1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
import "hash"
rule Hajime_generic_ARCH : MALW
{
meta:
description = "Hajime Botnet - generic arch"
author = "Joan Soriano / @joanbtl"
date = "2017-05-01"
version = "1.0"
MD5 = "77122e0e6fcf18df9572d80c4eedd88d"
SHA1 = "108ee460d4c11ea373b7bba92086dd8023c0654f"
ref1 = "https://www.symantec.com/connect/blogs/hajime-worm-battles-mirai-control-internet-things/"
ref2 = "https://security.rapiditynetworks.com/publications/2016-10-16/hajime.pdf"
strings:
$userpass = "%d (!=0),user/pass auth will not work, ignored.\n"
$etcTZ = "/etc/TZ"
$Mvrs = ",M4.1.0,M10.5.0"
$bld = "%u.%u.%u.%u.in-addr.arpa"
condition:
$userpass and $etcTZ and $Mvrs and $bld
}
rule Hajime_MIPS : MALW
{
meta:
description = "Hajime Botnet - MIPS"
author = "Joan Soriano / @joanbtl"
date = "2017-05-01"
version = "1.0"
MD5 = "77122e0e6fcf18df9572d80c4eedd88d"
SHA1 = "108ee460d4c11ea373b7bba92086dd8023c0654f"
ref1 = "https://www.symantec.com/connect/blogs/hajime-worm-battles-mirai-control-internet-things/"
ref2 = "https://security.rapiditynetworks.com/publications/2016-10-16/hajime.pdf"
strings:
$userpass = "%d (!=0),user/pass auth will not work, ignored.\n"
$etcTZ = "/etc/TZ"
$Mvrs = ",M4.1.0,M10.5.0"
$bld = "%u.%u.%u.%u.in-addr.arpa"
condition:
$userpass and $etcTZ and $Mvrs and $bld and hash.sha1(0,filesize) == "108ee460d4c11ea373b7bba92086dd8023c0654f"
}
rule Hajime_ARM5 : MALW
{
meta:
description = "Hajime Botnet - ARM5"
author = "Joan Soriano / @joanbtl"
date = "2017-05-01"
version = "1.0"
MD5 = "d8821a03b9dc484144285d9051e0b2d3"
SHA1 = "89ec638b95b289dbce0535b4a2c5aad90c169d06"
ref1 = "https://www.symantec.com/connect/blogs/hajime-worm-battles-mirai-control-internet-things/"
ref2 = "https://security.rapiditynetworks.com/publications/2016-10-16/hajime.pdf"
strings:
$userpass = "%d (!=0),user/pass auth will not work, ignored.\n"
$etcTZ = "/etc/TZ"
$Mvrs = ",M4.1.0,M10.5.0"
$bld = "%u.%u.%u.%u.in-addr.arpa"
condition:
$userpass and $etcTZ and $Mvrs and $bld and hash.sha1(0,filesize) == "89ec638b95b289dbce0535b4a2c5aad90c169d06"
}
rule Hajime_SH4 : MALW
{
meta:
description = "Hajime Botnet - SH4"
author = "Joan Soriano / @joanbtl"
date = "2017-05-01"
version = "1.0"
MD5 = "6f39d7311091166a285fb0654b454761"
SHA1 = "3ed95ead04e59a2833538541978b79a9a8cb5290"
ref1 = "https://www.symantec.com/connect/blogs/hajime-worm-battles-mirai-control-internet-things/"
ref2 = "https://security.rapiditynetworks.com/publications/2016-10-16/hajime.pdf"
strings:
$userpass = "%d (!=0),user/pass auth will not work, ignored.\n"
$etcTZ = "/etc/TZ"
$Mvrs = ",M4.1.0,M10.5.0"
$bld = "%u.%u.%u.%u.in-addr.arpa"
condition:
$userpass and $etcTZ and $Mvrs and $bld and hash.sha1(0,filesize) == "3ed95ead04e59a2833538541978b79a9a8cb5290"
}
rule Hajime_DOWNLOADER : MALW
{
meta:
description = "Hajime Botnet - Downloader"
author = "Joan Soriano / @joanbtl"
date = "2017-05-01"
version = "1.0"
MD5 = "f1cc4275d29b7eaa92a4cca015af227e"
SHA1 = "e649e0d97cc23c8c4bbd78be430a49a4babbccd7"
ref1 = "https://www.symantec.com/connect/blogs/hajime-worm-battles-mirai-control-internet-things/"
ref2 = "https://security.rapiditynetworks.com/publications/2016-10-16/hajime.pdf"
strings:
$get = "GET /r/sr.arm5 HTTP/1.0"
$nif = "NIF\n"
condition:
$get and $nif and filesize < 700KB and hash.sha1(0,filesize) == "e649e0d97cc23c8c4bbd78be430a49a4babbccd7"
}