ChChes is a Trojan that appears to be used exclusively by menuPass. It was used to target Japanese organizations in 2016. Its lack of persistence methods suggests it may be intended as a first-stage tool.   
Associated Software: Scorpion, HAYMAKER
Associated Software Descriptions
| Name | Description |
|---|---|
| HAYMAKER | Based on similarities in reported malware behavior and open source reporting, it is assessed that the malware named HAYMAKER by FireEye is likely the same as the malware ChChes. |

| Domain | ID | Name |
|---|---|---|
| Enterprise | T1024 | Custom Cryptographic Protocol |
| Enterprise | T1089 | Disabling Security Tools |
| Enterprise | T1083 | File and Directory Discovery |
| Enterprise | T1060 | Registry Run Keys / Startup Folder |
| Enterprise | T1105 | Remote File Copy |
| Enterprise | T1071 | Standard Application Layer Protocol |
| Enterprise | T1032 | Standard Cryptographic Protocol |
| Enterprise | T1082 | System Information Discovery |
Groups That Use This Software
- Miller-Osborn, J. and Grunzweig, J. (2017, February 16). menuPass Returns with New Malware and New Attacks Against Japanese Academics and Organizations. Retrieved March 1, 2017.
- Nakamura, Y. (2017, February 17). ChChes - Malware that Communicates with C&C Servers Using Cookie Headers. Retrieved March 1, 2017.
- PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017.