Sample viewer

vx.netlux.org/Virus.DOS.Grog.886

.

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-17T22:40:55.448390191Z	47	PC: 1315a \| Get disk transfer address
2018-12-17T22:40:55.450068336Z	26	PC: 1316b \| Set disk transfer address
2018-12-17T22:40:55.452739531Z	78	PC: 1318a \| Find first file
2018-12-17T22:40:55.459552049Z	53	PC: 13207 \| Get interrupt vector (Interrupt = '19' AKA 'Delete file')
2018-12-17T22:40:55.461058455Z	53	PC: 1320d \| Get interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-17T22:40:55.463657895Z	37	PC: 13218 \| Set interrupt vector (Interrupt = '19' AKA 'Delete file')
2018-12-17T22:40:55.465174725Z	37	PC: 13226 \| Set interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-17T22:40:55.46650344Z	61	PC: 13237 \| Open file (Filename = '')
2018-12-17T22:40:55.487657136Z	63	PC: 13242 \| Read file or device (Read 24 bytes on handle 5)
2018-12-17T22:40:55.491069746Z	62	PC: 1327d \| Close file
2018-12-17T22:40:55.492867097Z	37	PC: 13284 \| Set interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-17T22:40:55.49420309Z	37	PC: 1328b \| Set interrupt vector (Interrupt = '19' AKA 'Delete file')
2018-12-17T22:40:55.495752228Z	79	PC: 1318a \| Find next file
2018-12-17T22:40:55.497633212Z	42	PC: 1319b \| Get date 0x1319b: cmp al, 1 0x1319d: jne 0x131aa 0x1319f: or dl, 0xfc 0x131a2: cmp dl, 0xff 0x131a5: jne 0x131aa 0x131a7: call 0x1340f 0x131aa: mov ds, word ptr [0x3fa] 0x131ae: mov dx, word ptr [0x3f8] 0x131b2: mov ah, 0x1a 0x131b4: int 0x21 0x131b6: cmp byte ptr cs:[0x3f7], 1 0x131bc: jne 0x131c0 0x131be: int 0x20 0x131c0: mov bx, ds 0x131c2: add bx, 0x10 0x131c5: add word ptr cs:[0x39a], bx 0x131ca: add word ptr cs:[0x392], bx 0x131cf: cli 0x131d0: mov ss, word ptr cs:[0x392] 0x131d5: mov sp, word ptr cs:[0x394]
2018-12-17T22:40:55.500247699Z	26	PC: 131b6 \| Set disk transfer address
2018-12-17T22:40:55.502557163Z	76	PC: 13007 \| Terminate with return code (Return code = '0')

{"DateBased":true,"Day":1,"Month":1,"Year":1980,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":7098,"SideJobID":0}

.

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-25T12:00:51.144532847Z	47	PC: 1315a \| Get disk transfer address
2018-12-25T12:00:51.150570217Z	26	PC: 1316b \| Set disk transfer address
2018-12-25T12:00:51.151689025Z	78	PC: 1318a \| Find first file
2018-12-25T12:00:51.157763091Z	53	PC: 13207 \| Get interrupt vector (Interrupt = '19' AKA 'Delete file')
2018-12-25T12:00:51.163517317Z	53	PC: 1320d \| Get interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-25T12:00:51.16539006Z	37	PC: 13218 \| Set interrupt vector (Interrupt = '19' AKA 'Delete file')
2018-12-25T12:00:51.167728131Z	37	PC: 13226 \| Set interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-25T12:00:51.170182141Z	61	PC: 13237 \| Open file (Filename = '')
2018-12-25T12:00:51.176826531Z	63	PC: 13242 \| Read file or device (Read 24 bytes on handle 5)
2018-12-25T12:00:51.179402102Z	62	PC: 1327d \| Close file
2018-12-25T12:00:51.182551318Z	37	PC: 13284 \| Set interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-25T12:00:51.184120803Z	37	PC: 1328b \| Set interrupt vector (Interrupt = '19' AKA 'Delete file')
2018-12-25T12:00:51.185132183Z	79	PC: 1318a \| Find next file (See above)
2018-12-25T12:00:51.188027939Z	42	PC: 1319b \| Get date 0x1319b: cmp al, 1 0x1319d: jne 0x131aa 0x1319f: or dl, 0xfc 0x131a2: cmp dl, 0xff 0x131a5: jne 0x131aa 0x131a7: call 0x1340f 0x131aa: mov ds, word ptr [0x3fa] 0x131ae: mov dx, word ptr [0x3f8] 0x131b2: mov ah, 0x1a 0x131b4: int 0x21 0x131b6: cmp byte ptr cs:[0x3f7], 1 0x131bc: jne 0x131c0 0x131be: int 0x20 0x131c0: mov bx, ds 0x131c2: add bx, 0x10 0x131c5: add word ptr cs:[0x39a], bx 0x131ca: add word ptr cs:[0x392], bx 0x131cf: cli 0x131d0: mov ss, word ptr cs:[0x392] 0x131d5: mov sp, word ptr cs:[0x394]
2018-12-25T12:00:51.193054087Z	26	PC: 131b6 \| Set disk transfer address
2018-12-25T12:00:51.194967325Z	76	PC: 13007 \| Terminate with return code (Return code = '0')

{"DateBased":true,"Day":7,"Month":1,"Year":1980,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":7098,"SideJobID":0}

.

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-25T12:00:51.203298566Z	47	PC: 1315a \| Get disk transfer address
2018-12-25T12:00:51.205587346Z	26	PC: 1316b \| Set disk transfer address
2018-12-25T12:00:51.207099339Z	78	PC: 1318a \| Find first file
2018-12-25T12:00:51.213256024Z	53	PC: 13207 \| Get interrupt vector (Interrupt = '19' AKA 'Delete file')
2018-12-25T12:00:51.214973932Z	53	PC: 1320d \| Get interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-25T12:00:51.221473503Z	37	PC: 13218 \| Set interrupt vector (Interrupt = '19' AKA 'Delete file')
2018-12-25T12:00:51.227660453Z	37	PC: 13226 \| Set interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-25T12:00:51.228851344Z	61	PC: 13237 \| Open file (Filename = '')
2018-12-25T12:00:51.23604285Z	63	PC: 13242 \| Read file or device (Read 24 bytes on handle 5)
2018-12-25T12:00:51.239603816Z	62	PC: 1327d \| Close file
2018-12-25T12:00:51.241610817Z	37	PC: 13284 \| Set interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-25T12:00:51.24399463Z	37	PC: 1328b \| Set interrupt vector (Interrupt = '19' AKA 'Delete file')
2018-12-25T12:00:51.245402995Z	79	PC: 1318a \| Find next file (See above)
2018-12-25T12:00:51.248040143Z	42	PC: 1319b \| Get date 0x1319b: cmp al, 1 0x1319d: jne 0x131aa 0x1319f: or dl, 0xfc 0x131a2: cmp dl, 0xff 0x131a5: jne 0x131aa 0x131a7: call 0x1340f 0x131aa: mov ds, word ptr [0x3fa] 0x131ae: mov dx, word ptr [0x3f8] 0x131b2: mov ah, 0x1a 0x131b4: int 0x21 0x131b6: cmp byte ptr cs:[0x3f7], 1 0x131bc: jne 0x131c0 0x131be: int 0x20 0x131c0: mov bx, ds 0x131c2: add bx, 0x10 0x131c5: add word ptr cs:[0x39a], bx 0x131ca: add word ptr cs:[0x392], bx 0x131cf: cli 0x131d0: mov ss, word ptr cs:[0x392] 0x131d5: mov sp, word ptr cs:[0x394]

{"DateBased":true,"Day":14,"Month":1,"Year":1980,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":7098,"SideJobID":0}

.

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-25T12:00:51.283120379Z	47	PC: 1315a \| Get disk transfer address
2018-12-25T12:00:51.284959524Z	26	PC: 1316b \| Set disk transfer address
2018-12-25T12:00:51.285886857Z	78	PC: 1318a \| Find first file
2018-12-25T12:00:51.290189264Z	53	PC: 13207 \| Get interrupt vector (Interrupt = '19' AKA 'Delete file')
2018-12-25T12:00:51.291790982Z	53	PC: 1320d \| Get interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-25T12:00:51.292947747Z	37	PC: 13218 \| Set interrupt vector (Interrupt = '19' AKA 'Delete file')
2018-12-25T12:00:51.294047609Z	37	PC: 13226 \| Set interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-25T12:00:51.295529066Z	61	PC: 13237 \| Open file (Filename = '')
2018-12-25T12:00:51.299675894Z	63	PC: 13242 \| Read file or device (Read 24 bytes on handle 5)
2018-12-25T12:00:51.301433408Z	62	PC: 1327d \| Close file
2018-12-25T12:00:51.303137627Z	37	PC: 13284 \| Set interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-25T12:00:51.304208171Z	37	PC: 1328b \| Set interrupt vector (Interrupt = '19' AKA 'Delete file')
2018-12-25T12:00:51.305119628Z	79	PC: 1318a \| Find next file (See above)
2018-12-25T12:00:51.306907708Z	42	PC: 1319b \| Get date 0x1319b: cmp al, 1 0x1319d: jne 0x131aa 0x1319f: or dl, 0xfc 0x131a2: cmp dl, 0xff 0x131a5: jne 0x131aa 0x131a7: call 0x1340f 0x131aa: mov ds, word ptr [0x3fa] 0x131ae: mov dx, word ptr [0x3f8] 0x131b2: mov ah, 0x1a 0x131b4: int 0x21 0x131b6: cmp byte ptr cs:[0x3f7], 1 0x131bc: jne 0x131c0 0x131be: int 0x20 0x131c0: mov bx, ds 0x131c2: add bx, 0x10 0x131c5: add word ptr cs:[0x39a], bx 0x131ca: add word ptr cs:[0x392], bx 0x131cf: cli 0x131d0: mov ss, word ptr cs:[0x392] 0x131d5: mov sp, word ptr cs:[0x394]
2018-12-25T12:00:51.308759554Z	26	PC: 131b6 \| Set disk transfer address
2018-12-25T12:00:51.309620052Z	76	PC: 13007 \| Terminate with return code (Return code = '0')