ThreatFox IOC Database
You are viewing the ThreatFox database entry for ip:port 153.117.33.140:23.
Database Entry
| IOC ID: | 1837558 |
|---|---|
| IOC: | 153.117.33.140:23 |
| IOC Type : | ip:port |
| Threat Type : | botnet_cc |
| Malware: | Mirai |
| Malware alias: | Katana |
| Confidence Level : | Confidence level is high (100%) |
| Is compromised? : | False |
| ASN: | AS9541 CYBERNET-AP |
| Country: | PK |
| First seen: | 2026-06-25 18:52:34 UTC |
| Last seen: | never |
| UUID: | 096e3884-70c2-11f1-97fa-42010aa4000a |
| Reporter | |
| Reward | 10 credits from anonymous |
| Tags: | Mirai Variant |
| Reference: | https://speculus.co/search?ip=153.117.33.140 |
Speculus
Timestamp: 2026-06-25T18:01:51Z
Summary:
Automated Telnet brute-force and multi-directory write-permission testing targeting embedded Linux architectures. The host cycled through standard volatile filesystem paths to create a hidden verification artifact (.x) and change directories, concluding with a hex-encoded verification string (CWAOYA) to ensure root write access.
Heuristic Detection:
Target Vector: T1110.001 (Brute Force) / T1059.004 (Unix Shell)
IP Address: 153.117.33.140
Target Port: 23 (Telnet)
TTL: 127 (Maybe Windows)
Execution Footprint: >/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;/bin/busybox echo -e '\x43\x57\x41\x4f\x59\x41'