ChChes is a Trojan that appears to be used exclusively by menuPass. It was used to target Japanese organizations in 2016. Its lack of persistence methods suggests it may be intended as a first-stage tool.   
Associated Software: Scorpion, HAYMAKER
Associated Software Descriptions
|HAYMAKER||Based on similarities in reported malware behavior and open source reporting, it is assessed that the malware named HAYMAKER by FireEye is likely the same as the malware ChChes.  |
|Enterprise||T1116||Code Signing||ChChes samples were digitally signed with a certificate originally used by Hacking Team that was later leaked and subsequently revoked.   |
|Enterprise||T1003||Credential Dumping||ChChes steals credentials stored inside Internet Explorer. |
|Enterprise||T1024||Custom Cryptographic Protocol||ChChes can encrypt C2 data with a custom technique using MD5, base64-encoding, and RC4.  |
|Enterprise||T1089||Disabling Security Tools||ChChes can alter the victim's proxy configuration. |
|Enterprise||T1083||File and Directory Discovery||ChChes collects the victim's %TEMP% directory path and version of Internet Explorer. |
|Enterprise||T1036||Masquerading||ChChes copies itself to an .exe file with a filename that is likely intended to imitate Norton Antivirus but has several letters reversed (e.g. notron.exe). |
|Enterprise||T1057||Process Discovery||ChChes collects its process identifier (PID) on the victim. |
|Enterprise||T1060||Registry Run Keys / Startup Folder||ChChes establishes persistence by adding a Registry Run key. |
|Enterprise||T1105||Remote File Copy||ChChes is capable of downloading files, including additional modules.   |
|Enterprise||T1071||Standard Application Layer Protocol||ChChes communicates to its C2 server over HTTP and embeds data within the Cookie HTTP header.  |
|Enterprise||T1032||Standard Cryptographic Protocol||ChChes can encrypt C2 traffic with AES.  |
|Enterprise||T1082||System Information Discovery||ChChes collects the victim hostname, window resolution, and Microsoft Windows version.  |
Groups That Use This Software
- Miller-Osborn, J. and Grunzweig, J.. (2017, February 16). menuPass Returns with New Malware and New Attacks Against Japanese Academics and Organizations. Retrieved March 1, 2017.
- Nakamura, Y.. (2017, February 17). ChChes - Malware that Communicates with C&C Servers Using Cookie Headers. Retrieved March 1, 2017.
- PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017.