The Mirai Downloader rule detects potential adversary behavior involving the download of malicious payloads commonly associated with the Mirai botnet, which may indicate initial compromise or command and control activity. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage botnet infections before they escalate into widespread network compromise.
YARA Rule
rule Mirai_Dwnl : MALW
{
    meta:
        description = "Mirai Downloader"
        author = "Joan Soriano / @joanbtl"
        date = "2017-04-16"
        version = "1.0"
        MD5 = "85784b54dee0b7c16c57e3a3a01db7e6"
        SHA1 = "6f6c625ef730beefbc23c7f362af329426607dee"
    strings:
        $s1 = "GET /mirai/"
        $s2 = "dvrHelper"
    condition:
        $s1 and $s2
}
This YARA rule can be deployed in the following contexts:
This rule contains 2 string patterns in its detection logic.
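To make the rule's logic concrete, the following added example (not part of the original rule or its author's work) re-implements the Mirai_Dwnl condition in plain Python: both ASCII strings must occur in the scanned bytes, and the MD5/SHA1 from the rule's meta are compared as a secondary indicator. The sample buffers are constructed for illustration and are not real malware; in production you would load the rule with yara-python instead.

```python
"""Minimal re-implementation of the Mirai_Dwnl rule logic (added example)."""
import hashlib
from dataclasses import dataclass, field

# Strings and hashes copied from the rule above. YARA text strings without
# modifiers are case-sensitive ASCII, so a plain bytes search is equivalent.
RULE_STRINGS = {"$s1": b"GET /mirai/", "$s2": b"dvrHelper"}
KNOWN_MD5 = "85784b54dee0b7c16c57e3a3a01db7e6"
KNOWN_SHA1 = "6f6c625ef730beefbc23c7f362af329426607dee"


@dataclass
class ScanResult:
    name: str
    matched_strings: list = field(default_factory=list)
    rule_match: bool = False   # condition: $s1 and $s2
    hash_match: bool = False   # MD5 or SHA1 equals the sample hashes in meta


def scan_buffer(name: str, data: bytes) -> ScanResult:
    """Apply the rule's strings and condition to one in-memory file."""
    matched = [sid for sid, pat in RULE_STRINGS.items() if pat in data]
    rule_match = all(sid in matched for sid in RULE_STRINGS)
    md5 = hashlib.md5(data).hexdigest()
    sha1 = hashlib.sha1(data).hexdigest()
    return ScanResult(name, matched, rule_match,
                      md5 == KNOWN_MD5 or sha1 == KNOWN_SHA1)


# Constructed samples (not real binaries): one that carries both strings,
# one with only the download path, and one benign admin curl command line
# like the false-positive scenarios below describe.
SAMPLES = {
    "both_strings": b"\x7fELF" + b"\x00" * 8
                    + b"GET /mirai/bot.x86 HTTP/1.0\r\n" + b"/tmp/dvrHelper\x00",
    "only_mirai_path": b"GET /mirai/ HTTP/1.0\r\n",
    "admin_curl": b"curl -o /etc/app.conf https://config.example.com/app.conf",
}


def scan_all(samples=SAMPLES):
    return {name: scan_buffer(name, data) for name, data in samples.items()}


def alerts(samples=SAMPLES):
    """Names of samples that would fire the rule (both strings present)."""
    return [n for n, r in scan_all(samples).items() if r.rule_match]


if __name__ == "__main__":
    for r in scan_all().values():
        print(f"{r.name:16} strings={r.matched_strings} "
              f"rule={r.rule_match} hash={r.hash_match}")
```

Because the condition is a conjunction, a file containing only "GET /mirai/" or only "dvrHelper" does not fire, which is why the rule is narrower than the process-level scenarios listed below.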
Scenario: Scheduled System Backup Using tar or rsync
Description: A legitimate scheduled backup job uses tar or rsync to archive and transfer files, which may resemble the command-line behavior of the Mirai downloader.
Filter/Exclusion: Exclude processes initiated by the system’s cron or systemd job scheduler, or filter by the presence of backup directories (e.g., /backup, /var/backups).
Scenario: Admin Task Using wget or curl for Configuration Sync
Description: An administrator uses wget or curl to fetch configuration files from a central server, which could be mistaken for a Mirai downloader.
Filter/Exclusion: Exclude traffic originating from known admin user IDs (e.g., root, admin) or filter by URLs matching internal configuration servers (e.g., https://config.example.com).
Scenario: Log Collection Agent Using scp or rsync
Description: A log aggregation tool like rsyslog or Fluentd uses scp or rsync to transfer logs to a central logging server, which may trigger the Mirai downloader rule.
Filter/Exclusion: Exclude processes associated with log collection tools (e.g., rsyslogd, fluentd) or filter by destination directories (e.g., /var/log/central).
Scenario: Software Update via yum or apt
Description: A system update using yum or apt may involve downloading packages from a repository, which could be flagged by the Mirai downloader rule.
Filter/Exclusion: Exclude processes initiated by package managers (e.g., yum, apt) or filter by repository URLs (e.g., http://repo.example.com).