19 lines
No EOL
558 B
Text
19 lines
No EOL
558 B
Text
rule njrat{
|
|
meta:
|
|
author = "Brian Wallace @botnet_hunter"
|
|
author_email = "bwall@ballastsecurity.net"
|
|
date = "2015-05-27"
|
|
description = "Identify njRat"
|
|
strings:
|
|
$a1 = "netsh firewall add allowedprogram " wide
|
|
$a2 = "SEE_MASK_NOZONECHECKS" wide
|
|
|
|
$b1 = "[TAP]" wide
|
|
$b2 = " & exit" wide
|
|
|
|
$c1 = "md.exe /k ping 0 & del " wide
|
|
$c2 = "cmd.exe /c ping 127.0.0.1 & del" wide
|
|
$c3 = "cmd.exe /c ping" wide
|
|
condition:
|
|
1 of ($a*) and 1 of ($b*) and 1 of ($c*)
|
|
} |