js.node_rat

NodeRAT

Actor(s): Tick


There is no description at this point.

References
2020-01-17 | JPCERT/CC | Takayoshi Shiigi
"Looking back on the incidents in 2019" (technical report, English)
https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_0_JPCERT_en.pdf (retrieved 2020-04-06)
Families covered: TSCookie, NodeRAT, Emotet, PoshC2, Quasar RAT

2019-11-11 | Virus Bulletin | Shusei Tomonaga, Tomoaki Tani, Hiroshi Soeda, Wataru Takahashi
"APT cases exploiting vulnerabilities in region-specific software" (online, English)
https://www.virusbulletin.com/virusbulletin/2020/05/vb2019-paper-apt-cases-exploiting-vulnerabilities-regionspecific-software/ (retrieved 2020-05-13)
Families covered: NodeRAT, Emdivi, PlugX

2019-02-19 | JPCERT/CC | Shusei Tomonaga
"攻撃グループTickによる日本の組織をターゲットにした攻撃活動" [Attack activity by the attack group Tick targeting Japanese organizations] (online, Japanese)
https://blogs.jpcert.or.jp/ja/2019/02/tick-activity.html (retrieved 2020-04-01)
Families covered: NodeRAT
Yara Rules
[TLP:WHITE] js_node_rat_w0 (20200406 | detect Noderat in memory)
rule js_node_rat_w0 {
    meta:
        description = "detect Noderat in memory"
        author = "JPCERT/CC Incident Response Group"
        rule_usage = "memory scan"
        reference = "https://blogs.jpcert.or.jp/ja/2019/02/tick-activity.html"
        source = "https://github.com/JPCERTCC/MalConfScan/blob/65159d9a558dfba3ca3faece2592a71cb51f1edc/yara/rule.yara#L427"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/js.node_rat"
        malpedia_version = "20200406"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    strings:
        // Config and key file paths referenced by the implant
        $config = "/config/app.json"
        $key = "/config/.regeditKey.rc"
        // Error message string (readFileSync is the Node.js fs API)
        $message = "uninstall error when readFileSync: "

    condition:
        // Intended for memory scans: all three plaintext strings must be present
        all of them
}