Detects Mirai Okiru MALW

Hunt Hypothesis

The hypothesis is that the detection rule identifies potential Mirai Okiru malware activity by monitoring for suspicious network behavior indicative of botnet communication. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage botnet infections before they cause widespread disruption.

YARA Rule

rule Mirai_Okiru {
	meta:
		description = "Detects Mirai Okiru MALW"
		reference = "https://www.reddit.com/r/LinuxMalware/comments/7p00i3/quick_notes_for_okiru_satori_variant_of_mirai/"
		date = "2018-01-05"

	strings:
		$hexsts01 = { 68 7f 27 70 60 62 73 3c 27 28 65 6e 69 28 65 72 }
		$hexsts02 = { 74 7e 65 68 7f 27 73 61 73 77 3c 27 28 65 6e 69 }
		// noted some Okiru variant doesnt have below function, uncomment to seek specific x86 bins
    // $st07 = "iptables -F\n" fullword nocase wide ascii
    
	condition:
    		all of them
		and is__elf
		and is__Mirai_gen7
		and filesize < 100KB 
}

Deployment Notes

This YARA rule can be deployed in the following contexts:

• Microsoft Defender for Endpoint — Custom indicators / advanced hunting
• Email Gateway — Attachment scanning
• File Share Monitoring — Periodic scanning of shared drives
• YARA CLI — Manual threat hunting on endpoints

This rule contains 3 string patterns in its detection logic.

References

• https://www.reddit.com/r/LinuxMalware/comments/7p00i3/quick_notes_for_okiru_satori_variant_of_mirai/
• Source Rule

False Positive Guidance

• Scenario: System Backup Job Using nc for Internal Network Testing
  Description: A scheduled backup job uses nc (Netcat) to test connectivity to an internal server for validation purposes.
  Filter/Exclusion: Exclude traffic where the source IP is part of a known internal backup system and the destination port is a common internal service port (e.g., 22, 80, 443).
  Example Filter: src_ip IN (192.168.1.10, 192.168.1.20) AND dst_port IN (22, 80, 443)

• Scenario: Admin Performing Remote Management via SSH with nc for Debugging
  Description: An admin uses nc to test SSH connectivity or debug network issues from a remote location.
  Filter/Exclusion: Exclude traffic where the process is initiated by a known admin user (e.g., root, admin) and the command includes ssh or nc -zv.
  Example Filter: process_owner IN (root, admin) AND command_line CONTAINS "nc -zv"

• Scenario: Scheduled Cron Job Using nc to Test DNS Resolution
  Description: A cron job runs periodically to test DNS resolution by using nc to query a DNS server.
  Filter/Exclusion: Exclude traffic where the command line includes nc with DNS-related arguments (e.g., nc -zv 8.8.8.8 53).
  Example Filter: command_line CONTAINS "nc -zv 8.8.8.8 53"

• Scenario: Network Monitoring Tool Using nc for Port Scanning
  Description: A network monitoring tool like `