win.chaperone (Back to overview)

Chaperone

aka: Taj Mahal

According to Kaspersky GReAT and AMR, TajMahal is a previously unknown and technically sophisticated APT framework discovered by Kaspersky Lab in the autumn of 2018. This full-blown spying framework consists of two packages, named Tokyo and Yokohama. It includes backdoors, loaders, orchestrators, C2 communicators, audio recorders, keyloggers, screen and webcam grabbers, document and cryptographic-key stealers, and even its own file indexer for the victim’s machine. Kaspersky discovered up to 80 malicious modules stored in its encrypted Virtual File System, one of the highest numbers of plugins the researchers have ever seen for an APT toolset.

References
2020-01-24Github (TheEnergyStory)R136a1
@online{r136a1:20200124:project:668d490, author = {R136a1}, title = {{Project TajMahal IOCs and Registry Data Decrypter}}, date = {2020-01-24}, organization = {Github (TheEnergyStory)}, url = {https://github.com/TheEnergyStory/malware_analysis/tree/master/TajMahal}, language = {English}, urldate = {2020-01-27} } Project TajMahal IOCs and Registry Data Decrypter
Chaperone
2019-08-01Kaspersky LabsGReAT
@online{great:20190801:trends:5e25d5b, author = {GReAT}, title = {{APT trends report Q2 2019}}, date = {2019-08-01}, organization = {Kaspersky Labs}, url = {https://securelist.com/apt-trends-report-q2-2019/91897/}, language = {English}, urldate = {2020-08-13} } APT trends report Q2 2019
ZooPark magecart POWERSTATS Chaperone COMpfun EternalPetya FinFisher RAT HawkEye Keylogger HOPLIGHT Microcin NjRAT Olympic Destroyer PLEAD RokRAT Triton Zebrocy
2019-04-10Kaspersky LabsAMR, GReAT
@online{amr:20190410:project:460b6e5, author = {AMR and GReAT}, title = {{Project TajMahal – a sophisticated new APT framework}}, date = {2019-04-10}, organization = {Kaspersky Labs}, url = {https://securelist.com/project-tajmahal/90240/}, language = {English}, urldate = {2019-12-20} } Project TajMahal – a sophisticated new APT framework
Chaperone
Yara Rules
[TLP:WHITE] win_chaperone_auto (20230715 | Detects win.chaperone.)
rule win_chaperone_auto {

    // Auto-generated (yara-signator) signature for the Chaperone / TajMahal
    // family. Detection is purely byte-pattern based: ten code-byte sequences
    // ($sequence_0 .. $sequence_9) taken from disassembly of memory dumps and
    // unpacked samples, of which at least seven must be present in a file
    // below the size bound stated in the condition.
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.chaperone."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.chaperone"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* NOTE(review): the "| mnemonic" annotation column below does not
     * correspond to the bytes on the same line (e.g. 0x48 is an x64 REX.W
     * prefix but is rendered as the 32-bit instruction `dec eax`), so treat
     * the hex sequences as authoritative and the annotations as unreliable.
     * Bytes written as `??` are YARA wildcards (any byte matches there);
     * they evidently stand in for address- or relocation-dependent operands,
     * e.g. the displacement following the `e8` / `ff15` call opcodes.
     */
    strings:
        $sequence_0 = { 488b8424a0050000 488914c8 488b8424b8050000 8b00 83e801 4898 488d542430 }
            // n = 7, score = 100
            //   488b8424a0050000     | dec                 eax
            //   488914c8             | mov                 eax, dword ptr [esp + 0x40]
            //   488b8424b8050000     | dec                 eax
            //   8b00                 | mov                 dword ptr [eax + 0x240], 0
            //   83e801               | dec                 eax
            //   4898                 | mov                 eax, dword ptr [esp + 0x40]
            //   488d542430           | mov                 dword ptr [eax + 8], 0xffffffff

        $sequence_1 = { 488d542440 488b8c2498070000 e8???????? 488d542440 488d8c24a0020000 ff15???????? 66ba5c00 }
            // n = 7, score = 100
            //   488d542440           | mov                 edx, dword ptr [esp + 0xb0]
            //   488b8c2498070000     | dec                 eax
            //   e8????????           |                     
            //   488d542440           | mov                 eax, dword ptr [esp + 0xa0]
            //   488d8c24a0020000     | mov                 ecx, dword ptr [eax + ecx]
            //   ff15????????         |                     
            //   66ba5c00             | jne                 0xa38

        $sequence_2 = { e8???????? 85c0 742d 488d0567a70100 4883c310 }
            // n = 5, score = 100
            //   e8????????           |                     
            //   85c0                 | dec                 eax
            //   742d                 | mov                 edx, eax
            //   488d0567a70100       | dec                 eax
            //   4883c310             | mov                 eax, dword ptr [esp + 0x5b8]

        $sequence_3 = { ff15???????? 85c0 750a c744243001000000 eb02 eb9e 837c243000 }
            // n = 7, score = 100
            //   ff15????????         |                     
            //   85c0                 | inc                 ebp
            //   750a                 | xor                 ecx, ecx
            //   c744243001000000     | inc                 ecx
            //   eb02                 | mov                 eax, 1
            //   eb9e                 | mov                 edx, 0x80000000
            //   837c243000           | dec                 eax

        $sequence_4 = { e8???????? 488d7c2428 488d35eb9a0000 b91e000000 f3a4 }
            // n = 5, score = 100
            //   e8????????           |                     
            //   488d7c2428           | mov                 ecx, dword ptr [esp + ecx*8 + 0x240]
            //   488d35eb9a0000       | dec                 eax
            //   b91e000000           | lea                 edx, [esp + 0x30]
            //   f3a4                 | dec                 eax

        $sequence_5 = { b92e000000 f3a4 488dbc2488020000 488d35f8c40100 b926000000 f3a4 }
            // n = 6, score = 100
            //   b92e000000           | lea                 ecx, [0x1e610]
            //   f3a4                 | inc                 ebp
            //   488dbc2488020000     | xor                 eax, eax
            //   488d35f8c40100       | xor                 edx, edx
            //   b926000000           | xor                 ecx, ecx
            //   f3a4                 | dec                 eax

        $sequence_6 = { c6442457d0 c644245820 c644245902 c644245a15 }
            // n = 4, score = 100
            //   c6442457d0           | dec                 eax
            //   c644245820           | lea                 ecx, [esp + 0x2a0]
            //   c644245902           | mov                 dword ptr [esp + 0x74c], 0
            //   c644245a15           | dec                 eax

        $sequence_7 = { e8???????? c744242000000000 eb0b 8b442420 83c001 89442420 }
            // n = 6, score = 100
            //   e8????????           |                     
            //   c744242000000000     | lea                 eax, [0x17b9c]
            //   eb0b                 | dec                 eax
            //   8b442420             | sub                 esp, 0x20
            //   83c001               | dec                 eax
            //   89442420             | mov                 ebx, ecx

        $sequence_8 = { 488b8c24a0010000 ff15???????? 488905???????? 488d942480020000 488b8c24a0010000 ff15???????? 488905???????? }
            // n = 7, score = 100
            //   488b8c24a0010000     | dec                 esp
            //   ff15????????         |                     
            //   488905????????       |                     
            //   488d942480020000     | mov                 eax, dword ptr [esp + 0xe0]
            //   488b8c24a0010000     | dec                 esp
            //   ff15????????         |                     
            //   488905????????       |                     

        $sequence_9 = { 83bc247002000000 7419 488b542430 4881c238020000 488b4c2420 ff15???????? }
            // n = 6, score = 100
            //   83bc247002000000     | je                  0x116
            //   7419                 | dec                 eax
            //   488b542430           | lea                 ecx, [esp + 0x68]
            //   4881c238020000       | cmp                 eax, dword ptr [esp + 0x2d8]
            //   488b4c2420           | jb                  0x106
            //   ff15????????         |                     

    condition:
        // Match when any 7 of the 10 sequences above are present AND the
        // scanned object is smaller than 373760 bytes (365 KiB). The size
        // bound reflects the sample set the rule was generated from (see the
        // disclaimer): larger builds, padded files or full process dumps may
        // exceed it and go undetected even when the byte sequences are
        // present. Note also that `filesize` is only meaningful when scanning
        // a file; confirm behaviour for process-memory scans before relying
        // on this rule there, and do not treat a non-match as negative evidence.
        7 of them and filesize < 373760
}