
Hajime Botnet - ARM5

Type: yara · Severity: LOW · Source: Yara-Rules (community)
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
Retrieved: 2026-06-16T11:00:00Z · Confidence: medium

Hunt Hypothesis

The Hajime_ARM5 rule flags potential Hajime botnet activity on ARM5 devices; a match indicates a likely compromised device that may be taking part in command and control communication. SOC teams should proactively hunt for matches in Azure Sentinel to identify and mitigate early-stage botnet infections before they escalate.

YARA Rule

import "hash"

rule Hajime_ARM5 : MALW
{
    meta:
        description = "Hajime Botnet - ARM5"
        author = "Joan Soriano / @joanbtl"
        date = "2017-05-01"
        version = "1.0"
        MD5 = "d8821a03b9dc484144285d9051e0b2d3"
        SHA1 = "89ec638b95b289dbce0535b4a2c5aad90c169d06"
        ref1 = "https://www.symantec.com/connect/blogs/hajime-worm-battles-mirai-control-internet-things/"
        ref2 = "https://security.rapiditynetworks.com/publications/2016-10-16/hajime.pdf"

    strings:
        // Strings used to fingerprint the ARM5 sample
        $userpass = "%d (!=0),user/pass auth will not work, ignored.\n"
        $etcTZ = "/etc/TZ"
        $Mvrs = ",M4.1.0,M10.5.0"
        $bld = "%u.%u.%u.%u.in-addr.arpa"

    condition:
        // hash.sha1() requires the "hash" module import above. Pinning the
        // whole-file SHA1 restricts the match to this exact sample, so the
        // string patterns alone never trigger the rule.
        $userpass and $etcTZ and $Mvrs and $bld and
        hash.sha1(0, filesize) == "89ec638b95b289dbce0535b4a2c5aad90c169d06"
}
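
The following is an added example, not part of the Yara-Rules repository or this feed: it evaluates the rule's condition in plain Python against a constructed stand-in buffer, showing that a file carrying all four strings still fails the rule because of the pinned whole-file SHA1, while a strings-only variant would match. The sample bytes are constructed for the demonstration and are not a real Hajime binary.

```python
import hashlib

# String patterns copied from the Hajime_ARM5 rule above.
RULE_STRINGS = {
    "userpass": b"%d (!=0),user/pass auth will not work, ignored.\n",
    "etcTZ": b"/etc/TZ",
    "Mvrs": b",M4.1.0,M10.5.0",
    "bld": b"%u.%u.%u.%u.in-addr.arpa",
}
# Whole-file SHA-1 pinned in the rule's condition.
RULE_SHA1 = "89ec638b95b289dbce0535b4a2c5aad90c169d06"


def evaluate(data: bytes) -> dict:
    """Mirror the rule's condition (all four strings AND the SHA-1 gate),
    and also report what a strings-only variant without the gate returns."""
    hits = {name: (s in data) for name, s in RULE_STRINGS.items()}
    all_strings = all(hits.values())
    sha1 = hashlib.sha1(data).hexdigest()
    return {
        "strings": hits,
        "strings_only_match": all_strings,
        "sha1": sha1,
        "full_rule_match": all_strings and sha1 == RULE_SHA1,
    }


# Constructed stand-in (NOT a real sample): ELF-looking header bytes plus
# the four rule strings. Its SHA-1 cannot equal the pinned value, so the
# full rule will not fire even though every string is present.
FAKE_SAMPLE = (
    b"\x7fELF\x01\x01\x01\x00" + b"\x00" * 24
    + RULE_STRINGS["userpass"] + b"\x00"
    + RULE_STRINGS["etcTZ"] + b"\x00"
    + b"EST5EDT" + RULE_STRINGS["Mvrs"] + b"\x00"
    + RULE_STRINGS["bld"] + b"\x00"
)

if __name__ == "__main__":
    r = evaluate(FAKE_SAMPLE)
    print("string hits:", r["strings"])
    print("strings-only variant would match:", r["strings_only_match"])
    print("full rule (SHA-1 gated) matches:", r["full_rule_match"])
```

If the goal is to hunt for Hajime ARM5 variants rather than this single file, the condition without the hash comparison is the one to deploy, after validating its false-positive rate on benign ARM firmware images.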

Deployment Notes

This YARA rule can be deployed in the following contexts:

This rule contains 4 string patterns in its detection logic, all gated by a whole-file SHA1 comparison.

False Positive Guidance

Original source: https://github.com/Yara-Rules/rules/blob/main/malware/MALW_Hajime.yar