The hypothesis is that the detection rule identifies potential Mirai Variant 5 botnet activity through unusual network traffic patterns indicative of distributed denial-of-service attacks. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage botnet infections before they cause widespread disruption.
YARA Rule

rule Mirai_5 : MALW
{
    meta:
        description = "Mirai Variant 5"
        author = "Joan Soriano / @joanbtl"
        date = "2017-04-16"
        version = "1.0"
        MD5 = "7e17c34cddcaeb6755c457b99a8dfe32"
        SHA1 = "b63271672d6a044704836d542d92b98e2316ad24"
    strings:
        $dir1 = "/dev/watchdog"
        $dir2 = "/dev/misc/watchdog"
        $s1 = "PMMV"
        $s2 = "ZOJFKRA"
        $s3 = "FGDCWNV"
        $s4 = "OMVJGP"
        $ssl = "ssl3_ctrl"
    condition:
        $dir1 and $dir2 and $s1 and $s2 and $s3 and $s4 and $ssl
}
This YARA rule can be deployed in the following contexts:
This rule contains 7 string patterns in its detection logic.
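As an added illustration (not code from the page or from the rule's author), here is a small Python evaluator for the subset of YARA this rule actually uses: plain text strings and a condition that is a pure `and` of string identifiers. It embeds the rule from this page, parses the `strings:` and `condition:` sections, and reports which identifiers hit in a byte buffer, so an analyst can see why a sample matched or where a near-miss fell short. Hex strings, regexes, string modifiers and other condition operators are out of scope; a real deployment would use yara-python rather than this matcher.

```python
import re

# Rule text copied from this page (meta trimmed to one entry), embedded so the example runs offline.
MIRAI_5_RULE = r'''
rule Mirai_5 : MALW
{
    meta:
        description = "Mirai Variant 5"
    strings:
        $dir1 = "/dev/watchdog"
        $dir2 = "/dev/misc/watchdog"
        $s1 = "PMMV"
        $s2 = "ZOJFKRA"
        $s3 = "FGDCWNV"
        $s4 = "OMVJGP"
        $ssl = "ssl3_ctrl"
    condition:
        $dir1 and $dir2 and $s1 and $s2 and $s3 and $s4 and $ssl
}
'''

# One YARA text-string definition: $identifier = "literal"
STRING_DEF = re.compile(r'^\s*(\$\w+)\s*=\s*"([^"]*)"\s*$')

def parse_rule(text):
    # Returns (rule name, {identifier: bytes}, [identifiers in the condition]).
    # Only plain text strings and an all-'and' condition are understood.
    name = re.search(r'^\s*rule\s+(\w+)', text, re.M).group(1)
    strings, condition, section = {}, [], None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped in ('meta:', 'strings:', 'condition:'):
            section = stripped[:-1]
            continue
        if section == 'strings':
            m = STRING_DEF.match(line)
            if m:
                strings[m.group(1)] = m.group(2).encode()  # YARA text strings are ASCII by default
        elif section == 'condition' and stripped and stripped != '}':
            condition = [tok for tok in stripped.split() if tok != 'and']
    missing = set(condition) - set(strings)
    if missing:
        raise ValueError(f'condition references undefined strings: {missing}')
    return name, strings, condition

def match(rule_text, data):
    # Evaluate the rule against a byte buffer: (identifiers that hit, whole condition satisfied?).
    _, strings, condition = parse_rule(rule_text)
    hits = {ident for ident in condition if strings[ident] in data}
    return hits, len(hits) == len(condition)
```

`match(MIRAI_5_RULE, open(path, 'rb').read())` returns the set of identifiers found, which is also useful for triaging a sample that hits most but not all seven strings.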
Scenario: Scheduled System Backup Using rsync
Description: A legitimate scheduled backup job using rsync may trigger the rule due to similar command patterns.
Filter/Exclusion: Check for the presence of rsync in the command line and exclude processes with /usr/bin/rsync or /bin/rsync in the path.

Scenario: Admin Task Using nc for Network Diagnostics
Description: System administrators may use nc (netcat) for network testing or port scanning as part of routine maintenance.
Filter/Exclusion: Filter out processes initiated by admin users (e.g., root, admin, sudo) or those containing known diagnostic flags like -z or -w.

Scenario: Cron Job for Log Rotation
Description: A cron job that rotates logs using logrotate might include nc or similar utilities, causing a false positive.
Filter/Exclusion: Exclude processes with /usr/sbin/logrotate in the command line or those running under the cron user.

Scenario: Docker Container Communication
Description: Docker containers may use nc or telnet to communicate between containers or with external services.
Filter/Exclusion: Filter out processes running inside Docker containers by checking for /proc/self/cgroup or using container-specific labels.

Scenario: Security Tool for Network Monitoring
Description: Security tools like nmap or tcpdump may use nc for network monitoring or packet analysis.
Filter/Exclusion: Exclude processes that match known security tool binaries (e.g., /usr/bin/nmap, /usr/sbin/tcpdump) or those running with elevated privileges.