rule njRat { meta: author = " Kevin Breen " date = "2014/04" ref = "http://malwareconfig.com/stats/njRat" maltype = "Remote Access Trojan" filetype = "exe" strings: $s1 = {7C 00 27 00 7C 00 27 00 7C} // |'|'| $s2 = "netsh firewall add allowedprogram" wide $s3 = "Software\\Microsoft\\Windows\\CurrentVersion\\Run" wide $s4 = "yyyy-MM-dd" wide $v1 = "cmd.exe /k ping 0 & del" wide $v2 = "cmd.exe /c ping 127.0.0.1 & del" wide $v3 = "cmd.exe /c ping 0 -n 2 & del" wide condition: all of ($s*) and any of ($v*) }