Sample viewer

vx.netlux.org/Virus.DOS.NightFall.4519

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-17T21:58:13.993747025Z	53	PC: 13be4 \| Get interrupt vector (Interrupt = '19' AKA 'Delete file')
2018-12-17T21:58:13.995837687Z	53	PC: 13be4 \| Get interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-17T21:58:13.997035531Z	53	PC: 13be4 \| Get interrupt vector (Interrupt = '42' AKA 'Get date')
2018-12-17T21:58:13.999137533Z	88	PC: 13ab7 \| case 0xGet or set allocation strateg:
2018-12-17T21:58:14.001670234Z	88	PC: 13ac2 \| case 0xGet or set allocation strateg:
2018-12-17T21:58:14.002752298Z	88	PC: 13ac7 \| case 0xGet or set allocation strateg:
2018-12-17T21:58:14.00383724Z	88	PC: 13ad1 \| case 0xGet or set allocation strateg:
2018-12-17T21:58:14.005833651Z	88	PC: 13b11 \| case 0xGet or set allocation strateg:
2018-12-17T21:58:14.007538693Z	88	PC: 13b15 \| case 0xGet or set allocation strateg:
2018-12-17T21:58:14.008934989Z	98	PC: 13b23 \| Get current PSP
2018-12-17T21:58:14.010684407Z	74	PC: 13b2c \| Reallocate memory
2018-12-17T21:58:14.012203Z	74	PC: 13b39 \| Reallocate memory
2018-12-17T21:58:14.013499099Z	42	PC: 13b61 \| Get date 0x13b61: mov al, 0xc3 0x13b63: cmp cl, 0xca 0x13b66: jb 0x13b71 0x13b68: ja 0x13b6f 0x13b6a: cmp dh, 6 0x13b6d: jb 0x13b71 0x13b6f: mov al, 0x90 0x13b71: mov byte ptr [si + 0x4cf], al 0x13b75: mov cx, 0x11a7 0x13b78: push cs 0x13b79: lea ax, word ptr [si + 0x73] 0x13b7c: push ax 0x13b7d: push es 0x13b7e: push 0x20b 0x13b81: rep movsb byte ptr es:[di], byte ptr [si] 0x13b83: retf 0x13b84: push si 0x13b85: mov ds, di 0x13b87: cmp byte ptr [0x4e0], 0xea 0x13b8c: jne 0x13b9d
2018-12-17T21:58:14.016467862Z	82	PC: 9ebee \| Get DOS internal pointers (SYSVARS)
2018-12-17T21:58:14.017731535Z	98	PC: 13a57 \| Get current PSP
2018-12-17T21:58:14.018688648Z	9	PC: 13908 \| Display string (String= 'Goat file (COM/b...). Size=00000FA0h/0000004000d bytes. ')
2018-12-17T21:58:14.024386238Z	48	PC: 13911 \| Get DOS version
2018-12-17T21:58:14.025574263Z	61	PC: 139de \| Open file (Filename = '')
2018-12-17T21:58:14.032216035Z	93	PC: 13980 \| File sharing functions
2018-12-17T21:58:14.034874539Z	9	PC: 13908 \| Display string (String= 'Size change=11DFh/04575d. ')
2018-12-17T21:58:14.038748856Z	76	PC: 13965 \| Terminate with return code (Return code = '1')

{"DateBased":true,"Day":1,"Month":1,"Year":1980,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":905,"SideJobID":0}

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-25T11:42:03.471070813Z	53	PC: 13be4 \| Get interrupt vector (Interrupt = '19' AKA 'Delete file')
2018-12-25T11:42:03.472513529Z	53	PC: 13be4 \| Get interrupt vector (See above)
2018-12-25T11:42:03.474394579Z	53	PC: 13be4 \| Get interrupt vector (See above)
2018-12-25T11:42:03.475663982Z	88	PC: 13ab7 \| case 0xGet or set allocation strateg:
2018-12-25T11:42:03.476786597Z	88	PC: 13ac2 \| case 0xGet or set allocation strateg:
2018-12-25T11:42:03.478661753Z	88	PC: 13ac7 \| case 0xGet or set allocation strateg:
2018-12-25T11:42:03.479792553Z	88	PC: 13ad1 \| case 0xGet or set allocation strateg:
2018-12-25T11:42:03.48151199Z	88	PC: 13b11 \| case 0xGet or set allocation strateg:
2018-12-25T11:42:03.48380787Z	88	PC: 13b15 \| case 0xGet or set allocation strateg:
2018-12-25T11:42:03.485253858Z	98	PC: 13b23 \| Get current PSP
2018-12-25T11:42:03.486302348Z	74	PC: 13b2c \| Reallocate memory
2018-12-25T11:42:03.488938041Z	74	PC: 13b39 \| Reallocate memory
2018-12-25T11:42:03.490573765Z	42	PC: 13b61 \| Get date 0x13b61: mov al, 0xc3 0x13b63: cmp cl, 0xca 0x13b66: jb 0x13b71 0x13b68: ja 0x13b6f 0x13b6a: cmp dh, 6 0x13b6d: jb 0x13b71 0x13b6f: mov al, 0x90 0x13b71: mov byte ptr [si + 0x4cf], al 0x13b75: mov cx, 0x11a7 0x13b78: push cs 0x13b79: lea ax, word ptr [si + 0x73] 0x13b7c: push ax 0x13b7d: push es 0x13b7e: push 0x20b 0x13b81: rep movsb byte ptr es:[di], byte ptr [si] 0x13b83: retf 0x13b84: push si 0x13b85: mov ds, di 0x13b87: cmp byte ptr [0x4e0], 0xea 0x13b8c: jne 0x13b9d
2018-12-25T11:42:03.493107961Z	82	PC: 9ebee \| Get DOS internal pointers (SYSVARS)
2018-12-25T11:42:03.495773087Z	98	PC: 13a57 \| Get current PSP
2018-12-25T11:42:03.496820903Z	9	PC: 13908 \| Display string (String= 'Goat file (COM/b...). Size=00000FA0h/0000004000d bytes. ')
2018-12-25T11:42:03.50241631Z	48	PC: 13911 \| Get DOS version
2018-12-25T11:42:03.504566048Z	61	PC: 139de \| Open file (Filename = '')
2018-12-25T11:42:03.511594043Z	93	PC: 13980 \| File sharing functions
2018-12-25T11:42:03.51369339Z	9	PC: 13908 \| Display string (See above)
2018-12-25T11:42:03.517942596Z	76	PC: 13965 \| Terminate with return code (Return code = '1')

{"DateBased":true,"Day":1,"Month":1,"Year":1994,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":905,"SideJobID":0}

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-25T11:42:03.508111518Z	53	PC: 13be4 \| Get interrupt vector (Interrupt = '19' AKA 'Delete file')
2018-12-25T11:42:03.511342006Z	53	PC: 13be4 \| Get interrupt vector (See above)
2018-12-25T11:42:03.512896786Z	53	PC: 13be4 \| Get interrupt vector (See above)
2018-12-25T11:42:03.514550728Z	88	PC: 13ab7 \| case 0xGet or set allocation strateg:
2018-12-25T11:42:03.51635876Z	88	PC: 13ac2 \| case 0xGet or set allocation strateg:
2018-12-25T11:42:03.51881506Z	88	PC: 13ac7 \| case 0xGet or set allocation strateg:
2018-12-25T11:42:03.52041165Z	88	PC: 13ad1 \| case 0xGet or set allocation strateg:
2018-12-25T11:42:03.522400133Z	88	PC: 13b11 \| case 0xGet or set allocation strateg:
2018-12-25T11:42:03.524881512Z	88	PC: 13b15 \| case 0xGet or set allocation strateg:
2018-12-25T11:42:03.52609617Z	98	PC: 13b23 \| Get current PSP
2018-12-25T11:42:03.527193613Z	74	PC: 13b2c \| Reallocate memory
2018-12-25T11:42:03.530127662Z	74	PC: 13b39 \| Reallocate memory
2018-12-25T11:42:03.532652693Z	42	PC: 13b61 \| Get date 0x13b61: mov al, 0xc3 0x13b63: cmp cl, 0xca 0x13b66: jb 0x13b71 0x13b68: ja 0x13b6f 0x13b6a: cmp dh, 6 0x13b6d: jb 0x13b71 0x13b6f: mov al, 0x90 0x13b71: mov byte ptr [si + 0x4cf], al 0x13b75: mov cx, 0x11a7 0x13b78: push cs 0x13b79: lea ax, word ptr [si + 0x73] 0x13b7c: push ax 0x13b7d: push es 0x13b7e: push 0x20b 0x13b81: rep movsb byte ptr es:[di], byte ptr [si] 0x13b83: retf 0x13b84: push si 0x13b85: mov ds, di 0x13b87: cmp byte ptr [0x4e0], 0xea 0x13b8c: jne 0x13b9d
2018-12-25T11:42:03.535208605Z	82	PC: 9ebee \| Get DOS internal pointers (SYSVARS)
2018-12-25T11:42:03.543559518Z	98	PC: 13a57 \| Get current PSP
2018-12-25T11:42:03.544712801Z	9	PC: 13908 \| Display string (String= 'Goat file (COM/b...). Size=00000FA0h/0000004000d bytes. ')
2018-12-25T11:42:03.550553632Z	48	PC: 13911 \| Get DOS version
2018-12-25T11:42:03.552764404Z	61	PC: 139de \| Open file (Filename = '')
2018-12-25T11:42:03.560317906Z	93	PC: 13980 \| File sharing functions
2018-12-25T11:42:03.56314689Z	9	PC: 13908 \| Display string (See above)
2018-12-25T11:42:03.569808157Z	76	PC: 13965 \| Terminate with return code (Return code = '1')

{"DateBased":true,"Day":1,"Month":6,"Year":1994,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":905,"SideJobID":0}

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-25T11:42:03.428488983Z	64	PC: 0 \| Write file or device (Write 2 bytes on handle 1)
2018-12-25T11:42:03.43492102Z	41	PC: 94fae \| Parse filename
2018-12-25T11:42:03.444357904Z	41	PC: 9502f \| Parse filename
2018-12-25T11:42:03.446476961Z	41	PC: 9504c \| Parse filename
2018-12-25T11:42:03.448693482Z	26	PC: 984f7 \| Set disk transfer address
2018-12-25T11:42:03.451006372Z	71	PC: 986f3 \| Get current directory
2018-12-25T11:42:03.453388374Z	78	PC: 986fe \| Find first file
2018-12-25T11:42:03.46018315Z	71	PC: 986f3 \| Get current directory (See above)
2018-12-25T11:42:03.463086861Z	78	PC: 986fe \| Find first file (See above)
2018-12-25T11:42:03.473775885Z	64	PC: 9a848 \| Write file or device (Write 26 bytes on handle 2)
2018-12-25T11:42:03.478423983Z	37	PC: 123c4 \| Set interrupt vector (Interrupt = '34' AKA 'Random write')
2018-12-25T11:42:03.48082645Z	37	PC: 123cb \| Set interrupt vector (Interrupt = '35' AKA 'Get file size in records')
2018-12-25T11:42:03.482949999Z	37	PC: 123d2 \| Set interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-25T11:42:03.484679551Z	62	PC: 122ab \| Close file
2018-12-25T11:42:03.486561669Z	62	PC: 122ab \| Close file (See above)
2018-12-25T11:42:03.488156411Z	62	PC: 122ab \| Close file (See above)
2018-12-25T11:42:03.489617999Z	62	PC: 122ab \| Close file (See above)
2018-12-25T11:42:03.49168415Z	62	PC: 122ab \| Close file (See above)
2018-12-25T11:42:03.493112443Z	62	PC: 122ab \| Close file (See above)
2018-12-25T11:42:03.494298773Z	62	PC: 122ab \| Close file (See above)
2018-12-25T11:42:03.496298272Z	62	PC: 122ab \| Close file (See above)
2018-12-25T11:42:03.497577746Z	62	PC: 122ab \| Close file (See above)
2018-12-25T11:42:03.498901243Z	62	PC: 122ab \| Close file (See above)
2018-12-25T11:42:03.50231739Z	62	PC: 122ab \| Close file (See above)
2018-12-25T11:42:03.503765523Z	62	PC: 122ab \| Close file (See above)
2018-12-25T11:42:03.505252259Z	62	PC: 122ab \| Close file (See above)
2018-12-25T11:42:03.506649829Z	62	PC: 122ab \| Close file (See above)
2018-12-25T11:42:03.508591432Z	62	PC: 122ab \| Close file (See above)
2018-12-25T11:42:03.51064316Z	99	PC: 9a5d7 \| Get DBCS lead byte table pointer
2018-12-25T11:42:03.511655374Z	56	PC: 94df9 \| Get or set country info
2018-12-25T11:42:03.513659324Z	64	PC: 9a848 \| Write file or device (See above)
2018-12-25T11:42:03.517969941Z	25	PC: 94e62 \| Get default drive
2018-12-25T11:42:03.519328255Z	71	PC: 970dd \| Get current directory
2018-12-25T11:42:03.523744421Z	64	PC: 9a848 \| Write file or device (See above)
2018-12-25T11:42:03.52582128Z	2	PC: 970b2 \| Character output (Char = '3e')
2018-12-25T11:42:03.527246859Z	93	PC: 94f20 \| File sharing functions
2018-12-25T11:42:03.529080786Z	93	PC: 94f27 \| File sharing functions
2018-12-25T11:42:03.538179091Z	10	PC: 94f39 \| Buffered keyboard input
2018-12-25T11:42:18.475675366Z	0	PC: 0 \| Program terminate (See above)
2018-12-25T11:42:19.829291469Z	0	PC: 0 \| Program terminate (See above)
2018-12-25T11:42:19.931495011Z	64	PC: 9a848 \| Write file or device (See above)
2018-12-25T11:42:19.937409591Z	41	PC: 94fae \| Parse filename (See above)
2018-12-25T11:42:19.939097448Z	41	PC: 9502f \| Parse filename (See above)
2018-12-25T11:42:19.94047188Z	41	PC: 9504c \| Parse filename (See above)
2018-12-25T11:42:19.944881529Z	26	PC: 984f7 \| Set disk transfer address (See above)
2018-12-25T11:42:19.946414535Z	71	PC: 986f3 \| Get current directory (See above)
2018-12-25T11:42:19.954241793Z	78	PC: 986fe \| Find first file (See above)
2018-12-25T11:42:19.964383252Z	71	PC: 9856c \| Get current directory
2018-12-25T11:42:19.96766946Z	73	PC: 97c09 \| Release memory
2018-12-25T11:42:19.96928353Z	75	PC: 11821 \| Execute program
2018-12-25T11:42:19.98324609Z	9	PC: 12a47 \| Display string (String= 'Hello, World! ')
2018-12-25T11:42:19.987288021Z	76	PC: 12a4b \| Terminate with return code (Return code = '36')

{"DateBased":true,"Day":1,"Month":1,"Year":1995,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":905,"SideJobID":0}

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-25T11:42:03.599308616Z	53	PC: 13be4 \| Get interrupt vector (Interrupt = '19' AKA 'Delete file')
2018-12-25T11:42:03.601633498Z	53	PC: 13be4 \| Get interrupt vector (See above)
2018-12-25T11:42:03.603019909Z	53	PC: 13be4 \| Get interrupt vector (See above)
2018-12-25T11:42:03.604385707Z	88	PC: 13ab7 \| case 0xGet or set allocation strateg:
2018-12-25T11:42:03.606877989Z	88	PC: 13ac2 \| case 0xGet or set allocation strateg:
2018-12-25T11:42:03.608395049Z	88	PC: 13ac7 \| case 0xGet or set allocation strateg:
2018-12-25T11:42:03.609609225Z	88	PC: 13ad1 \| case 0xGet or set allocation strateg:
2018-12-25T11:42:03.612276503Z	88	PC: 13b11 \| case 0xGet or set allocation strateg:
2018-12-25T11:42:03.626515772Z	88	PC: 13b15 \| case 0xGet or set allocation strateg:
2018-12-25T11:42:03.62869365Z	98	PC: 13b23 \| Get current PSP
2018-12-25T11:42:03.629987957Z	74	PC: 13b2c \| Reallocate memory
2018-12-25T11:42:03.631820024Z	74	PC: 13b39 \| Reallocate memory
2018-12-25T11:42:03.634139586Z	42	PC: 13b61 \| Get date 0x13b61: mov al, 0xc3 0x13b63: cmp cl, 0xca 0x13b66: jb 0x13b71 0x13b68: ja 0x13b6f 0x13b6a: cmp dh, 6 0x13b6d: jb 0x13b71 0x13b6f: mov al, 0x90 0x13b71: mov byte ptr [si + 0x4cf], al 0x13b75: mov cx, 0x11a7 0x13b78: push cs 0x13b79: lea ax, word ptr [si + 0x73] 0x13b7c: push ax 0x13b7d: push es 0x13b7e: push 0x20b 0x13b81: rep movsb byte ptr es:[di], byte ptr [si] 0x13b83: retf 0x13b84: push si 0x13b85: mov ds, di 0x13b87: cmp byte ptr [0x4e0], 0xea 0x13b8c: jne 0x13b9d
2018-12-25T11:42:03.639357262Z	82	PC: 9ebee \| Get DOS internal pointers (SYSVARS)
2018-12-25T11:42:03.641834922Z	98	PC: 13a57 \| Get current PSP
2018-12-25T11:42:03.642814412Z	9	PC: 13908 \| Display string (String= 'Goat file (COM/b...). Size=00000FA0h/0000004000d bytes. ')
2018-12-25T11:42:03.648073682Z	48	PC: 13911 \| Get DOS version
2018-12-25T11:42:03.650111693Z	61	PC: 139de \| Open file (Filename = '')
2018-12-25T11:42:03.657154917Z	93	PC: 13980 \| File sharing functions
2018-12-25T11:42:03.658996871Z	9	PC: 13908 \| Display string (See above)
2018-12-25T11:42:03.66368588Z	76	PC: 13965 \| Terminate with return code (Return code = '1')