Hajime Botnet activity is detected through suspicious network communication patterns indicative of botnet command and control interactions. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential botnet infections early in the attack lifecycle.
YARA Rule
rule Hajime_generic_ARCH : MALW
{
    meta:
        description = "Hajime Botnet - generic arch"
        author = "Joan Soriano / @joanbtl"
        date = "2017-05-01"
        version = "1.0"
        MD5 = "77122e0e6fcf18df9572d80c4eedd88d"
        SHA1 = "108ee460d4c11ea373b7bba92086dd8023c0654f"
        ref1 = "https://www.symantec.com/connect/blogs/hajime-worm-battles-mirai-control-internet-things/"
        ref2 = "https://security.rapiditynetworks.com/publications/2016-10-16/hajime.pdf"
    strings:
        $userpass = "%d (!=0),user/pass auth will not work, ignored.\n"
        $etcTZ = "/etc/TZ"
        $Mvrs = ",M4.1.0,M10.5.0"
        $bld = "%u.%u.%u.%u.in-addr.arpa"
    condition:
        $userpass and $etcTZ and $Mvrs and $bld
}
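To make the rule's logic concrete, the following added example (written for this page, not code from the rule author or from the YARA project) parses the four text strings out of the rule above, decodes YARA's escape sequences (the `\n` at the end of `$userpass` is a real newline byte), and applies the condition, which requires every one of the four strings to be present. The two sample buffers are constructed for illustration and are not real Hajime samples; the second one carries only three of the strings, so the AND condition must reject it. A production scan would use the yara CLI or yara-python, which this stand-in does not replace.

```python
import re

# Rule text reproduced from the page (meta fields omitted; strings and
# condition are unchanged). Kept as a raw string so "\n" stays a YARA escape.
RULE_TEXT = r'''
rule Hajime_generic_ARCH : MALW
{
    strings:
        $userpass = "%d (!=0),user/pass auth will not work, ignored.\n"
        $etcTZ = "/etc/TZ"
        $Mvrs = ",M4.1.0,M10.5.0"
        $bld = "%u.%u.%u.%u.in-addr.arpa"
    condition:
        $userpass and $etcTZ and $Mvrs and $bld
}
'''

_ESCAPES = {"n": b"\n", "t": b"\t", "r": b"\r", "\\": b"\\", '"': b'"'}


def decode_yara_text(body):
    """Turn a YARA text-string body (\\n, \\t, \\r, \\\\, \\", \\xNN) into raw bytes."""
    out = bytearray()
    i = 0
    while i < len(body):
        ch = body[i]
        if ch == "\\":
            nxt = body[i + 1]
            if nxt == "x":                      # \xNN hex escape
                out += bytes([int(body[i + 2:i + 4], 16)])
                i += 4
                continue
            out += _ESCAPES[nxt]                # single-character escape
            i += 2
            continue
        out += ch.encode("latin-1")
        i += 1
    return bytes(out)


def parse_rule(rule_text):
    """Return ({identifier: pattern bytes}, [identifiers named in the condition])."""
    strings_part = rule_text.split("strings:", 1)[1].split("condition:", 1)[0]
    condition_part = rule_text.split("condition:", 1)[1].split("}", 1)[0]
    patterns = {}
    # $name = "body" where body may contain escaped quotes/backslashes
    for name, body in re.findall(r'(\$\w+)\s*=\s*"((?:[^"\\]|\\.)*)"', strings_part):
        patterns[name] = decode_yara_text(body)
    required = re.findall(r"\$\w+", condition_part)
    return patterns, required


def evaluate(rule_text, data):
    """Apply the rule's all-strings-must-match condition to a byte buffer.

    Returns (matched, {identifier: found}) so a triage analyst can see which
    string broke a near-match.
    """
    patterns, required = parse_rule(rule_text)
    hits = {name: (pattern in data) for name, pattern in patterns.items()}
    matched = all(hits[name] for name in required)
    return matched, hits


# Constructed sample buffers (not real binaries). The first embeds all four
# strings; the second lacks $userpass and therefore must not match.
SAMPLE_HAJIME_LIKE = (
    b"\x7fELF" + b"\x00" * 16
    + b"%d (!=0),user/pass auth will not work, ignored.\n"
    + b"/etc/TZ\x00UTC0,M4.1.0,M10.5.0\x00"
    + b"%u.%u.%u.%u.in-addr.arpa\x00"
)
SAMPLE_BENIGN = b"/etc/TZ\x00,M4.1.0,M10.5.0\x00%u.%u.%u.%u.in-addr.arpa\x00"


if __name__ == "__main__":
    for label, buf in (("hajime-like", SAMPLE_HAJIME_LIKE), ("benign", SAMPLE_BENIGN)):
        matched, hits = evaluate(RULE_TEXT, buf)
        print(f"{label}: matched={matched} hits={hits}")
```

Because the condition joins all four strings with `and`, a file that carries only the timezone and reverse-DNS strings (common in ordinary embedded Linux binaries) does not fire; the `$userpass` message is what narrows the rule to the Hajime family, which is why the per-string hit map is useful when tuning.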
This rule contains 4 string patterns in its detection logic, and its condition requires all of them to match. It can be deployed in the following contexts; each scenario lists benign activity that may require a filter or exclusion:
Scenario: System backup process using rsync or tar
Filter/Exclusion: Check for command-line arguments containing --backup, --exclude, or paths like /var/backups/ or /home/user/backup/
Scenario: Scheduled system maintenance task using cron or systemd
Filter/Exclusion: Filter out processes with cron, systemd, or at in the command line, or check for timestamps matching scheduled job intervals
Scenario: Admin using scp or rsync to transfer files between servers
Filter/Exclusion: Include filters for scp, rsync, or ssh in the command line, or check for source/destination paths within the internal network
Scenario: Log rotation using logrotate or rsyslog
Filter/Exclusion: Filter for logrotate, rsyslog, or log in the command line, or check for paths like /var/log/ or /etc/logrotate.d/
Scenario: Software update or patch deployment using yum, apt, or dnf
Filter/Exclusion: Include filters for yum, apt, dnf, or update in the command line, or check for paths like /var/cache/apt/ or /var/log/yum/