ChChes is a Trojan that appears to be used exclusively by menuPass. It was used to target Japanese organizations in 2016. Its lack of persistence methods suggests it may be intended as a first-stage tool. [1] [2] [3]

ID: S0144
Associated Software: Scorpion, HAYMAKER
Platforms: Windows
Version: 1.1
Created: 31 May 2017
Last Modified: 30 March 2020

Associated Software Descriptions

Name Description
Scorpion [3]
HAYMAKER Based on similarities in reported malware behavior and open source reporting, it is assessed that the malware named HAYMAKER by FireEye is likely the same as the malware ChChes. [4] [5]

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

ChChes communicates to its C2 server over HTTP and embeds data within the Cookie HTTP header.[1][2]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

ChChes establishes persistence by adding a Registry Run key.[3]

Enterprise T1555 .003 Credentials from Password Stores: Credentials from Web Browsers

ChChes steals credentials stored inside Internet Explorer.[3]

Enterprise T1132 .001 Data Encoding: Standard Encoding

ChChes can encode C2 data with a custom technique that utilizes Base64.[1][2]

Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

ChChes can encrypt C2 traffic with AES or RC4.[1][2]

Enterprise T1083 File and Directory Discovery

ChChes collects the victim's %TEMP% directory path and version of Internet Explorer.[4]

Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

ChChes can alter the victim's proxy configuration.[3]

Enterprise T1105 Ingress Tool Transfer

ChChes is capable of downloading files, including additional modules.[1][2][4]

Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

ChChes copies itself to an .exe file with a filename that is likely intended to imitate Norton Antivirus but has several letters reversed (e.g. notron.exe).[3]

Enterprise T1057 Process Discovery

ChChes collects its process identifier (PID) on the victim.[1]

Enterprise T1553 .002 Subvert Trust Controls: Code Signing

ChChes samples were digitally signed with a certificate originally used by Hacking Team that was later leaked and subsequently revoked.[1][2][3]

Enterprise T1082 System Information Discovery

ChChes collects the victim hostname, window resolution, and Microsoft Windows version.[1][3]

Groups That Use This Software

ID Name References
G0045 menuPass