April 29, 2026 | Connor Gadbois
Botnets
When looking through Abuse.ch's URLHaus, I found a hilarious example of the great decisions that low-end cyber criminals make. Mirai and Mirai-like botnet operators often host their payloads on random VPSs or sometimes victims' machines, using the default Apache2 or NGINX config. This means that you can go to the site hosting the malware, see a listing of all of its files, and often even the default HTML page for the server.
This is a similar setup, but with a twist. They are using SimpleHTTP, a web server built into Python (python3 -m http.server), to host their files. Going to the root directory, we can see the usual Mirai payloads and some extra goodies. The ones that immediately stand out are server.go and server2.go. Getting source code for operators' servers is very useful, so this is an interesting finding.
Instead of doing command and control, these programs seem to be file servers. When a client connects over TCP, the server sends the file back. Each file gets its own port, and every download is logged. It looks like server2.go is an "upgraded" version of server.go.
As for the other files, there are 2 downloader scripts, flexdoiu and flexoiu, which are targeted at Android devices, which explains the ManjiBot.apk file. The 3000 file contains a list of 3000 IP addresses. I'm not entirely sure what this is for; possibly addresses to target, or maybe a blacklist.
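For anyone triaging a similar host, here is an added example (not from the original post or the linked repo) that fingerprints a Python http.server directory listing from a saved HTTP response and sorts the listed files. The response is constructed from the file names mentioned above, the Python version in the Server header is an assumed value, and triage and LinkParser are illustrative names.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# Constructed response: file names are the ones named in the post; the Python
# version in the Server header is an assumed value.
SAMPLE = (
    "HTTP/1.0 200 OK\r\n"
    "Server: SimpleHTTP/0.6 Python/3.10.12\r\n"
    "Content-type: text/html; charset=utf-8\r\n\r\n"
    "<html><head><title>Directory listing for /</title></head><body>\n"
    "<h1>Directory listing for /</h1><hr><ul>\n"
    + "".join(f'<li><a href="{n}">{n}</a></li>\n' for n in
              ["3000", "ManjiBot.apk", "flexdoiu", "flexoiu", "server.go", "server2.go"])
    + "</ul><hr></body></html>\n"
)

class LinkParser(HTMLParser):
    """Collect href values from the listing's <a> tags."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.links.append(unquote(href))

def triage(raw):
    """Fingerprint http.server and sort the listed files for an analyst."""
    head, _, body = raw.partition("\r\n\r\n")
    m = re.search(r"^Server:\s*(.+)$", head, re.I | re.M)
    server = m.group(1).strip() if m else ""
    parser = LinkParser()
    parser.feed(body)
    files = [f for f in parser.links if not f.endswith("/")]  # skip subdirectories
    return {
        "server": server,
        "open_directory": server.startswith("SimpleHTTP/")
                          and "<title>Directory listing for " in body,
        "source_code": [f for f in files if f.lower().endswith((".go", ".py", ".c"))],
        "android_packages": [f for f in files if f.lower().endswith(".apk")],
        "other": [f for f in files if "." not in f],
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

The Server header and the "Directory listing for" title are what http.server emits by default, so the two together are a reasonable signal that a host is serving a raw working directory.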
If you are interested in the source code and all the other files, I have uploaded them to GitHub.
Because of how common and similar these botnet setups are, I'm guessing there are forums or Telegram chats sharing the same copy-and-pasted instructions teaching people how to set up their own botnet.
URLHaus link: https://urlhaus.abuse.ch/url/3834075/
GitHub repo with files found: https://github.com/ConnorGadbois/lazy-cyber-criminals