TajMahal

TajMahal is a multifunctional spying framework that has been in use since at least 2014. TajMahal consists of two separate packages, named Tokyo and Yokohama, and can deploy up to 80 plugins.[1]

ID: S0467
Type: MALWARE
Platforms: Windows
Version: 1.0
Created: 08 June 2020
Last Modified: 15 June 2020

Techniques Used

Domain ID Name Use
Enterprise T1025 Data from Removable Media

TajMahal has the ability to steal written CD images and files of interest from previously connected removable drives when they become available again.[1]

Enterprise T1005 Data from Local System

TajMahal has the ability to steal documents from the local system including the print spooler queue.[1]

Enterprise T1112 Modify Registry

TajMahal can set the KeepPrintedJobs attribute for configured printers in SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Printers to enable document stealing.[1]
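The two print-spooler entries above (document theft from the spooler queue, and the KeepPrintedJobs attribute change that enables it) describe a technique that is easy to audit. The following is an added example for defenders, not code from the ATT&CK page or from the TajMahal report: it walks the printer registry key named above, decodes the Attributes bitmask (the 0x100 bit is PRINTER_ATTRIBUTE_KEEPPRINTEDJOBS in winspool.h), cross-checks against what the spooler itself reports, and lists any retained .SPL spool files in the default spool directory. The function name and the default spool path are this example's own assumptions.

```powershell
# Added example (not from the ATT&CK page or the TajMahal report): audit local printers for
# the KeepPrintedJobs attribute, which makes the print spooler keep finished jobs on disk.
# Requires an elevated session for the registry read and for the remediation command.

$KEEPPRINTEDJOBS = 0x100   # PRINTER_ATTRIBUTE_KEEPPRINTEDJOBS from winspool.h
$PrintersKey     = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Printers'
$DefaultSpoolDir = Join-Path $env:SystemRoot 'System32\spool\PRINTERS'   # assumed default location

# Hypothetical helper name; returns one object per configured printer with the flag decoded.
function Get-KeepPrintedJobsAudit {
    [CmdletBinding()]
    param([string]$Path = $PrintersKey)

    Get-ChildItem -Path $Path -ErrorAction Stop | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        $attrs = [int]$props.Attributes          # $null becomes 0 if the value is missing
        [pscustomobject]@{
            Printer         = $_.PSChildName
            Attributes      = ('0x{0:X8}' -f $attrs)
            KeepPrintedJobs = [bool]($attrs -band $KEEPPRINTEDJOBS)
            SpoolDirectory  = $props.SpoolDirectory   # per-printer override, usually empty
        }
    }
}

# 1. Registry view: printers whose Attributes value has the retain-jobs bit set.
$flagged = Get-KeepPrintedJobsAudit | Where-Object KeepPrintedJobs
$flagged | Format-Table -AutoSize

# 2. Spooler view: Get-Printer exposes the same flag as a boolean. A mismatch between the two
#    views (registry says retain, spooler says not) means the key was edited behind the spooler's
#    back and the service has not re-read it yet, which is itself worth a closer look.
Get-Printer | Where-Object KeepPrintedJobs | Select-Object Name, KeepPrintedJobs, PrinterStatus

# 3. Retained jobs leave .SPL (data) and .SHD (shadow/job metadata) pairs behind. Anything older
#    than a few minutes in the spool directory is unusual on a printer that does not retain jobs.
if (Test-Path $DefaultSpoolDir) {
    Get-ChildItem -Path $DefaultSpoolDir -Include *.SPL, *.SHD -Recurse -ErrorAction SilentlyContinue |
        Sort-Object LastWriteTime |
        Select-Object Name, Length, LastWriteTime
}

# 4. Remediation for a printer that should not keep finished jobs (run as administrator):
#    $flagged | ForEach-Object { Set-Printer -Name $_.Printer -KeepPrintedJobs:$false }
```

The registry walk and the Get-Printer check intentionally overlap: an attacker who sets the bit directly in the registry (as this page describes) rather than through the spooler API can leave the two views briefly inconsistent, and a change to the Attributes value under this key is a reasonable thing to alert on with registry auditing or a Sysmon RegistryEvent rule, since legitimate changes to it are rare.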

Enterprise T1129 Shared Modules

TajMahal has the ability to inject the LoadLibrary call template DLL into running processes.[1]

Enterprise T1115 Clipboard Data

TajMahal has the ability to steal data from the clipboard of an infected host.[1]

Enterprise T1120 Peripheral Device Discovery

TajMahal has the ability to identify connected Apple devices.[1]

Enterprise T1113 Screen Capture

TajMahal has the ability to take screenshots on an infected host including capturing content from windows of instant messaging applications.[1]

Enterprise T1560 .002 Archive Collected Data: Archive via Library

TajMahal has the ability to use the open source libraries XZip/Xunzip and zlib to compress files.[1]

Enterprise T1083 File and Directory Discovery

TajMahal has the ability to index files from drives, user profiles, and removable drives.[1]

Enterprise T1027 Obfuscated Files or Information

TajMahal has used an encrypted Virtual File System to store plugins.[1]

Enterprise T1539 Steal Web Session Cookie

TajMahal has the ability to steal web session cookies from Internet Explorer, Netscape Navigator, Firefox and RealNetworks applications.[1]

Enterprise T1082 System Information Discovery

TajMahal has the ability to identify hardware information, the computer name, and OS information on an infected host.[1]

Enterprise T1124 System Time Discovery

TajMahal has the ability to determine local time on a compromised host.[1]

Enterprise T1016 System Network Configuration Discovery

TajMahal has the ability to identify the MAC address on an infected host.[1]

Enterprise T1119 Automated Collection

TajMahal has the ability to index and compress files into a send queue for exfiltration.[1]

Enterprise T1020 Automated Exfiltration

TajMahal has the ability to manage an automated queue of egress files and commands sent to its C2.[1]

Enterprise T1125 Video Capture

TajMahal has the ability to capture webcam video.[1]

Enterprise T1518 Software Discovery

TajMahal has the ability to identify the Internet Explorer (IE) version on an infected host.[1]

Enterprise T1518 .001 Software Discovery: Security Software Discovery

TajMahal has the ability to identify which anti-virus products, firewalls, and anti-spyware products are in use.[1]

Enterprise T1056 .001 Input Capture: Keylogging

TajMahal has the ability to capture keystrokes on an infected host.[1]

Enterprise T1057 Process Discovery

TajMahal has the ability to identify running processes and associated plugins on an infected host.[1]

Enterprise T1055 .001 Process Injection: Dynamic-link Library Injection

TajMahal has the ability to inject DLLs for malicious plugins into running processes.[1]

Enterprise T1041 Exfiltration Over C2 Channel

TajMahal has the ability to send collected files over its C2.[1]

Enterprise T1123 Audio Capture

TajMahal has the ability to capture VoIP application audio on an infected host.[1]

References