The ThreatFox: Mirai IOCs rule detects potential Mirai botnet activity by identifying known malicious indicators associated with compromised IoT devices. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate large-scale DDoS attacks and lateral movement within their network.
IOC Summary
Malware Family: Mirai Total IOCs: 17 IOC Types: domain, url, sha256_hash, ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| url | hxxp://109[.]104[.]153[.]60/bins/frosty.mips | payload_delivery | 2026-06-24 | 75% |
| url | hxxp://89[.]32[.]41[.]16/bins/kla.sh | payload_delivery | 2026-06-24 | 75% |
| url | hxxp://91[.]92[.]40[.]176:67/sonnet.x86 | payload_delivery | 2026-06-24 | 75% |
| ip:port | 192[.]142[.]28[.]77:6742 | botnet_cc | 2026-06-24 | 100% |
| domain | genddos.st | botnet_cc | 2026-06-24 | 100% |
| sha256_hash | aedc3120dd7be8cb7336e8e6ed9b31fcdc01e10bc51e3491053858a4d403f001 | payload | 2026-06-24 | 80% |
| sha256_hash | 33efcefc39dabf8181aaf22dfab876531a86beb077a0eb87c77c80c5dadf2fa3 | payload | 2026-06-24 | 80% |
| sha256_hash | 863bfa0c0feb80dcdb7b9d3312c141496ccaba5017d692f016482f020c3db3a2 | payload | 2026-06-24 | 80% |
| sha256_hash | 7b15e02eb1012a75718bdbb7e4eb296337f7ddab152a72caf81f4440abf101b5 | payload | 2026-06-24 | 80% |
| sha256_hash | bb2b445a438cd2091098112e40248b332da6d01378dacf5d48c97eba74e62151 | payload | 2026-06-24 | 80% |
| sha256_hash | fbde3dfeefcc05bd893b757804dbcf3c6f1abe2e12cc28291bd778e01aa28af9 | payload | 2026-06-24 | 80% |
| sha256_hash | 52746757fcaa032ec73fa1344c12a86295b170fd44cec5ece496279b29796a17 | payload | 2026-06-24 | 80% |
| sha256_hash | b35ea6b18e0bb373da551d5aef9353b9b63878a771f6930e41f37b332bdb8fd8 | payload | 2026-06-24 | 80% |
| sha256_hash | 3fc221b4c837deedba2a10c9334aeef33acf1dd287e04208e1e2929a56cb5cad | payload | 2026-06-24 | 80% |
| sha256_hash | 68e2eaaf831a3f3ae2009b349226218be68c7eb16c0cbb051c3dacb15f51a665 | payload | 2026-06-24 | 80% |
| url | hxxp://8[.]217[.]17[.]75:2000/ml | payload_delivery | 2026-06-24 | 75% |
| sha256_hash | 0e838c6a588d00c029ea5e469e55e121688df7a6e8af7b75e53504dc81631cb5 | payload | 2026-06-24 | 80% |
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Mirai
let malicious_ips = dynamic(["192.142.28.77"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["192.142.28.77"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Mirai
let malicious_domains = dynamic(["genddos.st"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc// Hunt for access to known malicious URLs
// Source: ThreatFox - Mirai
let malicious_urls = dynamic(["http://109.104.153.60/bins/frosty.mips", "http://89.32.41.16/bins/kla.sh", "http://91.92.40.176:67/sonnet.x86", "http://8.217.17.75:2000/ml"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc// Hunt for files matching known malicious hashes
// Source: ThreatFox - Mirai
let malicious_hashes = dynamic(["aedc3120dd7be8cb7336e8e6ed9b31fcdc01e10bc51e3491053858a4d403f001", "33efcefc39dabf8181aaf22dfab876531a86beb077a0eb87c77c80c5dadf2fa3", "863bfa0c0feb80dcdb7b9d3312c141496ccaba5017d692f016482f020c3db3a2", "7b15e02eb1012a75718bdbb7e4eb296337f7ddab152a72caf81f4440abf101b5", "bb2b445a438cd2091098112e40248b332da6d01378dacf5d48c97eba74e62151", "fbde3dfeefcc05bd893b757804dbcf3c6f1abe2e12cc28291bd778e01aa28af9", "52746757fcaa032ec73fa1344c12a86295b170fd44cec5ece496279b29796a17", "b35ea6b18e0bb373da551d5aef9353b9b63878a771f6930e41f37b332bdb8fd8", "3fc221b4c837deedba2a10c9334aeef33acf1dd287e04208e1e2929a56cb5cad", "68e2eaaf831a3f3ae2009b349226218be68c7eb16c0cbb051c3dacb15f51a665", "0e838c6a588d00c029ea5e469e55e121688df7a6e8af7b75e53504dc81631cb5"]);
DeviceFileEvents
| where SHA256 in (malicious_hashes) or SHA1 in (malicious_hashes) or MD5 in (malicious_hashes)
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessFileName
| order by Timestamp desc| Sentinel Table | Notes |
|---|---|
CommonSecurityLog | Ensure this data connector is enabled |
DeviceFileEvents | Ensure this data connector is enabled |
DeviceNetworkEvents | Ensure this data connector is enabled |
DnsEvents | Ensure this data connector is enabled |
UrlClickEvents | Ensure this data connector is enabled |
Scenario: A system administrator is using nc (Netcat) to perform a network diagnostic test.
Filter/Exclusion: Exclude processes initiated by user root or with sudo in the command line.
Scenario: A scheduled backup job is using tar to archive logs, which includes a file named mirror that matches a Mirai IOC.
Filter/Exclusion: Exclude files or processes related to backup tools like tar, rsync, or backupd.
Scenario: A network monitoring tool like tcpdump is capturing traffic that includes a Mirai-related string due to packet payload analysis.
Filter/Exclusion: Exclude traffic from known monitoring tools or processes with tcpdump, Wireshark, or nmap in the command line.
Scenario: A system update job is using curl to download a package from a known internal repository, which happens to match a Mirai IOC.
Filter/Exclusion: Exclude processes initiated by update tools like apt, yum, or dnf, or traffic to internal IP ranges.
Scenario: A devops pipeline is running a CI/CD tool like Jenkins or GitLab CI, which includes a script that temporarily uses a Mirai-related command for testing.
Filter/Exclusion: Exclude processes with jenkins, gitlab-runner, or docker in the command line, or those running in a CI/CD context.