Sample viewer

vx.netlux.org/Virus.DOS.Rubbit.3285

.

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-17T22:48:09.033641032Z	48	PC: 13a2c \| Get DOS version
2018-12-17T22:48:09.035209374Z	82	PC: 13bba \| Get DOS internal pointers (SYSVARS)
2018-12-17T22:48:09.03838698Z	53	PC: 12c80 \| Get interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-17T22:48:09.039692945Z	53	PC: 12c8c \| Get interrupt vector (Interrupt = '21' AKA 'Sequential write')
2018-12-17T22:48:09.040738416Z	53	PC: 12c98 \| Get interrupt vector (Interrupt = '19' AKA 'Delete file')
2018-12-17T22:48:09.042482798Z	37	PC: 12ca8 \| Set interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-17T22:48:09.0439626Z	37	PC: 12caf \| Set interrupt vector (Interrupt = '21' AKA 'Sequential write')
2018-12-17T22:48:09.045422792Z	37	PC: 12cb6 \| Set interrupt vector (Interrupt = '19' AKA 'Delete file')
2018-12-17T22:48:09.047582256Z	42	PC: 12cba \| Get date 0x12cba: cmp dx, 0x909 0x12cbe: jne 0x12cc5 0x12cc0: or byte ptr [0xcb], 2 0x12cc5: mov es, word ptr [0x4e] 0x12cc9: test byte ptr [0xcb], 4 0x12cce: jne 0x12cd3 0x12cd0: jmp 0x12bcc 0x12cd3: jmp 0x12b54 0x12cd6: mov ah, 0x52 0x12cd8: int 0x21 0x12cda: mov es, word ptr es:[bx - 2] 0x12cde: mov dl, byte ptr es:[0] 0x12ce3: cmp dl, 0x4d 0x12ce6: je 0x12ced 0x12ce8: cmp dl, 0x5a 0x12ceb: jne 0x12cfa 0x12ced: mov bx, es 0x12cef: mov ax, word ptr es:[3] 0x12cf3: add ax, bx 0x12cf5: inc ax
2018-12-17T22:48:09.050185722Z	74	PC: 12bea \| Reallocate memory
2018-12-17T22:48:09.052088247Z	53	PC: 12f45 \| Get interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-17T22:48:09.055624505Z	37	PC: 12f55 \| Set interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-17T22:48:09.057395303Z	61	PC: 12f66 \| Open file (Filename = '�Jp')
2018-12-17T22:48:09.065748879Z	62	PC: 136a1 \| Close file
2018-12-17T22:48:09.068778996Z	66	PC: 13147 \| Move file pointer
2018-12-17T22:48:09.070693772Z	63	PC: 13147 \| Read file or device (Read 6 bytes on handle 6)
2018-12-17T22:48:09.074179871Z	62	PC: 12f96 \| Close file

{"DateBased":true,"Day":1,"Month":1,"Year":1980,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":9449,"SideJobID":0}

.

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-25T12:23:11.462473436Z	48	PC: 13a2c \| Get DOS version
2018-12-25T12:23:11.464193281Z	82	PC: 13bba \| Get DOS internal pointers (SYSVARS)
2018-12-25T12:23:11.466304886Z	53	PC: 12c80 \| Get interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T12:23:11.467446506Z	53	PC: 12c8c \| Get interrupt vector (Interrupt = '21' AKA 'Sequential write')
2018-12-25T12:23:11.469546188Z	53	PC: 12c98 \| Get interrupt vector (Interrupt = '19' AKA 'Delete file')
2018-12-25T12:23:11.470754563Z	37	PC: 12ca8 \| Set interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T12:23:11.471949866Z	37	PC: 12caf \| Set interrupt vector (Interrupt = '21' AKA 'Sequential write')
2018-12-25T12:23:11.473185729Z	37	PC: 12cb6 \| Set interrupt vector (Interrupt = '19' AKA 'Delete file')
2018-12-25T12:23:11.475669229Z	42	PC: 12cba \| Get date 0x12cba: cmp dx, 0x909 0x12cbe: jne 0x12cc5 0x12cc0: or byte ptr [0xcb], 2 0x12cc5: mov es, word ptr [0x4e] 0x12cc9: test byte ptr [0xcb], 4 0x12cce: jne 0x12cd3 0x12cd0: jmp 0x12bcc 0x12cd3: jmp 0x12b54 0x12cd6: mov ah, 0x52 0x12cd8: int 0x21 0x12cda: mov es, word ptr es:[bx - 2] 0x12cde: mov dl, byte ptr es:[0] 0x12ce3: cmp dl, 0x4d 0x12ce6: je 0x12ced 0x12ce8: cmp dl, 0x5a 0x12ceb: jne 0x12cfa 0x12ced: mov bx, es 0x12cef: mov ax, word ptr es:[3] 0x12cf3: add ax, bx 0x12cf5: inc ax
2018-12-25T12:23:11.478287725Z	74	PC: 12bea \| Reallocate memory
2018-12-25T12:23:11.480142772Z	53	PC: 12f45 \| Get interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-25T12:23:11.482611562Z	37	PC: 12f55 \| Set interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-25T12:23:11.484438351Z	61	PC: 12f66 \| Open file (Filename = '�Jp')
2018-12-25T12:23:11.492572377Z	62	PC: 136a1 \| Close file
2018-12-25T12:23:11.496085073Z	66	PC: 13147 \| Move file pointer
2018-12-25T12:23:11.503355402Z	63	PC: 13147 \| Read file or device (See above)
2018-12-25T12:23:11.506828984Z	62	PC: 12f96 \| Close file

{"DateBased":true,"Day":9,"Month":9,"Year":1980,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":9449,"SideJobID":0}

.

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-25T12:23:11.508587034Z	48	PC: 13a2c \| Get DOS version
2018-12-25T12:23:11.514057964Z	82	PC: 13bba \| Get DOS internal pointers (SYSVARS)
2018-12-25T12:23:11.517048879Z	53	PC: 12c80 \| Get interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T12:23:11.518388258Z	53	PC: 12c8c \| Get interrupt vector (Interrupt = '21' AKA 'Sequential write')
2018-12-25T12:23:11.52080235Z	53	PC: 12c98 \| Get interrupt vector (Interrupt = '19' AKA 'Delete file')
2018-12-25T12:23:11.532996171Z	37	PC: 12ca8 \| Set interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T12:23:11.534808008Z	37	PC: 12caf \| Set interrupt vector (Interrupt = '21' AKA 'Sequential write')
2018-12-25T12:23:11.536595057Z	37	PC: 12cb6 \| Set interrupt vector (Interrupt = '19' AKA 'Delete file')
2018-12-25T12:23:11.539210529Z	42	PC: 12cba \| Get date 0x12cba: cmp dx, 0x909 0x12cbe: jne 0x12cc5 0x12cc0: or byte ptr [0xcb], 2 0x12cc5: mov es, word ptr [0x4e] 0x12cc9: test byte ptr [0xcb], 4 0x12cce: jne 0x12cd3 0x12cd0: jmp 0x12bcc 0x12cd3: jmp 0x12b54 0x12cd6: mov ah, 0x52 0x12cd8: int 0x21 0x12cda: mov es, word ptr es:[bx - 2] 0x12cde: mov dl, byte ptr es:[0] 0x12ce3: cmp dl, 0x4d 0x12ce6: je 0x12ced 0x12ce8: cmp dl, 0x5a 0x12ceb: jne 0x12cfa 0x12ced: mov bx, es 0x12cef: mov ax, word ptr es:[3] 0x12cf3: add ax, bx 0x12cf5: inc ax
2018-12-25T12:23:11.542302119Z	74	PC: 12bea \| Reallocate memory
2018-12-25T12:23:11.544462082Z	53	PC: 12f45 \| Get interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-25T12:23:11.554909493Z	37	PC: 12f55 \| Set interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-25T12:23:11.556829788Z	61	PC: 12f66 \| Open file (Filename = '�Jp')
2018-12-25T12:23:11.565002138Z	62	PC: 136a1 \| Close file
2018-12-25T12:23:11.569655237Z	66	PC: 13147 \| Move file pointer
2018-12-25T12:23:11.571570449Z	63	PC: 13147 \| Read file or device (See above)
2018-12-25T12:23:11.575310016Z	62	PC: 12f96 \| Close file