Nexusburst Posted August 18, 2022 (edited)

Analyzing MS-DOS malware (possibly). Is it possible to get more information on this malware? I have not been able to decipher its actual effects and features.

Findings: not a PE file, nor an executable or DLL; possibly some form of Cascade virus.

Info: it will be flagged by Windows Defender as a Trojan. Unpack the malware in a sandbox to carry out testing; it is recommended NOT to unpack it on your actual systems.

MS-DOS_Malware.zip

Edited August 18, 2022 by Nexusburst
kao Posted August 19, 2022

That is a COM file, a very common file format back in the old DOS days. It doesn't have any headers; execution starts from the very beginning of the file. It really is infected with the Cascade 1701 virus, but I can't determine the exact strain. Cascade was a file-infecting virus, appending its code to the end of an infected file. You can read a short description here: https://wiw.org/~meta/vsum/view.php?vir=266

The closest *useful* source code I could find is this: https://github.com/guitmz/virii/blob/master/0-9/1704.asm - it is not the exact match (Cascade 1704) but is very well commented. It should get you started. Other source codes (e.g. https://github.com/guitmz/virii/blob/master/0-9/1701.asm or https://github.com/guitmz/virii/blob/master/0-9/1701-b.asm) are pretty much useless.

As for the analysis environment: the IDA disassembler works fine if you set it to disassemble as 16-bit code. DOSBox works well as the sandbox for debugging purposes. Unfortunately I can't recommend any particular debugger; everything from the DOS days feels extremely user-unfriendly. Pick whatever feels right to you.
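As an added illustration of the layout kao describes (a headerless COM image loaded at CS:0100h, with an appending infector hanging its code off the end), here is a small Python triage check that is not from the thread or from any of the linked repositories. It decodes the near/short JMP at the entry point of a COM image and flags the file when that jump lands inside the last 1701 bytes; the sample image is constructed, and treating "entry JMP into the tail" as the infection heuristic is an assumption, not a documented Cascade signature.

```python
import struct

COM_LOAD_OFFSET = 0x100   # DOS loads a .COM image at CS:0100h, no header
CASCADE_LEN = 1701        # bytes the Cascade 1701 strain appends (assumed as the tail size)


def decode_entry_jump(image: bytes):
    """Return the file offset the leading JMP lands on, or None if the
    image does not begin with a near (E9 rel16) or short (EB rel8) JMP."""
    if len(image) >= 3 and image[0] == 0xE9:
        rel = struct.unpack_from("<h", image, 1)[0]   # signed 16-bit displacement
        next_ip = COM_LOAD_OFFSET + 3                 # IP after the 3-byte JMP
    elif len(image) >= 2 and image[0] == 0xEB:
        rel = struct.unpack_from("<b", image, 1)[0]   # signed 8-bit displacement
        next_ip = COM_LOAD_OFFSET + 2                 # IP after the 2-byte JMP
    else:
        return None
    target_ip = (next_ip + rel) & 0xFFFF              # 16-bit IP wraps inside the segment
    return target_ip - COM_LOAD_OFFSET                # convert back to a file offset


def looks_like_appended_infection(image: bytes, appended_len: int = CASCADE_LEN) -> bool:
    """Heuristic (assumption): the entry JMP transfers control into the
    last `appended_len` bytes of a file that is larger than that tail."""
    if len(image) <= appended_len:
        return False
    target = decode_entry_jump(image)
    if target is None or target < 0:
        return False
    return len(image) - appended_len <= target < len(image)


def build_sample() -> bytes:
    """Constructed sample: a 200-byte host of NOPs, a 1701-byte tail of
    INT3 filler, and the first three bytes patched to JMP to the tail."""
    host_len = 200
    image = bytearray(bytes([0x90]) * host_len + bytes([0xCC]) * CASCADE_LEN)
    rel = host_len - 3                                # displacement from the byte after the JMP
    image[0:3] = b"\xE9" + struct.pack("<h", rel)
    return bytes(image)


if __name__ == "__main__":
    sample = build_sample()
    print("entry JMP target:", decode_entry_jump(sample))
    print("flagged:", looks_like_appended_infection(sample))
```

Run it against a real sample only inside the sandbox; a clean COM that merely starts with a short jump over its data will not be flagged unless that jump reaches the tail region.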