win.chaperone

Chaperone

aka: Taj Mahal

According to Kaspersky GReAT and AMR, TajMahal is a previously unknown and technically sophisticated APT framework discovered by Kaspersky Lab in the autumn of 2018. This full-blown spying framework consists of two packages named Tokyo and Yokohama. It includes backdoors, loaders, orchestrators, C2 communicators, audio recorders, keyloggers, screen and webcam grabbers, document and cryptography-key stealers, and even its own file indexer for the victim's machine. Kaspersky found up to 80 malicious modules stored in its encrypted Virtual File System, one of the highest numbers of plugins they have ever seen for an APT toolset.

References
2020-01-24Github (TheEnergyStory)R136a1
Project TajMahal IOCs and Registry Data Decrypter
Chaperone
2019-08-01Kaspersky LabsGReAT
APT trends report Q2 2019
ZooPark magecart POWERSTATS Chaperone COMpfun EternalPetya FinFisher RAT HawkEye Keylogger HOPLIGHT Microcin NjRAT Olympic Destroyer PLEAD RokRAT Triton Zebrocy
2019-04-10Kaspersky LabsAMR, GReAT
Project TajMahal – a sophisticated new APT framework
Chaperone
Yara Rules
[TLP:WHITE] win_chaperone_auto (20230808 | Detects win.chaperone.)
rule win_chaperone_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.chaperone."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.chaperone"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The byte sequences in this rule were selected automatically by
     * YARA-Signator from the disassembly of memory dumps and unpacked files.
     * Code and documentation: https://github.com/fxb-cocacoding/yara-signator
     * Malpedia is the data source, and for a number of families only a single
     * sample is documented, so the rule may generalize poorly to other builds.
     * Keep the generation method in mind when assigning confidence to hits.
     *
     * Reading aid: the sequences are x86-64 code (REX prefixes 0x48/0x49/0x4b/
     * 0x4c, rsp-relative stack frames). The per-instruction decodings below
     * were written by hand for this copy; the auto-generated annotations had
     * drifted out of step with the bytes and decoded REX prefixes as 32-bit
     * `dec eax`. Only the hex patterns are matched; the comments are not.
     * `??` marks a wildcard nibble (relocated displacements / call targets).
     */

    strings:
        // n = 7, score = 100
        //   rep movsb
        //   lea rdi, [rsp + 0x158]
        //   lea rsi, [rip + 0x149d6]
        //   mov ecx, 0x18
        //   rep movsb
        //   mov qword ptr [rsp + 0x150], 0
        //   cmp dword ptr [rsp + 0x290], 0
        $s0 = { f3 a4  48 8d bc 24 58 01 00 00  48 8d 35 d6 49 01 00  b9 18 00 00 00  f3 a4  48 c7 84 24 50 01 00 00 00 00 00 00  83 bc 24 90 02 00 00 00 }

        // n = 7, score = 100
        //   test ecx, ecx
        //   js   +0x2e
        //   cmp  ecx, dword ptr [rip + ????????]
        //   jae  +0x26
        //   movsxd rcx, ecx
        //   lea  rdx, [rip + 0x1caf8]
        //   mov  rax, rcx
        $s1 = { 85 c9  78 2e  3b 0d ?? ?? ?? ??  73 26  48 63 c9  48 8d 15 f8 ca 01 00  48 8b c1 }

        // n = 7, score = 100
        //   jmp  +5
        //   sbb  eax, eax
        //   sbb  eax, -1
        //   test eax, eax
        //   je   +0x175
        //   lea  rdx, [rip + 0x1afae]
        //   lea  rcx, [rsp + 0x4ec]
        $s2 = { eb 05  1b c0  83 d8 ff  85 c0  0f 84 75 01 00 00  48 8d 15 ae af 01 00  48 8d 8c 24 ec 04 00 00 }

        // n = 5, score = 100
        //   lea  rdx, [rsp + 0x2a8]
        //   mov  rcx, qword ptr [rsp + 0x30]
        //   call qword ptr [rip + ????????]
        //   cmp  dword ptr [rsp + 0x2a8], 0x103
        //   je   +0x86
        $s3 = { 48 8d 94 24 a8 02 00 00  48 8b 4c 24 30  ff 15 ?? ?? ?? ??  81 bc 24 a8 02 00 00 03 01 00 00  0f 84 86 00 00 00 }

        // n = 7, score = 100
        //   jne  +0x1f
        //   cmp  dword ptr [rsp + 0x1d0], 2
        //   jne  +0x15
        //   cmp  dword ptr [rsp + 0x1c8], 1
        //   jb   +0xb
        //   mov  dword ptr [rsp + 0x1a8], 5
        //   cmp  dword ptr [rsp + 0x1c4], 6
        $s4 = { 75 1f  83 bc 24 d0 01 00 00 02  75 15  83 bc 24 c8 01 00 00 01  72 0b  c7 84 24 a8 01 00 00 05 00 00 00  83 bc 24 c4 01 00 00 06 }

        // n = 5, score = 100
        //   lea  rdx, [rax + rcx + 0x28c]
        //   mov  rcx, qword ptr [rsp + 0x4938]
        //   call rel32 (????????)
        //   mov  dword ptr [rsp + 0x4944], eax
        //   cmp  dword ptr [rsp + 0x4944], 0
        $s5 = { 48 8d 94 08 8c 02 00 00  48 8b 8c 24 38 49 00 00  e8 ?? ?? ?? ??  89 84 24 44 49 00 00  83 bc 24 44 49 00 00 00 }

        // n = 7, score = 100
        //   call qword ptr [rip + ????????]
        //   mov  qword ptr [rip + ????????], rax
        //   cmp  qword ptr [rip + ????????], 0
        //   jne  +0xb
        //   mov  dword ptr [rsp + 0x1c8], 2
        //   lea  rdx, [rsp + 0x2a0]
        //   mov  rcx, qword ptr [rsp + 0x380]
        $s6 = { ff 15 ?? ?? ?? ??  48 89 05 ?? ?? ?? ??  48 83 3d ?? ?? ?? ?? 00  75 0b  c7 84 24 c8 01 00 00 02 00 00 00  48 8d 94 24 a0 02 00 00  48 8b 8c 24 80 03 00 00 }

        // n = 7, score = 100
        //   movzx eax, word ptr [rdx]
        //   mov  word ptr [rsp + 0xd0], ax
        //   lea  rdx, [rsp + 0x2f0]
        //   lea  rcx, [rsp + 0xd0]
        //   call qword ptr [rip + ????????]
        //   lea  rcx, [rsp + 0xd0]
        //   call qword ptr [rip + ????????]
        $s7 = { 0f b7 02  66 89 84 24 d0 00 00 00  48 8d 94 24 f0 02 00 00  48 8d 8c 24 d0 00 00 00  ff 15 ?? ?? ?? ??  48 8d 8c 24 d0 00 00 00  ff 15 ?? ?? ?? ?? }

        // n = 7, score = 100
        //   call qword ptr [rip + ????????]
        //   mov  dx, 0x5c
        //   lea  rcx, [rsp + 0x40]
        //   call rel32 (????????)
        //   mov  qword ptr [rsp + 0x250], rax
        //   mov  rax, qword ptr [rsp + 0x250]
        //   add  rax, 2
        $s8 = { ff 15 ?? ?? ?? ??  66 ba 5c 00  48 8d 4c 24 40  e8 ?? ?? ?? ??  48 89 84 24 50 02 00 00  48 8b 84 24 50 02 00 00  48 83 c0 02 }

        // n = 7, score = 100
        //   sar  r14, 5
        //   lea  r15, [rip + 0x1cc40]
        //   and  esi, 0x1f
        //   imul rsi, rsi, 0x58
        //   mov  rax, qword ptr [r15 + r14*8]
        //   movsx ecx, byte ptr [rax + rsi + 8]
        //   and  ecx, 1
        $s9 = { 49 c1 fe 05  4c 8d 3d 40 cc 01 00  83 e6 1f  48 6b f6 58  4b 8b 04 f7  0f be 4c 30 08  83 e1 01 }

    condition:
        // Same threshold as the generated rule: any 7 of the 10 sequences,
        // bounded by the file-size cap the generator attached.
        7 of ($s*) and filesize < 373760
}