Sample viewer

vx.netlux.org/Virus.DOS.Grog.757

.

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-17T22:41:28.617494969Z	47	PC: 1319f \| Get disk transfer address
2018-12-17T22:41:28.619592167Z	26	PC: 131ae \| Set disk transfer address
2018-12-17T22:41:28.620641065Z	78	PC: 131cf \| Find first file
2018-12-17T22:41:28.626397361Z	53	PC: 13259 \| Get interrupt vector (Interrupt = '19' AKA 'Delete file')
2018-12-17T22:41:28.6282504Z	53	PC: 1325f \| Get interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-17T22:41:28.629694092Z	37	PC: 1326a \| Set interrupt vector (Interrupt = '19' AKA 'Delete file')
2018-12-17T22:41:28.630952142Z	37	PC: 1327a \| Set interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-17T22:41:28.632211276Z	61	PC: 13282 \| Open file (Filename = 'TEST.EXE')
2018-12-17T22:41:28.639455263Z	63	PC: 1328d \| Read file or device (Read 24 bytes on handle 5)
2018-12-17T22:41:28.642345651Z	62	PC: 132c8 \| Close file
2018-12-17T22:41:28.644839229Z	37	PC: 132cf \| Set interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-17T22:41:28.646618592Z	37	PC: 132d6 \| Set interrupt vector (Interrupt = '19' AKA 'Delete file')
2018-12-17T22:41:28.647637357Z	79	PC: 131cf \| Find next file
2018-12-17T22:41:28.649202083Z	44	PC: 131e0 \| Get time 0x131e0: cmp cx, 0x715 0x131e4: jne 0x131fc 0x131e6: mov es, word ptr [0x3f0] 0x131ea: push es 0x131eb: mov dx, 0x175 0x131ee: push dx 0x131ef: mov cx, 0x89 0x131f2: mov si, 0x100 0x131f5: mov di, si 0x131f7: rep movsb byte ptr es:[di], byte ptr [si] 0x131f9: push es 0x131fa: pop ds 0x131fb: retf 0x131fc: mov ds, word ptr [0x3f0] 0x13200: mov dx, word ptr [0x3ee] 0x13204: mov ah, 0x1a 0x13206: int 0x21 0x13208: cmp byte ptr cs:[0x3ed], 1 0x1320e: jne 0x13212 0x13210: int 0x20
2018-12-17T22:41:28.651111286Z	26	PC: 13208 \| Set disk transfer address
2018-12-17T22:41:28.652081379Z	76	PC: 13007 \| Terminate with return code (Return code = '0')

{"DateBased":false,"Day":0,"Month":0,"Year":0,"Hour":0,"Min":0,"Second":0,"TimeBased":true,"OriginalID":7213,"SideJobID":0}

.

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-25T12:01:09.108497528Z	47	PC: 1319f \| Get disk transfer address
2018-12-25T12:01:09.110001559Z	26	PC: 131ae \| Set disk transfer address
2018-12-25T12:01:09.110938924Z	78	PC: 131cf \| Find first file
2018-12-25T12:01:09.114631893Z	53	PC: 13259 \| Get interrupt vector (Interrupt = '19' AKA 'Delete file')
2018-12-25T12:01:09.115937739Z	53	PC: 1325f \| Get interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-25T12:01:09.117019174Z	37	PC: 1326a \| Set interrupt vector (Interrupt = '19' AKA 'Delete file')
2018-12-25T12:01:09.118338746Z	37	PC: 1327a \| Set interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-25T12:01:09.119622241Z	61	PC: 13282 \| Open file (Filename = 'TEST.EXE')
2018-12-25T12:01:09.126726136Z	63	PC: 1328d \| Read file or device (Read 24 bytes on handle 5)
2018-12-25T12:01:09.1290657Z	62	PC: 132c8 \| Close file
2018-12-25T12:01:09.13092226Z	37	PC: 132cf \| Set interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-25T12:01:09.132185313Z	37	PC: 132d6 \| Set interrupt vector (Interrupt = '19' AKA 'Delete file')
2018-12-25T12:01:09.133112373Z	79	PC: 131cf \| Find next file (See above)
2018-12-25T12:01:09.135289283Z	44	PC: 131e0 \| Get time 0x131e0: cmp cx, 0x715 0x131e4: jne 0x131fc 0x131e6: mov es, word ptr [0x3f0] 0x131ea: push es 0x131eb: mov dx, 0x175 0x131ee: push dx 0x131ef: mov cx, 0x89 0x131f2: mov si, 0x100 0x131f5: mov di, si 0x131f7: rep movsb byte ptr es:[di], byte ptr [si] 0x131f9: push es 0x131fa: pop ds 0x131fb: retf 0x131fc: mov ds, word ptr [0x3f0] 0x13200: mov dx, word ptr [0x3ee] 0x13204: mov ah, 0x1a 0x13206: int 0x21 0x13208: cmp byte ptr cs:[0x3ed], 1 0x1320e: jne 0x13212 0x13210: int 0x20
2018-12-25T12:01:09.137825554Z	26	PC: 13208 \| Set disk transfer address
2018-12-25T12:01:09.138882921Z	76	PC: 13007 \| Terminate with return code (Return code = '0')

{"DateBased":false,"Day":0,"Month":0,"Year":0,"Hour":7,"Min":21,"Second":0,"TimeBased":true,"OriginalID":7213,"SideJobID":0}

.

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-25T12:01:09.20844048Z	47	PC: 1319f \| Get disk transfer address
2018-12-25T12:01:09.209821656Z	26	PC: 131ae \| Set disk transfer address
2018-12-25T12:01:09.211211609Z	78	PC: 131cf \| Find first file
2018-12-25T12:01:09.217714996Z	53	PC: 13259 \| Get interrupt vector (Interrupt = '19' AKA 'Delete file')
2018-12-25T12:01:09.218860038Z	53	PC: 1325f \| Get interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-25T12:01:09.220657109Z	37	PC: 1326a \| Set interrupt vector (Interrupt = '19' AKA 'Delete file')
2018-12-25T12:01:09.222097519Z	37	PC: 1327a \| Set interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-25T12:01:09.22319244Z	61	PC: 13282 \| Open file (Filename = 'TEST.EXE')
2018-12-25T12:01:09.230754729Z	63	PC: 1328d \| Read file or device (Read 24 bytes on handle 5)
2018-12-25T12:01:09.23329057Z	62	PC: 132c8 \| Close file
2018-12-25T12:01:09.235881095Z	37	PC: 132cf \| Set interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-25T12:01:09.237646797Z	37	PC: 132d6 \| Set interrupt vector (Interrupt = '19' AKA 'Delete file')
2018-12-25T12:01:09.239281308Z	79	PC: 131cf \| Find next file (See above)
2018-12-25T12:01:09.241964256Z	44	PC: 131e0 \| Get time 0x131e0: cmp cx, 0x715 0x131e4: jne 0x131fc 0x131e6: mov es, word ptr [0x3f0] 0x131ea: push es 0x131eb: mov dx, 0x175 0x131ee: push dx 0x131ef: mov cx, 0x89 0x131f2: mov si, 0x100 0x131f5: mov di, si 0x131f7: rep movsb byte ptr es:[di], byte ptr [si] 0x131f9: push es 0x131fa: pop ds 0x131fb: retf 0x131fc: mov ds, word ptr [0x3f0] 0x13200: mov dx, word ptr [0x3ee] 0x13204: mov ah, 0x1a 0x13206: int 0x21 0x13208: cmp byte ptr cs:[0x3ed], 1 0x1320e: jne 0x13212 0x13210: int 0x20
2018-12-25T12:01:09.244660004Z	37	PC: 12abd \| Set interrupt vector (Interrupt = '28' AKA 'Get allocation info for specified drive')
2018-12-25T12:01:09.24585307Z	9	PC: 12ac4 \| Display string (String= ' SWAY (C) '93 by GROG - Italy ')
2018-12-25T12:01:09.251616112Z	49	PC: 12ac9 \| Terminate and stay resident (Return code = '0' \| Memory size = '22')