Update Njrat.yar

malware/Njrat.yar

@@ -33,3 +33,23 @@ rule Njrat
     condition:
         10 of them
 }
+rule njrat1
+{
+    meta:
+        author = "Brian Wallace @botnet_hunter"
+        author_email = "bwall@ballastsecurity.net"
+        date = "2015-05-27"
+        description = "Identify njRat"
+    strings:
+        $a1 = "netsh firewall add allowedprogram " wide
+        $a2 = "SEE_MASK_NOZONECHECKS" wide
+
+        $b1 = "[TAP]" wide
+        $b2 = " & exit" wide
+
+        $c1 = "md.exe /k ping 0 & del " wide
+        $c2 = "cmd.exe /c ping 127.0.0.1 & del" wide
+        $c3 = "cmd.exe /c ping" wide
+    condition:
+        1 of ($a*) and 1 of ($b*) and 1 of ($c*)
+}