win.chaperone (Back to overview)

Chaperone

aka: Taj Mahal

According to Kaspersky GReAT and AMR, TajMahal is a previously unknown and technically sophisticated APT framework discovered by Kaspersky Lab in the autumn of 2018. This full-blown spying framework consists of two packages named Tokyo and Yokohama. It includes backdoors, loaders, orchestrators, C2 communicators, audio recorders, keyloggers, screen and webcam grabbers, document and cryptography-key stealers, and even its own file indexer for the victim's machine. Kaspersky discovered up to 80 malicious modules stored in its encrypted Virtual File System, one of the highest numbers of plugins they have ever seen for an APT toolset.

References
2020-01-24 | Github (TheEnergyStory) | R136a1
Project TajMahal IOCs and Registry Data Decrypter
Chaperone
2019-08-01 | Kaspersky Labs | GReAT
APT trends report Q2 2019
ZooPark magecart POWERSTATS Chaperone COMpfun EternalPetya FinFisher RAT HawkEye Keylogger HOPLIGHT Microcin NjRAT Olympic Destroyer PLEAD RokRAT Triton Zebrocy
2019-04-10 | Kaspersky Labs | AMR, GReAT
Project TajMahal – a sophisticated new APT framework
Chaperone
Yara Rules
[TLP:WHITE] win_chaperone_auto (20260504 | Detects win.chaperone.)
rule win_chaperone_auto {

    /* Reviewer note on the per-byte annotations below: the auto-generated
     * comments shipped with this rule were 32-bit decodes that did not line up
     * with the hex sequences they sat next to (e.g. f3a4 is `rep movsb`, not
     * `add ecx, 5`; 0f85.. is a `jne`, not a `mov`). The REX prefixes
     * (48/49/4c/44/45) show the sequences are x86-64 code, so each line is now
     * annotated with an x86-64 decode of the listed bytes. `????????` wildcards
     * stand for the rel32/disp32 of call targets, which vary per sample and
     * load address and are therefore not matched.
     */

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.chaperone."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.chaperone"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Copies 0x2a (42) bytes from a rip-relative constant into a stack
        // buffer at rsp+0x528 via rep movsb, then passes that buffer in rcx to
        // a call — reads like an inlined memcpy of a fixed blob; confirm in IDA.
        $sequence_0 = { 0f8557010000 488dbc2428050000 488d35aca90100 b92a000000 f3a4 488d8c2428050000 e8???????? }
            // n = 7, score = 100
            //   0f8557010000         | jne                 +0x157
            //   488dbc2428050000     | lea                 rdi, [rsp + 0x528]
            //   488d35aca90100       | lea                 rsi, [rip + 0x1a9ac]
            //   b92a000000           | mov                 ecx, 0x2a
            //   f3a4                 | rep movsb
            //   488d8c2428050000     | lea                 rcx, [rsp + 0x528]
            //   e8????????           | call                <rel32 wildcarded>

        // Three-argument indirect call (rcx, rdx, r8) through an import slot.
        $sequence_1 = { 488d1591c80000 448bc7 8bcf ff15???????? }
            // n = 4, score = 100
            //   488d1591c80000       | lea                 rdx, [rip + 0xc891]
            //   448bc7               | mov                 r8d, edi
            //   8bcf                 | mov                 ecx, edi
            //   ff15????????         | call                qword ptr [rip + <disp32 wildcarded>]

        // NOTE(review): the trailing `mov rcx, [rsp+0x158]; xor rcx, rsp` looks
        // like an MSVC stack-cookie (/GS) epilogue, which is compiler boilerplate
        // rather than family-specific code — confirm; on its own this sequence
        // would be weak evidence, which the 7-of-10 condition mitigates.
        $sequence_2 = { e8???????? 4863942440010000 4c8d442430 488b4c2420 e8???????? 488b8c2458010000 4833cc }
            // n = 7, score = 100
            //   e8????????           | call                <rel32 wildcarded>
            //   4863942440010000     | movsxd              rdx, dword ptr [rsp + 0x140]
            //   4c8d442430           | lea                 r8, [rsp + 0x30]
            //   488b4c2420           | mov                 rcx, qword ptr [rsp + 0x20]
            //   e8????????           | call                <rel32 wildcarded>
            //   488b8c2458010000     | mov                 rcx, qword ptr [rsp + 0x158]
            //   4833cc               | xor                 rcx, rsp

        // Compares a qword at rdi-0x10 against a rip-relative address (the
        // operands suggest a vtable/sentinel check; unverified).
        $sequence_3 = { 488d7b58 be06000000 488d05d5bd0100 483947f0 }
            // n = 4, score = 100
            //   488d7b58             | lea                 rdi, [rbx + 0x58]
            //   be06000000           | mov                 esi, 6
            //   488d05d5bd0100       | lea                 rax, [rip + 0x1bdd5]
            //   483947f0             | cmp                 qword ptr [rdi - 0x10], rax

        // Indirect call with ecx = 0x400, edx = 0, r8d = a saved dword, then a
        // NULL check of the returned qword.
        $sequence_4 = { 89442424 448b442424 33d2 b900040000 ff15???????? 4889442470 48837c247000 }
            // n = 7, score = 100
            //   89442424             | mov                 dword ptr [rsp + 0x24], eax
            //   448b442424           | mov                 r8d, dword ptr [rsp + 0x24]
            //   33d2                 | xor                 edx, edx
            //   b900040000           | mov                 ecx, 0x400
            //   ff15????????         | call                qword ptr [rip + <disp32 wildcarded>]
            //   4889442470           | mov                 qword ptr [rsp + 0x70], rax
            //   48837c247000         | cmp                 qword ptr [rsp + 0x70], 0

        // Two stack-local checks (== 0 and == 0x1f) guarding a branch.
        $sequence_5 = { 837c243000 740a 83bc24a00700001f 7545 488d442434 4889442428 8b8424a0070000 }
            // n = 7, score = 100
            //   837c243000           | cmp                 dword ptr [rsp + 0x30], 0
            //   740a                 | je                  +0xa
            //   83bc24a00700001f     | cmp                 dword ptr [rsp + 0x7a0], 0x1f
            //   7545                 | jne                 +0x45
            //   488d442434           | lea                 rax, [rsp + 0x34]
            //   4889442428           | mov                 qword ptr [rsp + 0x28], rax
            //   8b8424a0070000       | mov                 eax, dword ptr [rsp + 0x7a0]

        $sequence_6 = { 48898424c0020000 837c243400 746b 4c8b842490000000 8b542434 488b8c24c0020000 e8???????? }
            // n = 7, score = 100
            //   48898424c0020000     | mov                 qword ptr [rsp + 0x2c0], rax
            //   837c243400           | cmp                 dword ptr [rsp + 0x34], 0
            //   746b                 | je                  +0x6b
            //   4c8b842490000000     | mov                 r8, qword ptr [rsp + 0x90]
            //   8b542434             | mov                 edx, dword ptr [rsp + 0x34]
            //   488b8c24c0020000     | mov                 rcx, qword ptr [rsp + 0x2c0]
            //   e8????????           | call                <rel32 wildcarded>

        // Same large stack buffer (rsp+0x44b0) passed to two consecutive calls,
        // with a NULL check on the first result.
        $sequence_7 = { 488d8c24b0440000 e8???????? 4885c0 0f8441030000 488d8c24b0440000 e8???????? }
            // n = 6, score = 100
            //   488d8c24b0440000     | lea                 rcx, [rsp + 0x44b0]
            //   e8????????           | call                <rel32 wildcarded>
            //   4885c0               | test                rax, rax
            //   0f8441030000         | je                  +0x341
            //   488d8c24b0440000     | lea                 rcx, [rsp + 0x44b0]
            //   e8????????           | call                <rel32 wildcarded>

        // Call with all three register args zeroed, then argument set-up for the
        // next call (rcx = rdi, rdx = r13, r8 = rip-relative data).
        $sequence_8 = { 4533c0 33d2 33c9 e8???????? 4c8d050c0a0100 498bd5 488bcf }
            // n = 7, score = 100
            //   4533c0               | xor                 r8d, r8d
            //   33d2                 | xor                 edx, edx
            //   33c9                 | xor                 ecx, ecx
            //   e8????????           | call                <rel32 wildcarded>
            //   4c8d050c0a0100       | lea                 r8, [rip + 0x10a0c]
            //   498bd5               | mov                 rdx, r13
            //   488bcf               | mov                 rcx, rdi

        // Shuffling of qwords between stack slots (argument staging); no
        // control flow, so this is the least specific of the ten sequences.
        $sequence_9 = { 4889442450 488b8424a8000000 4889442448 488b8424a0000000 4889442440 }
            // n = 5, score = 100
            //   4889442450           | mov                 qword ptr [rsp + 0x50], rax
            //   488b8424a8000000     | mov                 rax, qword ptr [rsp + 0xa8]
            //   4889442448           | mov                 qword ptr [rsp + 0x48], rax
            //   488b8424a0000000     | mov                 rax, qword ptr [rsp + 0xa0]
            //   4889442440           | mov                 qword ptr [rsp + 0x40], rax

    condition:
        // Any 7 of the 10 byte sequences must be present. `filesize` is the size
        // of the scanned object, so a packed sample (sequences not in the clear)
        // or a dump/file at or above 373760 bytes will not match even if the
        // code is present — scan unpacked files or individual memory regions,
        // per the disclaimer above.
        7 of them and filesize < 373760
}