Hajime botnet downloaders may attempt to exfiltrate data or establish command-and-control channels by leveraging compromised Azure resources. SOC teams should proactively hunt for this behavior to identify and mitigate botnet activity before it leads to data breaches or network compromise.
YARA Rule
import "hash"

rule Hajime_DOWNLOADER : MALW
{
    meta:
        description = "Hajime Botnet - Downloader"
        author = "Joan Soriano / @joanbtl"
        date = "2017-05-01"
        version = "1.0"
        MD5 = "f1cc4275d29b7eaa92a4cca015af227e"
        SHA1 = "e649e0d97cc23c8c4bbd78be430a49a4babbccd7"
        ref1 = "https://www.symantec.com/connect/blogs/hajime-worm-battles-mirai-control-internet-things/"
        ref2 = "https://security.rapiditynetworks.com/publications/2016-10-16/hajime.pdf"
    strings:
        $get = "GET /r/sr.arm5 HTTP/1.0"
        $nif = "NIF\n"
    condition:
        $get and $nif and filesize < 700KB and hash.sha1(0, filesize) == "e649e0d97cc23c8c4bbd78be430a49a4babbccd7"
}
This YARA rule can be deployed in the following contexts:
This rule contains 2 string patterns in its detection logic.
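The condition above pins the match to one exact SHA1, so any rebuilt or repacked downloader that still carries the two strings will not fire the rule as written. The following added example (not the rule author's code) mirrors each sub-condition in plain Python so an analyst can see which part of the logic a file satisfies; the sample buffers are constructed for illustration and are not real Hajime binaries.

```python
import hashlib

# Sub-conditions copied from the Hajime_DOWNLOADER rule on this page.
GET_STRING = b"GET /r/sr.arm5 HTTP/1.0"
NIF_STRING = b"NIF\n"
MAX_SIZE = 700 * 1024  # YARA's "filesize < 700KB"
PINNED_SHA1 = "e649e0d97cc23c8c4bbd78be430a49a4babbccd7"


def evaluate(data: bytes) -> dict:
    """Evaluate each clause of the rule against a file's bytes.

    'rule_match' is the rule exactly as written (including the hash pin);
    'heuristic_match' is the same rule without the hash pin, i.e. what the
    two strings plus the size bound would catch on their own.
    """
    result = {
        "get": GET_STRING in data,
        "nif": NIF_STRING in data,
        "size_ok": len(data) < MAX_SIZE,
        "sha1_ok": hashlib.sha1(data).hexdigest() == PINNED_SHA1,
    }
    result["heuristic_match"] = result["get"] and result["nif"] and result["size_ok"]
    result["rule_match"] = result["heuristic_match"] and result["sha1_ok"]
    return result


# Constructed sample: carries both strings but is not the pinned file.
SAMPLE_VARIANT = (
    b"\x7fELF" + b"\x00" * 16
    + b"GET /r/sr.arm5 HTTP/1.0\r\nHost: example.invalid\r\n\r\n"
    + b"NIF\n" + b"\x00" * 64
)

# Constructed sample: only the GET string, so the rule must not fire.
SAMPLE_GET_ONLY = b"\x7fELF" + b"GET /r/sr.arm5 HTTP/1.0\r\n" + b"\x00" * 32

if __name__ == "__main__":
    for name, blob in (("variant", SAMPLE_VARIANT), ("get_only", SAMPLE_GET_ONLY)):
        print(name, evaluate(blob))
```

The variant reports heuristic_match=True but rule_match=False, which is the gap a hunting team should expect from this rule: loosen the hash pin (or run the strings-only variant alongside it) if you want coverage beyond the single catalogued sample.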
Scenario: Scheduled System Maintenance Job
Description: A legitimate system maintenance job (e.g., schtasks.exe or Task Scheduler) is configured to download a script or configuration file from an internal server.
Filter/Exclusion: Check the source IP or domain against internal network ranges, and verify if the file path is within a known system maintenance directory (e.g., C:\Windows\System32\).
Scenario: Admin Performing Remote PowerShell Script Execution
Description: An administrator uses PowerShell (powershell.exe) to execute a remote script (e.g., via Invoke-Command) that downloads a file from a trusted internal server.
Filter/Exclusion: Filter by the user context (e.g., user = admin) and verify the script source is from a known internal IP or domain.
Scenario: Software Update Deployment via SCCM
Description: A Software Center (SCCM) update deployment is triggering a download of a package from a Microsoft server or internal repository.
Filter/Exclusion: Check the file hash against known good update packages, and verify the source is a trusted update server (e.g., update.microsoft.com or internal SCCM server).
Scenario: Log Collection Agent Pulling Logs from a Central Server
Description: A log collection agent (e.g., logstash, Splunk, or ELK) is configured to pull logs from a central server, which may involve downloading log files.
Filter/Exclusion: Filter by the agent process name and verify the destination path is a known log directory (e.g., C:\Logs\ or /var/log/).
Scenario: Database Backup Job Using SQL Agent
Description: A SQL Server backup job is configured to download a backup script or configuration file from a local or remote SQL Server instance