{
	"id": "540708ea-bd56-4a68-9832-ff98aedb9fdb",
	"created_at": "2026-04-06T00:21:40.371743Z",
	"updated_at": "2026-04-10T13:12:01.341557Z",
	"deleted_at": null,
	"sha1_hash": "04ac2fb40ee713a77974d99880b0be850ab91d44",
	"title": "malware_analysis/TajMahal at master · TheEnergyStory/malware_analysis",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 53160,
	"plain_text": "malware_analysis/TajMahal at master ·\r\nTheEnergyStory/malware_analysis\r\nBy TheEnergyStory\r\nArchived: 2026-04-05 21:08:16 UTC\r\nProject TajMahal IOCs and Registry Data Decrypter\r\nLast year in April, Kaspersky released an article about a new complex malware framework dubbed TajMahal:\r\nhttps://securelist.com/project-tajmahal/90240/\r\nLater the same year, one of the samples listed in the Kaspersky report was uploaded to VirusTotal:\r\nhttps://www.virustotal.com/gui/file/0b74fc2594b25987841a7897aff323f4165519e6c26d679256cb0d282a6f0147/\r\nThe sample is a .NET assembly with obfuscated strings but self-explanatory code after decompilation (dnSpy or ILSpy). As the names of the namespace and classes imply, the sample's main purpose is to manage the Windows service persistence.\r\nThis repository contains the decompiled code with decoded strings (I left the deobfuscation method in the code), extracted IOCs and a registry config data decrypter.\r\nDecompiled and Deobfuscated code\r\nAfter decompilation and string decoding we have perfectly readable C# code. 
See: Chaperone\r\nIOCs\r\nType | Details\r\nScheduled task with name | MaintenancePolicy\r\nRegistry values | Key: HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AdaptiveDisplayBrightness\r\nValue: seg0 (unknown content)\r\nValue: seg4 (contains encrypted service config data)\r\nCode oddities\r\nThe code contains two errors in the Tools class; I am not sure whether they are caused by the decompilation engine or are actual coding errors.\r\nhttps://github.com/TheEnergyStory/malware_analysis/tree/master/TajMahal\n\n1) While the Enum registry key path is built for the Windows service (text2), the code uses the previously created registry path of the service itself (text) to set the values:\r\ntext2 = @\"SYSTEM\\CurrentControlSet\\Services\\\";\r\ntext2 += this.regdata.srvName;\r\ntext2 += @\"\\Enum\";\r\nusing (RegistryKey registryKey3 = Registry.LocalMachine.CreateSubKey(text))\r\n{\r\nregistryKey3.SetValue(\"0\", @\"Root\\LEGACY_SRVC\\0000\", RegistryValueKind.String);\r\nregistryKey3.SetValue(\"Count\", 1, RegistryValueKind.DWord);\r\nregistryKey3.SetValue(\"NextInstance\", 1, RegistryValueKind.DWord);\r\nregistryKey3.Close();\r\n}\r\n2) There is a method named DeleteTask which uses Security as the file name of the program it runs to delete a scheduled task. Maybe there is a custom executable named Security.exe in the same directory with such functionality, but judging by the arguments used it is more likely that the author wanted to use schtasks.exe.\r\npublic int DeleteTask()\r\n{\r\nthis.RunProgram(\"Security\", @\"/Delete /TN \\Microsoft\\Windows\\Maintenance\\MaintenancePolicy /F\", true);\r\nreturn 0;\r\n}\r\npublic int RunProgram(string exe, string cmd, bool waitfor)\r\n{\r\nProcess process = new Process();\r\nprocess.StartInfo.FileName = exe;\r\nRegistry config data decrypter\r\nThe sample tries to get RC4-encrypted data from a registry key (see IOCs) and uses that data for the service set-up.\r\nI have coded a config data decrypter for those who are infected. 
See: tajmahal_regdata_decrypter.py\r\nConfig data description:\r\nData | Explanation\r\nDisplayName | Persistence service display name value under \"SYSTEM\\CurrentControlSet\\Services\u003cName\u003e\"\r\nDescription | Persistence service description value under \"SYSTEM\\CurrentControlSet\\Services\u003cName\u003e\"\r\nName | Persistence service name key under \"SYSTEM\\CurrentControlSet\\Services\"\r\nentryPoint | Name in \"ServiceMain\" under \"SYSTEM\\CurrentControlSet\\Services\u003cName\u003e\\Parameters\" which describes the service DLL's entry point (export function name)\r\nsrvPath | Unknown, likely service DLL path\r\nmarkerPath | Unknown, likely infection validation file\r\ntask_name | Unknown, likely scheduled task name\r\nttl | Date of self-destruction\r\nSource: https://github.com/TheEnergyStory/malware_analysis/tree/master/TajMahal",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://github.com/TheEnergyStory/malware_analysis/tree/master/TajMahal"
	],
	"report_names": [
		"TajMahal"
	],
	"threat_actors": [],
	"ts_created_at": 1775434900,
	"ts_updated_at": 1775826721,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/04ac2fb40ee713a77974d99880b0be850ab91d44.pdf",
		"text": "https://archive.orkl.eu/04ac2fb40ee713a77974d99880b0be850ab91d44.txt",
		"img": "https://archive.orkl.eu/04ac2fb40ee713a77974d99880b0be850ab91d44.jpg"
	}
}