Sneed-Reactivity/yara-mikesxrs/ballastsecurity/njrat.yara


rule njrat
{
    // Detection rule for njRat. Fires only when at least one string from
    // each of the three groups below is present (see condition).
    meta:
        author       = "Brian Wallace @botnet_hunter"
        author_email = "bwall@ballastsecurity.net"
        date         = "2015-05-27"
        description  = "Identify njRat"

    strings:
        // NOTE: every pattern is declared `wide` only, so the rule matches the
        // UTF-16LE encoding exclusively; the same text stored as ASCII will not hit.

        // Group $a: Windows host-configuration artifacts.
        $a1 = "netsh firewall add allowedprogram " wide   // netsh command that adds a firewall exception
        $a2 = "SEE_MASK_NOZONECHECKS" wide                // env var that suppresses the attachment/zone security prompt

        // Group $b: miscellaneous tokens.
        $b1 = "[TAP]" wide      // presumably a keystroke-log marker — confirm against samples
        $b2 = " & exit" wide    // trailing fragment of a chained shell command

        // Group $c: "ping then del" command lines (a common self-deletion idiom).
        $c1 = "md.exe /k ping 0 & del " wide               // leading "c" of cmd.exe intentionally absent? — verify with author
        $c2 = "cmd.exe /c ping 127.0.0.1 & del" wide       // redundant with $c3 for the condition: $c3 is a prefix of $c2
        $c3 = "cmd.exe /c ping" wide

    condition:
        // One hit from each group is required; a single generic string alone is not enough.
        1 of ($a*) and
        1 of ($b*) and
        1 of ($c*)
}