24 lines
567 B
Text
24 lines
567 B
Text
|
rule njRat
|
||
|
{
|
||
|
meta:
|
||
|
author = " Kevin Breen <kevin@techanarchy.net>"
|
||
|
date = "2014/04"
|
||
|
ref = "http://malwareconfig.com/stats/njRat"
|
||
|
maltype = "Remote Access Trojan"
|
||
|
filetype = "exe"
|
||
|
|
||
|
strings:
|
||
|
|
||
|
$s1 = {7C 00 27 00 7C 00 27 00 7C} // |'|'|
|
||
|
$s2 = "netsh firewall add allowedprogram" wide
|
||
|
$s3 = "Software\\Microsoft\\Windows\\CurrentVersion\\Run" wide
|
||
|
$s4 = "yyyy-MM-dd" wide
|
||
|
|
||
|
$v1 = "cmd.exe /k ping 0 & del" wide
|
||
|
$v2 = "cmd.exe /c ping 127.0.0.1 & del" wide
|
||
|
$v3 = "cmd.exe /c ping 0 -n 2 & del" wide
|
||
|
|
||
|
|
||
|
condition:
|
||
|
all of ($s*) and any of ($v*)
|
||
|
}
|