fact-depend / rules
Commit feb521f7, authored 8 years ago by j0sm1, committed by GitHub 8 years ago
IOT malware Hajime
parent 69814327
Showing 1 changed file with 115 additions and 0 deletions
malware/MALW_Hajime.yar (0 → 100644, +115 -0)
import "hash"
rule Hajime_generic_ARCH : MALW
{
meta:
description = "Hajime Botnet - generic arch"
author = "Joan Soriano / @joanbtl"
date = "2017-05-01"
version = "1.0"
MD5 = "77122e0e6fcf18df9572d80c4eedd88d"
SHA1 = "108ee460d4c11ea373b7bba92086dd8023c0654f"
ref1 = "https://www.symantec.com/connect/blogs/hajime-worm-battles-mirai-control-internet-things/"
ref2 = "https://security.rapiditynetworks.com/publications/2016-10-16/hajime.pdf"
strings:
$userpass = "%d (!=0),user/pass auth will not work, ignored.\n"
$etcTZ = "/etc/TZ"
$Mvrs = ",M4.1.0,M10.5.0"
$bld = "%u.%u.%u.%u.in-addr.arpa"
condition:
$userpass and $etcTZ and $Mvrs and $bld
}
rule Hajime_MIPS : MALW
{
meta:
description = "Hajime Botnet - MIPS"
author = "Joan Soriano / @joanbtl"
date = "2017-05-01"
version = "1.0"
MD5 = "77122e0e6fcf18df9572d80c4eedd88d"
SHA1 = "108ee460d4c11ea373b7bba92086dd8023c0654f"
ref1 = "https://www.symantec.com/connect/blogs/hajime-worm-battles-mirai-control-internet-things/"
ref2 = "https://security.rapiditynetworks.com/publications/2016-10-16/hajime.pdf"
strings:
$userpass = "%d (!=0),user/pass auth will not work, ignored.\n"
$etcTZ = "/etc/TZ"
$Mvrs = ",M4.1.0,M10.5.0"
$bld = "%u.%u.%u.%u.in-addr.arpa"
condition:
$userpass and $etcTZ and $Mvrs and $bld and hash.sha1(0,filesize) == "108ee460d4c11ea373b7bba92086dd8023c0654f"
}
rule Hajime_ARM5 : MALW
{
meta:
description = "Hajime Botnet - ARM5"
author = "Joan Soriano / @joanbtl"
date = "2017-05-01"
version = "1.0"
MD5 = "d8821a03b9dc484144285d9051e0b2d3"
SHA1 = "89ec638b95b289dbce0535b4a2c5aad90c169d06"
ref1 = "https://www.symantec.com/connect/blogs/hajime-worm-battles-mirai-control-internet-things/"
ref2 = "https://security.rapiditynetworks.com/publications/2016-10-16/hajime.pdf"
strings:
$userpass = "%d (!=0),user/pass auth will not work, ignored.\n"
$etcTZ = "/etc/TZ"
$Mvrs = ",M4.1.0,M10.5.0"
$bld = "%u.%u.%u.%u.in-addr.arpa"
condition:
$userpass and $etcTZ and $Mvrs and $bld and hash.sha1(0,filesize) == "89ec638b95b289dbce0535b4a2c5aad90c169d06"
}
rule Hajime_SH4 : MALW
{
meta:
description = "Hajime Botnet - SH4"
author = "Joan Soriano / @joanbtl"
date = "2017-05-01"
version = "1.0"
MD5 = "6f39d7311091166a285fb0654b454761"
SHA1 = "3ed95ead04e59a2833538541978b79a9a8cb5290"
ref1 = "https://www.symantec.com/connect/blogs/hajime-worm-battles-mirai-control-internet-things/"
ref2 = "https://security.rapiditynetworks.com/publications/2016-10-16/hajime.pdf"
strings:
$userpass = "%d (!=0),user/pass auth will not work, ignored.\n"
$etcTZ = "/etc/TZ"
$Mvrs = ",M4.1.0,M10.5.0"
$bld = "%u.%u.%u.%u.in-addr.arpa"
condition:
$userpass and $etcTZ and $Mvrs and $bld and hash.sha1(0,filesize) == "3ed95ead04e59a2833538541978b79a9a8cb5290"
}
rule Hajime_DOWNLOADER : MALW
{
meta:
description = "Hajime Botnet - Downloader"
author = "Joan Soriano / @joanbtl"
date = "2017-05-01"
version = "1.0"
MD5 = "f1cc4275d29b7eaa92a4cca015af227e"
SHA1 = "e649e0d97cc23c8c4bbd78be430a49a4babbccd7"
ref1 = "https://www.symantec.com/connect/blogs/hajime-worm-battles-mirai-control-internet-things/"
ref2 = "https://security.rapiditynetworks.com/publications/2016-10-16/hajime.pdf"
strings:
$get = "GET /r/sr.arm5 HTTP/1.0"
$nif = "NIF\n"
condition:
$get and $nif and filesize < 700KB and hash.sha1(0,filesize) == "e649e0d97cc23c8c4bbd78be430a49a4babbccd7"
}
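Review bot: Hajime_MIPS carries exactly the same MD5/SHA1 in its meta block as Hajime_generic_ARCH (77122e0e6fcf18df9572d80c4eedd88d / 108ee460d4c11ea373b7bba92086dd8023c0654f), and pins that same SHA1 in its condition, so the "generic arch" rule is documented with one MIPS sample's hashes while the MIPS rule is just the generic rule plus a one-file pin; either drop the hash fields from Hajime_generic_ARCH's meta or rename them (e.g. `reference_sample_sha1`) so a reader does not take them for a detection hash of the generic rule. The four hash-pinned rules (Hajime_MIPS, Hajime_ARM5, Hajime_SH4, Hajime_DOWNLOADER) each match exactly one file because of the `hash.sha1(0,filesize) == "..."` clause, so they add nothing over a plain hash blocklist and any rebuilt, re-linked or repacked sample misses them; if the intent is per-architecture detection, gate on the ELF header instead, e.g. `import "elf"` and `elf.machine == elf.EM_MIPS` (EM_ARM, EM_SH for the others), and keep the string set as the actual detection logic. The operand order in those conditions is right as written: the strings are tested before `hash.sha1`, so YARA only hashes files that already matched. Also worth stating in the generic rule's meta: three of its four strings (`/etc/TZ`, `,M4.1.0,M10.5.0`, `%u.%u.%u.%u.in-addr.arpa`) look like uClibc time-zone and resolver library artifacts that any statically linked uClibc binary can carry, so the rule's specificity rests on `$userpass` alone; a second Hajime-specific string would make it less brittle. Finally, date/version/author/ref1/ref2 are copied verbatim into all five meta blocks; that is fine, but ref2 and ref1 should be checked for reachability before merge since the rule set has no other documentation of the strings' origin.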