The sub-techniques beta is now live! Read the release blog post for more info.


ChChes is a Trojan that appears to be used exclusively by menuPass. It was used to target Japanese organizations in 2016. Its lack of persistence methods suggests it may be intended as a first-stage tool. [1] [2] [3]

ID: S0144
Associated Software: Scorpion, HAYMAKER
Platforms: Windows
Version: 1.0
Created: 31 May 2017
Last Modified: 17 October 2018

Associated Software Descriptions

Name Description
Scorpion [3]
HAYMAKER Based on similarities in reported malware behavior and open source reporting, it is assessed that the malware named HAYMAKER by FireEye is likely the same as the malware ChChes. [4] [5]

Techniques Used

Domain ID Name Use
Enterprise T1116 Code Signing

ChChes samples were digitally signed with a certificate originally used by Hacking Team that was later leaked and subsequently revoked.[1][2][3]

Enterprise T1003 Credential Dumping

ChChes steals credentials stored inside Internet Explorer.[3]

Enterprise T1024 Custom Cryptographic Protocol

ChChes can encrypt C2 data with a custom technique using MD5, base64-encoding, and RC4.[1][2]

Enterprise T1089 Disabling Security Tools

ChChes can alter the victim's proxy configuration.[3]

Enterprise T1083 File and Directory Discovery

ChChes collects the victim's %TEMP% directory path and version of Internet Explorer.[4]

Enterprise T1036 Masquerading

ChChes copies itself to an .exe file with a filename that is likely intended to imitate Norton Antivirus but has several letters reversed (e.g. notron.exe).[3]

Enterprise T1057 Process Discovery

ChChes collects its process identifier (PID) on the victim.[1]

Enterprise T1060 Registry Run Keys / Startup Folder

ChChes establishes persistence by adding a Registry Run key.[3]

Enterprise T1105 Remote File Copy

ChChes is capable of downloading files, including additional modules.[1][2][4]

Enterprise T1071 Standard Application Layer Protocol

ChChes communicates to its C2 server over HTTP and embeds data within the Cookie HTTP header.[1][2]

Enterprise T1032 Standard Cryptographic Protocol

ChChes can encrypt C2 traffic with AES.[1][2]

Enterprise T1082 System Information Discovery

ChChes collects the victim hostname, window resolution, and Microsoft Windows version.[1][3]

Groups That Use This Software

ID Name References
G0045 menuPass [3]