1319a \| Get time 0x1319a: cmp cl, 0x1e 0x1319d: jne 0x131a7 0x1319f: cmp dh, 0xf 0x131a2: ja 0x131a7 0x131a4: call 0x13adb 0x131a7: pop ds 0x131a8: pop es 0x131a9: cmp byte ptr cs:[0], 0xcd 0x131af: je 0x131d5 0x131b1: mov ax, es 0x131b3: add ax, 0x10 0x131b6: add word ptr cs:[bp + 0x88f], ax 0x131bb: cli 0x131bc: add ax, word ptr cs:[bp + 0x891] 0x131c1: mov ss, ax 0x131c3: mov sp, word ptr cs:[bp + 0x893] 0x131c8: sti 0x131c9: call 0x132cd 0x131cc: ljmp 0x9090:0x9090 0x131d1: nop
2018-12-25T12:00:49.86484615Z	9	PC: 12a4b \| Display string (String= 'fake host')
2018-12-25T12:00:49.867393726Z	76	PC: 12a50 \| Terminate with return code (Return code = '0')