Sample viewer

vx.netlux.org/Trojan.DOS.Smurf.8288

.

GIF

Syscalls:

Time Syscall Op Syscall Name
2018-12-17T22:44:05.086354094Z 53 PC: 13b36 | Get interrupt vector (Interrupt = '0' AKA 'Program terminate')
2018-12-17T22:44:05.089360202Z 53 PC: 13b36 | Get interrupt vector (Interrupt = '2' AKA 'Character output')
2018-12-17T22:44:05.091085331Z 53 PC: 13b36 | Get interrupt vector (Interrupt = '27' AKA 'Get allocation info for default drive')
2018-12-17T22:44:05.100827059Z 53 PC: 13b36 | Get interrupt vector (Interrupt = '35' AKA 'Get file size in records')
2018-12-17T22:44:05.103376277Z 53 PC: 13b36 | Get interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-17T22:44:05.104844194Z 53 PC: 13b36 | Get interrupt vector (Interrupt = '52' AKA 'Get InDOS flag pointer')
2018-12-17T22:44:05.106302072Z 53 PC: 13b36 | Get interrupt vector (Interrupt = '53' AKA 'Get interrupt vector')
2018-12-17T22:44:05.108336995Z 53 PC: 13b36 | Get interrupt vector (Interrupt = '54' AKA 'Get free disk space')
2018-12-17T22:44:05.109821395Z 53 PC: 13b36 | Get interrupt vector (Interrupt = '55' AKA 'Get or set switch character')
2018-12-17T22:44:05.111168095Z 53 PC: 13b36 | Get interrupt vector (Interrupt = '56' AKA 'Get or set country info')
2018-12-17T22:44:05.113675385Z 53 PC: 13b36 | Get interrupt vector (Interrupt = '57' AKA 'Create subdirectory')
2018-12-17T22:44:05.11526711Z 53 PC: 13b36 | Get interrupt vector (Interrupt = '58' AKA 'Remove subdirectory')
2018-12-17T22:44:05.116899051Z 53 PC: 13b36 | Get interrupt vector (Interrupt = '59' AKA 'Change current directory')
2018-12-17T22:44:05.118401501Z 53 PC: 13b36 | Get interrupt vector (Interrupt = '60' AKA 'Create or truncate file')
2018-12-17T22:44:05.119840272Z 53 PC: 13b36 | Get interrupt vector (Interrupt = '61' AKA 'Open file')
2018-12-17T22:44:05.12112932Z 53 PC: 13b36 | Get interrupt vector (Interrupt = '62' AKA 'Close file')
2018-12-17T22:44:05.122380605Z 53 PC: 13b36 | Get interrupt vector (Interrupt = '63' AKA 'Read file or device')
2018-12-17T22:44:05.12412322Z 53 PC: 13b36 | Get interrupt vector (Interrupt = '117' AKA 'UNKNOWN!')
2018-12-17T22:44:05.125457206Z 37 PC: 13b4b | Set interrupt vector (Interrupt = '0' AKA 'Program terminate')
2018-12-17T22:44:05.127053781Z 37 PC: 13b53 | Set interrupt vector (Interrupt = '35' AKA 'Get file size in records')
2018-12-17T22:44:05.128827023Z 37 PC: 13b5b | Set interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-17T22:44:05.130218559Z 37 PC: 13b63 | Set interrupt vector (Interrupt = '63' AKA 'Read file or device')
2018-12-17T22:44:05.131861536Z 68 PC: 141f7 | I/O control for devices (Set for = '')
2018-12-17T22:44:05.160607276Z 37 PC: 13567 | Set interrupt vector (Interrupt = '27' AKA 'Get allocation info for default drive')
2018-12-17T22:44:05.161851705Z 44 PC: 14093 | Get time 0x14093: mov word ptr [0x38], cx
0x14097: mov word ptr [0x3a], dx
0x1409b: retf
0x1409c: mov bx, sp
0x1409e: push ds
0x1409f: les di, ptr ss:[bx + 8]
0x140a3: lds si, ptr ss:[bx + 4]
0x140a7: cld
0x140a8: xor ax, ax
0x140aa: stosw word ptr es:[di], ax
0x140ab: mov ax, 0xd7b0
0x140ae: stosw word ptr es:[di], ax
0x140af: mov ax, 0x80
0x140b2: stosw word ptr es:[di], ax
0x140b3: xor ax, ax
0x140b5: stosw word ptr es:[di], ax
0x140b6: stosw word ptr es:[di], ax
0x140b7: stosw word ptr es:[di], ax
0x140b8: lea ax, word ptr [di + 0x74]
0x140bb: stosw word ptr es:[di], ax
2018-12-17T22:44:05.163604904Z 25 PC: 131f5 | Get default drive
2018-12-17T22:44:05.165313635Z 42 PC: 13223 | Get date 0x13223: xor ah, ah
0x13225: les di, ptr [bp + 6]
0x13228: stosw word ptr es:[di], ax
0x13229: mov al, dl
0x1322b: les di, ptr [bp + 0xa]
0x1322e: stosw word ptr es:[di], ax
0x1322f: mov al, dh
0x13231: les di, ptr [bp + 0xe]
0x13234: stosw word ptr es:[di], ax
0x13235: xchg ax, cx
0x13236: les di, ptr [bp + 0x12]
0x13239: stosw word ptr es:[di], ax
0x1323a: pop bp
0x1323b: retf 0x10
0x1323e: push bp
0x1323f: mov bp, sp
0x13241: mov cx, word ptr [bp + 0xa]
0x13244: mov dh, byte ptr [bp + 8]
0x13247: mov dl, byte ptr [bp + 6]
0x1324a: mov ah, 0x2b
2018-12-17T22:44:05.167159221Z 48 PC: 146f3 | Get DOS version
2018-12-17T22:44:05.168574202Z 26 PC: 1333b | Set disk transfer address
2018-12-17T22:44:05.181972276Z 78 PC: 13347 | Find first file
2018-12-17T22:44:05.189221727Z 26 PC: 1333b | Set disk transfer address
2018-12-17T22:44:05.191025009Z 78 PC: 13347 | Find first file
2018-12-17T22:44:05.197902862Z 14 PC: 147d9 | Set default drive (Drive = 'A')
2018-12-17T22:44:05.200979633Z 25 PC: 147dd | Get default drive
2018-12-17T22:44:05.202503038Z 59 PC: 14847 | Change current directory
2018-12-17T22:44:05.207144742Z 44 PC: 14093 | Get time 0x14093: mov word ptr [0x38], cx
0x14097: mov word ptr [0x3a], dx
0x1409b: retf
0x1409c: mov bx, sp
0x1409e: push ds
0x1409f: les di, ptr ss:[bx + 8]
0x140a3: lds si, ptr ss:[bx + 4]
0x140a7: cld
0x140a8: xor ax, ax
0x140aa: stosw word ptr es:[di], ax
0x140ab: mov ax, 0xd7b0
0x140ae: stosw word ptr es:[di], ax
0x140af: mov ax, 0x80
0x140b2: stosw word ptr es:[di], ax
0x140b3: xor ax, ax
0x140b5: stosw word ptr es:[di], ax
0x140b6: stosw word ptr es:[di], ax
0x140b7: stosw word ptr es:[di], ax
0x140b8: lea ax, word ptr [di + 0x74]
0x140bb: stosw word ptr es:[di], ax
2018-12-17T22:44:05.210411777Z 48 PC: 146f3 | Get DOS version
2018-12-17T22:44:05.211792689Z 61 PC: 14519 | Open file (Filename = 'A:\TEST.EXE')
2018-12-17T22:44:05.216246879Z 26 PC: 1333b | Set disk transfer address
2018-12-17T22:44:05.217933112Z 78 PC: 13347 | Find first file
2018-12-17T22:44:05.222100755Z 26 PC: 1335f | Set disk transfer address
2018-12-17T22:44:05.22328769Z 79 PC: 13364 | Find next file
2018-12-17T22:44:05.22584324Z 26 PC: 1333b | Set disk transfer address
2018-12-17T22:44:05.226829626Z 78 PC: 13347 | Find first file
2018-12-17T22:44:05.230970068Z 67 PC: 1329d | Get or set file attributes
2018-12-17T22:44:05.235920809Z 87 PC: 132de | Get or set file date and time
2018-12-17T22:44:05.238176754Z 67 PC: 132c4 | Get or set file attributes
2018-12-17T22:44:05.25671913Z 61 PC: 14519 | Open file (Filename = 'TEST.EXE')
2018-12-17T22:44:05.264325741Z 66 PC: 146b5 | Move file pointer
2018-12-17T22:44:05.266251646Z 66 PC: 146c3 | Move file pointer
2018-12-17T22:44:05.267802252Z 66 PC: 146d1 | Move file pointer
2018-12-17T22:44:05.269765223Z 66 PC: 146b5 | Move file pointer
2018-12-17T22:44:05.271997973Z 66 PC: 146c3 | Move file pointer
2018-12-17T22:44:05.273583879Z 66 PC: 146d1 | Move file pointer
2018-12-17T22:44:05.275326838Z 66 PC: 1464b | Move file pointer
2018-12-17T22:44:05.277506161Z 63 PC: 145ec | Read file or device (Read 1 bytes on handle 6)
2018-12-17T22:44:05.2857796Z 66 PC: 1464b | Move file pointer
2018-12-17T22:44:05.287492715Z 66 PC: 1464b | Move file pointer
2018-12-17T22:44:05.289803407Z 63 PC: 145ec | Read file or device (Read 8287 bytes on handle 5)
2018-12-17T22:44:05.299267659Z 14 PC: 147d9 | Set default drive (Drive = 'A')
2018-12-17T22:44:05.300925742Z 25 PC: 147dd | Get default drive
2018-12-17T22:44:05.302994551Z 59 PC: 14847 | Change current directory
2018-12-17T22:44:05.308100668Z 66 PC: 146b5 | Move file pointer
2018-12-17T22:44:05.310015582Z 66 PC: 146c3 | Move file pointer
2018-12-17T22:44:05.31221932Z 66 PC: 146d1 | Move file pointer
2018-12-17T22:44:05.313942042Z 66 PC: 1464b | Move file pointer
2018-12-17T22:44:05.315667131Z 63 PC: 145ec | Read file or device (Read 8287 bytes on handle 5)
2018-12-17T22:44:05.325500747Z 66 PC: 1464b | Move file pointer
2018-12-17T22:44:05.327244018Z 64 PC: 145ec | Write file or device (Write 8287 bytes on handle 5)
2018-12-17T22:44:05.337080983Z 53 PC: 133a2 | Get interrupt vector (Interrupt = '0' AKA 'Program terminate')
2018-12-17T22:44:05.339613281Z 37 PC: 133ab | Set interrupt vector (Interrupt = '0' AKA 'Program terminate')
2018-12-17T22:44:05.340924124Z 53 PC: 133a2 | Get interrupt vector (Interrupt = '2' AKA 'Character output')
2018-12-17T22:44:05.342290051Z 37 PC: 133ab | Set interrupt vector (Interrupt = '2' AKA 'Character output')
2018-12-17T22:44:05.34457509Z 53 PC: 133a2 | Get interrupt vector (Interrupt = '27' AKA 'Get allocation info for default drive')
2018-12-17T22:44:05.345983952Z 37 PC: 133ab | Set interrupt vector (Interrupt = '27' AKA 'Get allocation info for default drive')
2018-12-17T22:44:05.347381566Z 53 PC: 133a2 | Get interrupt vector (Interrupt = '35' AKA 'Get file size in records')
2018-12-17T22:44:05.349291388Z 37 PC: 133ab | Set interrupt vector (Interrupt = '35' AKA 'Get file size in records')
2018-12-17T22:44:05.350729333Z 53 PC: 133a2 | Get interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-17T22:44:05.352125319Z 37 PC: 133ab | Set interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-17T22:44:05.353889793Z 53 PC: 133a2 | Get interrupt vector (Interrupt = '52' AKA 'Get InDOS flag pointer')
2018-12-17T22:44:05.355327182Z 37 PC: 133ab | Set interrupt vector (Interrupt = '52' AKA 'Get InDOS flag pointer')
2018-12-17T22:44:05.356633245Z 53 PC: 133a2 | Get interrupt vector (Interrupt = '53' AKA 'Get interrupt vector')
2018-12-17T22:44:05.358510459Z 37 PC: 133ab | Set interrupt vector (Interrupt = '53' AKA 'Get interrupt vector')
2018-12-17T22:44:05.360224147Z 53 PC: 133a2 | Get interrupt vector (Interrupt = '54' AKA 'Get free disk space')
2018-12-17T22:44:05.361910856Z 37 PC: 133ab | Set interrupt vector (Interrupt = '54' AKA 'Get free disk space')
2018-12-17T22:44:05.364621773Z 53 PC: 133a2 | Get interrupt vector (Interrupt = '55' AKA 'Get or set switch character')
2018-12-17T22:44:05.366361163Z 37 PC: 133ab | Set interrupt vector (Interrupt = '55' AKA 'Get or set switch character')
2018-12-17T22:44:05.368014701Z 53 PC: 133a2 | Get interrupt vector (Interrupt = '56' AKA 'Get or set country info')
2018-12-17T22:44:05.370761031Z 37 PC: 133ab | Set interrupt vector (Interrupt = '56' AKA 'Get or set country info')
2018-12-17T22:44:05.372577502Z 53 PC: 133a2 | Get interrupt vector (Interrupt = '57' AKA 'Create subdirectory')
2018-12-17T22:44:05.374227084Z 37 PC: 133ab | Set interrupt vector (Interrupt = '57' AKA 'Create subdirectory')
2018-12-17T22:44:05.376018925Z 53 PC: 133a2 | Get interrupt vector (Interrupt = '58' AKA 'Remove subdirectory')
2018-12-17T22:44:05.378751512Z 37 PC: 133ab | Set interrupt vector (Interrupt = '58' AKA 'Remove subdirectory')
2018-12-17T22:44:05.380416639Z 53 PC: 133a2 | Get interrupt vector (Interrupt = '59' AKA 'Change current directory')
2018-12-17T22:44:05.382204454Z 37 PC: 133ab | Set interrupt vector (Interrupt = '59' AKA 'Change current directory')
2018-12-17T22:44:05.384303544Z 53 PC: 133a2 | Get interrupt vector (Interrupt = '60' AKA 'Create or truncate file')
2018-12-17T22:44:05.386098403Z 37 PC: 133ab | Set interrupt vector (Interrupt = '60' AKA 'Create or truncate file')
2018-12-17T22:44:05.388057829Z 53 PC: 133a2 | Get interrupt vector (Interrupt = '61' AKA 'Open file')
2018-12-17T22:44:05.390342107Z 37 PC: 133ab | Set interrupt vector (Interrupt = '61' AKA 'Open file')
2018-12-17T22:44:05.392873404Z 53 PC: 133a2 | Get interrupt vector (Interrupt = '62' AKA 'Close file')
2018-12-17T22:44:05.395296381Z 37 PC: 133ab | Set interrupt vector (Interrupt = '62' AKA 'Close file')
2018-12-17T22:44:05.398565648Z 53 PC: 133a2 | Get interrupt vector (Interrupt = '63' AKA 'Read file or device')
2018-12-17T22:44:05.400564621Z 37 PC: 133ab | Set interrupt vector (Interrupt = '63' AKA 'Read file or device')
2018-12-17T22:44:05.403054343Z 53 PC: 133a2 | Get interrupt vector (Interrupt = '117' AKA 'UNKNOWN!')
2018-12-17T22:44:05.410941349Z 37 PC: 133ab | Set interrupt vector (Interrupt = '117' AKA 'UNKNOWN!')
2018-12-17T22:44:05.412718244Z 41 PC: 1342a | Parse filename
2018-12-17T22:44:05.414433084Z 41 PC: 13438 | Parse filename
2018-12-17T22:44:05.41648098Z 75 PC: 13443 | Execute program
2018-12-17T22:44:05.437652849Z 9 PC: 2162c | Display string (Could not find end pointer)
2018-12-17T22:44:05.444243563Z 76 PC: 21631 | Terminate with return code (Return code = '0')
2018-12-17T22:44:05.455236671Z 53 PC: 133a2 | Get interrupt vector (Interrupt = '0' AKA 'Program terminate')
2018-12-17T22:44:05.456448475Z 37 PC: 133ab | Set interrupt vector (Interrupt = '0' AKA 'Program terminate')
2018-12-17T22:44:05.457470171Z 53 PC: 133a2 | Get interrupt vector (Interrupt = '2' AKA 'Character output')
2018-12-17T22:44:05.459181649Z 37 PC: 133ab | Set interrupt vector (Interrupt = '2' AKA 'Character output')
2018-12-17T22:44:05.4605429Z 53 PC: 133a2 | Get interrupt vector (Interrupt = '27' AKA 'Get allocation info for default drive')
2018-12-17T22:44:05.462031411Z 37 PC: 133ab | Set interrupt vector (Interrupt = '27' AKA 'Get allocation info for default drive')
2018-12-17T22:44:05.464052316Z 53 PC: 133a2 | Get interrupt vector (Interrupt = '35' AKA 'Get file size in records')
2018-12-17T22:44:05.465388241Z 37 PC: 133ab | Set interrupt vector (Interrupt = '35' AKA 'Get file size in records')
2018-12-17T22:44:05.466725309Z 53 PC: 133a2 | Get interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-17T22:44:05.469697576Z 37 PC: 133ab | Set interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-17T22:44:05.471213143Z 53 PC: 133a2 | Get interrupt vector (Interrupt = '52' AKA 'Get InDOS flag pointer')
2018-12-17T22:44:05.472628383Z 37 PC: 133ab | Set interrupt vector (Interrupt = '52' AKA 'Get InDOS flag pointer')
2018-12-17T22:44:05.474667551Z 53 PC: 133a2 | Get interrupt vector (Interrupt = '53' AKA 'Get interrupt vector')
2018-12-17T22:44:05.475966909Z 37 PC: 133ab | Set interrupt vector (Interrupt = '53' AKA 'Get interrupt vector')
2018-12-17T22:44:05.47726567Z 53 PC: 133a2 | Get interrupt vector (Interrupt = '54' AKA 'Get free disk space')
2018-12-17T22:44:05.479233693Z 37 PC: 133ab | Set interrupt vector (Interrupt = '54' AKA 'Get free disk space')
2018-12-17T22:44:05.480876971Z 53 PC: 133a2 | Get interrupt vector (Interrupt = '55' AKA 'Get or set switch character')
2018-12-17T22:44:05.482508224Z 37 PC: 133ab | Set interrupt vector (Interrupt = '55' AKA 'Get or set switch character')
2018-12-17T22:44:05.485047668Z 53 PC: 133a2 | Get interrupt vector (Interrupt = '56' AKA 'Get or set country info')
2018-12-17T22:44:05.486654046Z 37 PC: 133ab | Set interrupt vector (Interrupt = '56' AKA 'Get or set country info')
2018-12-17T22:44:05.488052895Z 53 PC: 133a2 | Get interrupt vector (Interrupt = '57' AKA 'Create subdirectory')
2018-12-17T22:44:05.490447482Z 37 PC: 133ab | Set interrupt vector (Interrupt = '57' AKA 'Create subdirectory')
2018-12-17T22:44:05.491828693Z 53 PC: 133a2 | Get interrupt vector (Interrupt = '58' AKA 'Remove subdirectory')
2018-12-17T22:44:05.493281696Z 37 PC: 133ab | Set interrupt vector (Interrupt = '58' AKA 'Remove subdirectory')
2018-12-17T22:44:05.495660086Z 53 PC: 133a2 | Get interrupt vector (Interrupt = '59' AKA 'Change current directory')
2018-12-17T22:44:05.497002086Z 37 PC: 133ab | Set interrupt vector (Interrupt = '59' AKA 'Change current directory')
2018-12-17T22:44:05.498320014Z 53 PC: 133a2 | Get interrupt vector (Interrupt = '60' AKA 'Create or truncate file')
2018-12-17T22:44:05.500185381Z 37 PC: 133ab | Set interrupt vector (Interrupt = '60' AKA 'Create or truncate file')
2018-12-17T22:44:05.501032579Z 53 PC: 133a2 | Get interrupt vector (Interrupt = '61' AKA 'Open file')
2018-12-17T22:44:05.50213982Z 37 PC: 133ab | Set interrupt vector (Interrupt = '61' AKA 'Open file')
2018-12-17T22:44:05.503995353Z 53 PC: 133a2 | Get interrupt vector (Interrupt = '62' AKA 'Close file')
2018-12-17T22:44:05.50528772Z 37 PC: 133ab | Set interrupt vector (Interrupt = '62' AKA 'Close file')
2018-12-17T22:44:05.507120054Z 53 PC: 133a2 | Get interrupt vector (Interrupt = '63' AKA 'Read file or device')
2018-12-17T22:44:05.509585258Z 37 PC: 133ab | Set interrupt vector (Interrupt = '63' AKA 'Read file or device')
2018-12-17T22:44:05.510815249Z 53 PC: 133a2 | Get interrupt vector (Interrupt = '117' AKA 'UNKNOWN!')
2018-12-17T22:44:05.511948363Z 37 PC: 133ab | Set interrupt vector (Interrupt = '117' AKA 'UNKNOWN!')
2018-12-17T22:44:05.514199672Z 66 PC: 1464b | Move file pointer
2018-12-17T22:44:05.515980132Z 64 PC: 145ec | Write file or device (Write 8287 bytes on handle 5)
2018-12-17T22:44:05.524614589Z 62 PC: 14569 | Close file
2018-12-17T22:44:05.534328027Z 37 PC: 13c45 | Set interrupt vector (Interrupt = '0' AKA 'Program terminate')
2018-12-17T22:44:05.535563482Z 37 PC: 13c45 | Set interrupt vector (Interrupt = '2' AKA 'Character output')
2018-12-17T22:44:05.536632902Z 37 PC: 13c45 | Set interrupt vector (Interrupt = '27' AKA 'Get allocation info for default drive')
2018-12-17T22:44:05.538582801Z 37 PC: 13c45 | Set interrupt vector (Interrupt = '35' AKA 'Get file size in records')
2018-12-17T22:44:05.539969942Z 37 PC: 13c45 | Set interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-17T22:44:05.541330078Z 37 PC: 13c45 | Set interrupt vector (Interrupt = '52' AKA 'Get InDOS flag pointer')
2018-12-17T22:44:05.543857456Z 37 PC: 13c45 | Set interrupt vector (Interrupt = '53' AKA 'Get interrupt vector')
2018-12-17T22:44:05.545347454Z 37 PC: 13c45 | Set interrupt vector (Interrupt = '54' AKA 'Get free disk space')
2018-12-17T22:44:05.546794825Z 37 PC: 13c45 | Set interrupt vector (Interrupt = '55' AKA 'Get or set switch character')
2018-12-17T22:44:05.556232352Z 37 PC: 13c45 | Set interrupt vector (Interrupt = '56' AKA 'Get or set country info')
2018-12-17T22:44:05.557540692Z 37 PC: 13c45 | Set interrupt vector (Interrupt = '57' AKA 'Create subdirectory')
2018-12-17T22:44:05.558930851Z 37 PC: 13c45 | Set interrupt vector (Interrupt = '58' AKA 'Remove subdirectory')
2018-12-17T22:44:05.561294849Z 37 PC: 13c45 | Set interrupt vector (Interrupt = '59' AKA 'Change current directory')
2018-12-17T22:44:05.562853138Z 37 PC: 13c45 | Set interrupt vector (Interrupt = '60' AKA 'Create or truncate file')
2018-12-17T22:44:05.564384646Z 37 PC: 13c45 | Set interrupt vector (Interrupt = '61' AKA 'Open file')
2018-12-17T22:44:05.566390523Z 37 PC: 13c45 | Set interrupt vector (Interrupt = '62' AKA 'Close file')
2018-12-17T22:44:05.567986569Z 37 PC: 13c45 | Set interrupt vector (Interrupt = '63' AKA 'Read file or device')
2018-12-17T22:44:05.569989448Z 37 PC: 13c45 | Set interrupt vector (Interrupt = '117' AKA 'UNKNOWN!')
2018-12-17T22:44:05.572112086Z 76 PC: 13c84 | Terminate with return code (Return code = '0')