Sample viewer

vx.netlux.org/Virus.DOS.VCode.2540

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-17T22:48:04.131584533Z	42	PC: 12f75 \| Get date 0x12f75: cmp dh, 0xc 0x12f78: jne 0x12fe6 0x12f7a: mov byte ptr cs:[0x24], 2 0x12f80: mov al, byte ptr [0x24] 0x12f83: mov cx, 0x64 0x12f86: xor dx, dx 0x12f88: inc dx 0x12f89: mov bx, 0 0x12f8c: int 0x25 0x12f8e: add sp, 2 0x12f91: clc 0x12f92: mov word ptr [0x3bf], ds 0x12f96: mov cx, 0xffff 0x12f99: mov bx, 0x3b7 0x12f9c: int 0x25 0x12f9e: add sp, 2 0x12fa1: clc 0x12fa2: mov ah, 0xd 0x12fa4: mov dl, byte ptr cs:[0x24] 0x12fa9: sub dl, 2

{"DateBased":true,"Day":1,"Month":1,"Year":1980,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":9421,"SideJobID":0}

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-25T12:23:08.112995256Z	42	PC: 12f75 \| Get date 0x12f75: cmp dh, 0xc 0x12f78: jne 0x12fe6 0x12f7a: mov byte ptr cs:[0x24], 2 0x12f80: mov al, byte ptr [0x24] 0x12f83: mov cx, 0x64 0x12f86: xor dx, dx 0x12f88: inc dx 0x12f89: mov bx, 0 0x12f8c: int 0x25 0x12f8e: add sp, 2 0x12f91: clc 0x12f92: mov word ptr [0x3bf], ds 0x12f96: mov cx, 0xffff 0x12f99: mov bx, 0x3b7 0x12f9c: int 0x25 0x12f9e: add sp, 2 0x12fa1: clc 0x12fa2: mov ah, 0xd 0x12fa4: mov dl, byte ptr cs:[0x24] 0x12fa9: sub dl, 2
2018-12-25T12:23:08.115909908Z	42	PC: 12d02 \| Get date 0x12d02: mov byte ptr [0x2b], al 0x12d05: mov byte ptr cs:[0x2e], 0 0x12d0b: mov ah, 0x2f 0x12d0d: int 0x21 0x12d0f: mov word ptr [0x27], bx 0x12d13: mov word ptr [0x29], es 0x12d17: mov ax, cs 0x12d19: mov es, ax 0x12d1b: mov ah, 0x1a 0x12d1d: mov dx, 0x921 0x12d20: int 0x21 0x12d22: mov ax, 0x3524 0x12d25: int 0x21 0x12d27: mov word ptr [0x1c], bx 0x12d2b: mov word ptr [0x1e], es 0x12d2f: mov ax, cs 0x12d31: mov es, ax 0x12d33: mov dx, 0x6a6 0x12d36: mov ax, 0x2524 0x12d39: int 0x21
2018-12-25T12:23:08.118279515Z	47	PC: 12d0f \| Get disk transfer address
2018-12-25T12:23:08.119644618Z	26	PC: 12d22 \| Set disk transfer address
2018-12-25T12:23:08.121301211Z	53	PC: 12d27 \| Get interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-25T12:23:08.122455555Z	37	PC: 12d3b \| Set interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-25T12:23:08.123638139Z	44	PC: 1311f \| Get time 0x1311f: xor ax, ax 0x13121: add al, ch 0x13123: xor ch, ch 0x13125: add ax, cx 0x13127: xchg dh, dl 0x13129: mov cx, dx 0x1312b: xor ch, ch 0x1312d: add ax, cx 0x1312f: xchg dh, dl 0x13131: mov cx, dx 0x13133: xor ch, ch 0x13135: mul cx 0x13137: pop bp 0x13138: mov cx, bp 0x1313a: div cx 0x1313c: mov bp, dx 0x1313e: pop ds 0x1313f: pop es 0x13140: pop di 0x13141: pop si
2018-12-25T12:23:08.125812357Z	25	PC: 12e59 \| Get default drive
2018-12-25T12:23:08.126722038Z	54	PC: 12e64 \| Get free disk space
2018-12-25T12:23:08.132342246Z	78	PC: 130d2 \| Find first file
2018-12-25T12:23:08.138666964Z	79	PC: 130fa \| Find next file
2018-12-25T12:23:08.140981723Z	79	PC: 130fa \| Find next file (See above)
2018-12-25T12:23:08.143341592Z	79	PC: 130fa \| Find next file (See above)
2018-12-25T12:23:08.14605556Z	79	PC: 130fa \| Find next file (See above)
2018-12-25T12:23:08.149009651Z	79	PC: 130fa \| Find next file (See above)
2018-12-25T12:23:08.151753714Z	79	PC: 130fa \| Find next file (See above)
2018-12-25T12:23:08.15448794Z	79	PC: 130fa \| Find next file (See above)
2018-12-25T12:23:08.157147822Z	79	PC: 130fa \| Find next file (See above)
2018-12-25T12:23:08.159471451Z	79	PC: 130fa \| Find next file (See above)
2018-12-25T12:23:08.161696991Z	44	PC: 1311f \| Get time (See above)
2018-12-25T12:23:08.164042023Z	44	PC: 12db2 \| Get time 0x12db2: mov byte ptr [0x2c], dh 0x12db6: mov al, byte ptr cs:[0x24] 0x12dba: mov ah, byte ptr cs:[0x2d] 0x12dbf: call 0x13148 0x12dc2: jae 0x12ded 0x12dc4: mov al, byte ptr cs:[0x2e] 0x12dc8: and al, 2 0x12dca: cmp al, 2 0x12dcc: je 0x12ded 0x12dce: mov al, byte ptr cs:[0x24] 0x12dd2: mov ah, 0 0x12dd4: call 0x13148 0x12dd7: jae 0x12ded 0x12dd9: mov al, byte ptr cs:[0x24] 0x12ddd: mov ah, 1 0x12ddf: call 0x13148 0x12de2: jae 0x12ded 0x12de4: mov al, byte ptr cs:[0x24] 0x12de8: mov ah, 2 0x12dea: call 0x13148
2018-12-25T12:23:08.166383488Z	78	PC: 13268 \| Find first file
2018-12-25T12:23:08.17255949Z	44	PC: 13023 \| Get time 0x13023: mov dl, byte ptr cs:[0x2c] 0x13028: mov ax, dx 0x1302a: neg al 0x1302c: add ah, al 0x1302e: test ah, 0x80 0x13031: je 0x13036 0x13033: add dh, 0x3c 0x13036: sub dh, dl 0x13038: cmp dh, byte ptr [0x2f] 0x1303c: jge 0x13042 0x1303e: clc 0x1303f: jmp 0x13043 0x13041: nop 0x13042: stc 0x13043: pop ds 0x13044: pop es 0x13045: pop di 0x13046: pop si 0x13047: pop dx 0x13048: pop cx
2018-12-25T12:23:08.175248641Z	67	PC: 1330a \| Get or set file attributes
2018-12-25T12:23:08.178924866Z	61	PC: 13318 \| Open file (Filename = 'A:\TEST.EXE')
2018-12-25T12:23:08.184956503Z	87	PC: 13325 \| Get or set file date and time
2018-12-25T12:23:08.186636388Z	66	PC: 1333f \| Move file pointer
2018-12-25T12:23:08.187802205Z	63	PC: 1334f \| Read file or device (Read 4 bytes on handle 5)
2018-12-25T12:23:08.190421074Z	87	PC: 13490 \| Get or set file date and time
2018-12-25T12:23:08.192262956Z	62	PC: 13494 \| Close file
2018-12-25T12:23:08.204306102Z	67	PC: 134a3 \| Get or set file attributes
2018-12-25T12:23:08.214148125Z	78	PC: 131c9 \| Find first file
2018-12-25T12:23:08.220887134Z	79	PC: 131d2 \| Find next file
2018-12-25T12:23:08.223232171Z	79	PC: 131d2 \| Find next file (See above)
2018-12-25T12:23:08.225562795Z	79	PC: 131d2 \| Find next file (See above)
2018-12-25T12:23:08.228514127Z	79	PC: 131d2 \| Find next file (See above)
2018-12-25T12:23:08.230892516Z	79	PC: 131d2 \| Find next file (See above)
2018-12-25T12:23:08.233332158Z	79	PC: 131d2 \| Find next file (See above)
2018-12-25T12:23:08.236092995Z	79	PC: 131d2 \| Find next file (See above)
2018-12-25T12:23:08.237674715Z	79	PC: 131d2 \| Find next file (See above)
2018-12-25T12:23:08.239415785Z	79	PC: 131d2 \| Find next file (See above)
2018-12-25T12:23:08.242189339Z	37	PC: 12dfe \| Set interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-25T12:23:08.243897979Z	26	PC: 12e07 \| Set disk transfer address
2018-12-25T12:23:08.244883821Z	76	PC: 12aa4 \| Terminate with return code (Return code = '164')

{"DateBased":true,"Day":1,"Month":12,"Year":1980,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":9421,"SideJobID":0}

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-25T12:23:08.319290667Z	42	PC: 12f75 \| Get date 0x12f75: cmp dh, 0xc 0x12f78: jne 0x12fe6 0x12f7a: mov byte ptr cs:[0x24], 2 0x12f80: mov al, byte ptr [0x24] 0x12f83: mov cx, 0x64 0x12f86: xor dx, dx 0x12f88: inc dx 0x12f89: mov bx, 0 0x12f8c: int 0x25 0x12f8e: add sp, 2 0x12f91: clc 0x12f92: mov word ptr [0x3bf], ds 0x12f96: mov cx, 0xffff 0x12f99: mov bx, 0x3b7 0x12f9c: int 0x25 0x12f9e: add sp, 2 0x12fa1: clc 0x12fa2: mov ah, 0xd 0x12fa4: mov dl, byte ptr cs:[0x24] 0x12fa9: sub dl, 2