js.node_rat

NodeRAT

Actor(s): Tick


There is no description at this point.

References
2020-01-17 | JPCERT/CC | Takayoshi Shiigi
Looking back on the incidents in 2019
TSCookie NodeRAT Emotet PoshC2 Quasar RAT
2019-11-11 | Virus Bulletin | Hiroshi Soeda, Shusei Tomonaga, Tomoaki Tani, Wataru Takahashi
APT cases exploiting vulnerabilities in region‑specific software
NodeRAT Emdivi PlugX
2019-02-19 | JPCERT/CC | Shusei Tomonaga
Attack activities by the attack group Tick targeting Japanese organizations
NodeRAT
Yara Rules
[TLP:WHITE] js_node_rat_w0 (20200406 | detect Noderat in memory)
rule js_node_rat_w0 {
    meta:
        description = "detect Noderat in memory"
        author = "JPCERT/CC Incident Response Group"
        rule_usage = "memory scan"
        reference = "https://blogs.jpcert.or.jp/ja/2019/02/tick-activity.html"
        source = "https://github.com/JPCERTCC/MalConfScan/blob/65159d9a558dfba3ca3faece2592a71cb51f1edc/yara/rule.yara#L427"

        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/js.node_rat"
        malpedia_version = "20200406"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        $config = "/config/app.json"
        $key = "/config/.regeditKey.rc"
        $message = "uninstall error when readFileSync: "

    condition:
        all of them
}