Hajime Botnet - SH4 identifies a known sample of the Hajime botnet compiled for the SH4 (SuperH) architecture by matching four strings characteristic of the binary together with the file's SHA1 hash. Hajime is an IoT worm that competes with Mirai for the same embedded devices (see the Symantec and Rapidity Networks references in the rule). The rule matches file content, not command-and-control traffic or process execution patterns, so it belongs in file-scanning pipelines such as endpoint YARA scanners, sandboxes and mail or firmware analysis tooling; matches can then be forwarded to a SIEM such as Azure Sentinel so SOC teams can identify early-stage infections of embedded devices before they escalate.
YARA Rule
// The hash module must be imported before hash.sha1() can be used in the condition;
// without this line the rule fails to compile.
import "hash"

rule Hajime_SH4 : MALW
{
    meta:
        description = "Hajime Botnet - SH4"
        author = "Joan Soriano / @joanbtl"
        date = "2017-05-01"
        version = "1.0"
        MD5 = "6f39d7311091166a285fb0654b454761"
        SHA1 = "3ed95ead04e59a2833538541978b79a9a8cb5290"
        ref1 = "https://www.symantec.com/connect/blogs/hajime-worm-battles-mirai-control-internet-things/"
        ref2 = "https://security.rapiditynetworks.com/publications/2016-10-16/hajime.pdf"
    strings:
        // "\n" is a YARA escape for a literal newline byte in the binary
        $userpass = "%d (!=0),user/pass auth will not work, ignored.\n"
        $etcTZ = "/etc/TZ"
        $Mvrs = ",M4.1.0,M10.5.0"
        $bld = "%u.%u.%u.%u.in-addr.arpa"
    condition:
        // All four strings must be present AND the whole file must hash to the SHA1 in meta.
        // The hash clause pins the rule to this one sample; recompiled variants will not match.
        $userpass and $etcTZ and $Mvrs and $bld and hash.sha1(0, filesize) == "3ed95ead04e59a2833538541978b79a9a8cb5290"
}
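As an added example that is not part of the original page or the rule author's code, the following Python re-implements the rule's condition with the standard library and runs it over constructed byte blobs, so the effect of the SHA1 clause is visible: a rebuilt binary that carries all four strings never matches the rule as written, because its hash differs. It goes beyond the page by adding an ELF e_machine check (EM_SH, value 42) as one assumed way to scope a hash-free variant to SuperH binaries; the sample files, the helper names and that check are assumptions for illustration, not anything taken from the referenced Hajime analyses.

```python
"""Plain-Python re-implementation of the Hajime_SH4 rule logic.

Constructed example (not the page's code): reproduces the four string
checks and the SHA1 pin from the YARA condition, then shows a hash-free
variant scoped by the ELF e_machine field. All sample inputs are synthetic.
"""
import hashlib
import struct

# The four strings from the rule; the YARA "\n" escape is a real newline byte.
HAJIME_STRINGS = [
    b"%d (!=0),user/pass auth will not work, ignored.\n",
    b"/etc/TZ",
    b",M4.1.0,M10.5.0",
    b"%u.%u.%u.%u.in-addr.arpa",
]
PINNED_SHA1 = "3ed95ead04e59a2833538541978b79a9a8cb5290"  # from the rule's meta/condition
EM_SH = 42   # ELF e_machine for Hitachi SuperH (SH4 is a SuperH core)
EM_ARM = 40  # used only to build a contrasting sample


def elf_machine(data: bytes):
    """Return the ELF e_machine value, or None if the data is not an ELF header."""
    if len(data) < 20 or data[:4] != b"\x7fELF":
        return None
    endian = "<" if data[5] == 1 else ">"  # EI_DATA: 1 = little-endian, 2 = big-endian
    return struct.unpack(endian + "H", data[18:20])[0]


def match_strings_only(data: bytes) -> bool:
    """The rule with the hash clause dropped: any file carrying all four strings."""
    return all(s in data for s in HAJIME_STRINGS)


def match_strict(data: bytes) -> bool:
    """The rule as written: all four strings AND the exact SHA1 of the whole file."""
    return match_strings_only(data) and hashlib.sha1(data).hexdigest() == PINNED_SHA1


def match_strings_sh(data: bytes) -> bool:
    """Assumed generalisation: the four strings plus an ELF header declaring SuperH."""
    return match_strings_only(data) and elf_machine(data) == EM_SH


def fake_elf(machine: int, payload: bytes) -> bytes:
    """Build a minimal little-endian ELF32 header followed by payload (constructed test data)."""
    ident = b"\x7fELF" + bytes([1, 1, 1]) + b"\x00" * 9  # ELFCLASS32, ELFDATA2LSB, EV_CURRENT
    header = ident + struct.pack("<HHI", 2, machine, 1) + b"\x00" * (52 - 24)  # e_type, e_machine, e_version
    return header + payload


# Constructed samples: a rebuilt SH4 binary with all strings, the same strings in an ARM
# binary, and a benign SH4 binary that only happens to contain two of the strings.
SH4_VARIANT = fake_elf(EM_SH, b"\x00".join(HAJIME_STRINGS))
ARM_VARIANT = fake_elf(EM_ARM, b"\x00".join(HAJIME_STRINGS))
BENIGN_SH4 = fake_elf(EM_SH, b"/etc/TZ\x00,M4.1.0,M10.5.0\x00")


def demo() -> dict:
    """Evaluate (strict, strings_only, strings_sh) for each constructed sample."""
    samples = [("sh4_variant", SH4_VARIANT), ("arm_variant", ARM_VARIANT), ("benign_sh4", BENIGN_SH4)]
    return {name: (match_strict(d), match_strings_only(d), match_strings_sh(d)) for name, d in samples}


if __name__ == "__main__":
    for name, (strict, strings_only, strings_sh) in demo().items():
        print(f"{name:12s} strict={strict!s:5} strings_only={strings_only!s:5} strings+SH={strings_sh}")
```

The strict function never returns True for any of the synthetic inputs, which is the point: with the hash clause, the four string atoms only speed up scanning and the rule is effectively a single-file IOC. The strings-only variant catches the rebuilt SH4 binary but also the ARM build, while the e_machine check keeps the hash-free variant on the architecture the rule is named for.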
The rule contains four string patterns, all of which must be present, and additionally requires the SHA1 of the whole file to equal the value in the meta section, so as written it matches only that one sample. If broader coverage of Hajime SH4 builds is wanted, the hash clause can be dropped, at the cost of first validating the four strings against benign SH4 binaries (the /etc/TZ and ",M4.1.0,M10.5.0" timezone strings in particular are not unique to malware). Because YARA matches file content rather than process telemetry, the process-based exclusions below only apply where a YARA hit is raised as an alert enriched with the context of the process that wrote or executed the file; they are not needed to suppress matches on the rule itself. This YARA rule can be deployed in the following contexts:
Scenario: System update or patch deployment using Ansible or Chef
Filter/Exclusion: Exclude file events whose process.name or process.parent.name is an Ansible or Chef binary, after confirming the files they write are the expected package content.
Scenario: Scheduled backup job using Veeam or Commvault
Filter/Exclusion: Exclude file events whose process.name is a Veeam or Commvault executable; a backup job reads existing files rather than introducing new binaries, so a hit here usually means the sample already exists on the source host and should still be investigated there.
Scenario: Admin task to configure SNMP or Syslog services
Filter/Exclusion: Exclude file events whose process.name is snmpd or syslog-ng, or whose process.command_line carries SNMP or syslog configuration commands.
Scenario: Legitimate use of Docker or Kubernetes for container orchestration
Filter/Exclusion: Exclude file events whose process.name is docker or kubelet, or whose process.parent.name indicates a container runtime or orchestrator, but keep scanning the image layers themselves since an infected SH4 binary can arrive inside an image.
Scenario: Network monitoring tool like Wireshark or tcpdump capturing traffic
Filter/Exclusion: Exclude file events whose process.name is tcpdump or wireshark, or whose process.command_line contains capture filters or specific network interfaces, so that capture files carrying the strings on the wire are not raised as binary detections.
Exclusions keyed on process.command_line keywords are easy for an attacker to satisfy; where the telemetry provides them, prefer process.executable paths or the executable's code-signing identity, and never exclude a hit whose file hash equals the SHA1 pinned in the rule.