Hajime Botnet activity is detected through MIPS-based communication patterns indicative of command and control interactions. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential botnet infections early.
YARA Rule
import "hash"

rule Hajime_MIPS : MALW
{
    meta:
        description = "Hajime Botnet - MIPS"
        author = "Joan Soriano / @joanbtl"
        date = "2017-05-01"
        version = "1.0"
        MD5 = "77122e0e6fcf18df9572d80c4eedd88d"
        SHA1 = "108ee460d4c11ea373b7bba92086dd8023c0654f"
        ref1 = "https://www.symantec.com/connect/blogs/hajime-worm-battles-mirai-control-internet-things/"
        ref2 = "https://security.rapiditynetworks.com/publications/2016-10-16/hajime.pdf"
    strings:
        $userpass = "%d (!=0),user/pass auth will not work, ignored.\n"
        $etcTZ = "/etc/TZ"
        $Mvrs = ",M4.1.0,M10.5.0"
        $bld = "%u.%u.%u.%u.in-addr.arpa"
    condition:
        $userpass and $etcTZ and $Mvrs and $bld and hash.sha1(0, filesize) == "108ee460d4c11ea373b7bba92086dd8023c0654f"
}
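The condition above has a property worth seeing concretely: because it ANDs the four string matches with an exact SHA1 of the whole file, the rule can only ever fire on the one sample whose hash is pinned in the meta block, so the strings add no coverage on their own. The following Python is an added example, not code from the rule's author or from YARA; it re-implements the condition over a constructed byte buffer (not a real sample) and contrasts it with a strings-only variant, so a defender can judge which form suits their hunt. The `rule_strings_only` function and the `SAMPLE` buffer are assumptions made for the demonstration.

```python
import hashlib

# Reference SHA1 pinned in the rule's condition (value taken from the page).
REFERENCE_SHA1 = "108ee460d4c11ea373b7bba92086dd8023c0654f"

# The four text strings from the rule as raw bytes. YARA text strings are
# ASCII and case-sensitive by default, and "\n" is a single newline byte.
STRINGS = {
    "$userpass": b"%d (!=0),user/pass auth will not work, ignored.\n",
    "$etcTZ": b"/etc/TZ",
    "$Mvrs": b",M4.1.0,M10.5.0",
    "$bld": b"%u.%u.%u.%u.in-addr.arpa",
}


def matched_strings(data: bytes) -> dict:
    """Map each string identifier to whether it occurs anywhere in data."""
    return {name: pattern in data for name, pattern in STRINGS.items()}


def rule_as_written(data: bytes) -> bool:
    """Equivalent of the page's condition:
    $userpass and $etcTZ and $Mvrs and $bld and hash.sha1(0, filesize) == REF
    hash.sha1(0, filesize) hashes the entire file, so this is a whole-file SHA1."""
    all_strings = all(matched_strings(data).values())
    return all_strings and hashlib.sha1(data).hexdigest() == REFERENCE_SHA1


def rule_strings_only(data: bytes) -> bool:
    """Hypothetical variant (assumption, not on the page) that drops the hash
    clause and therefore matches any file carrying all four strings."""
    return all(matched_strings(data).values())


# Constructed sample buffer: a fake ELF-looking blob that contains all four
# strings. It is not the real Hajime sample, so its SHA1 differs from the
# reference and the pinned-hash rule must not match it.
SAMPLE = b"\x7fELF" + b"\x00" * 16 + b"".join(STRINGS.values()) + b"\x00" * 8


def demo() -> dict:
    """Evaluate both forms of the rule against the constructed sample."""
    return {
        "strings": matched_strings(SAMPLE),
        "as_written": rule_as_written(SAMPLE),
        "strings_only": rule_strings_only(SAMPLE),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running it shows every string matching on the constructed buffer, `strings_only` returning True and `as_written` returning False. That is the trade-off to decide before deploying: the pinned-hash form has no false positives but also no reach beyond one file, while the strings-only form generalizes to recompiled variants at the cost of needing the benign exclusions listed below.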
This rule contains 4 string patterns in its detection logic. The following scenarios describe legitimate contexts in which MIPS binaries run, together with the filter or exclusion to apply when deploying this rule so that those contexts are not flagged:
Scenario: System Maintenance Task Using MIPS Binary
Description: A system administrator is running a legitimate maintenance script that uses a MIPS binary for hardware diagnostics.
Filter/Exclusion: process.name != "diagnostic_tool_mips" or process.parent.name != "systemd"
Scenario: Scheduled Job for Network Monitoring
Description: A network monitoring tool (e.g., ntopng) is configured to run a MIPS-based analysis tool periodically as part of its monitoring process.
Filter/Exclusion: process.name != "ntopng_analysis_tool" or process.parent.name != "cron"
Scenario: Admin Task Involving MIPS Emulation
Description: A developer is testing a MIPS emulator (e.g., QEMU MIPS) for cross-platform compatibility testing.
Filter/Exclusion: process.name != "qemu-system-mips" or process.parent.name != "bash"
Scenario: Legitimate Firmware Update Process
Description: A firmware update is being applied to a MIPS-based device (e.g., a router or IoT device) using a known vendor tool.
Filter/Exclusion: process.name != "firmware_updater_mips" or process.parent.name != "update_manager"
Scenario: Security Tool Using MIPS for Analysis
Description: A security tool (e.g., Cuckoo Sandbox) is running a MIPS-based sandbox environment to analyze malware.
Filter/Exclusion: process.name != "cuckoo_mips_sandbox" or process.parent.name != "cuckoo"