rule njrat{ meta: author = "Brian Wallace @botnet_hunter" author_email = "bwall@ballastsecurity.net" date = "2015-05-27" description = "Identify njRat" strings: $a1 = "netsh firewall add allowedprogram " wide $a2 = "SEE_MASK_NOZONECHECKS" wide $b1 = "[TAP]" wide $b2 = " & exit" wide $c1 = "md.exe /k ping 0 & del " wide $c2 = "cmd.exe /c ping 127.0.0.1 & del" wide $c3 = "cmd.exe /c ping" wide condition: 1 of ($a*) and 1 of ($b*) and 1 of ($c*) }