ChChes is a Trojan that appears to be used exclusively by menuPass. It was used to target Japanese organizations in 2016. Its lack of persistence methods suggests it may be intended as a first-stage tool. [1] [2] [3]

ID: S0144
Aliases: ChChes, Scorpion, HAYMAKER
Platforms: Windows

Version: 1.0

Alias Descriptions

ChChes[1] [2] [3]
HAYMAKERBased on similarities in reported malware behavior and open source reporting, it is assessed that the malware named HAYMAKER by FireEye is likely the same as the malware ChChes. [4] [5]

Techniques Used

EnterpriseT1116Code SigningChChes samples were digitally signed with a certificate originally used by Hacking Team that was later leaked and subsequently revoked.[1][2][3]
EnterpriseT1003Credential DumpingChChes steals credentials stored inside Internet Explorer.[3]
EnterpriseT1024Custom Cryptographic ProtocolChChes can encrypt C2 data with a custom technique using MD5, base64-encoding, and RC4.[1][2]
EnterpriseT1089Disabling Security ToolsChChes can alter the victim's proxy configuration.[3]
EnterpriseT1083File and Directory DiscoveryChChes collects the victim's %TEMP% directory path and version of Internet Explorer.[4]
EnterpriseT1036MasqueradingChChes copies itself to an .exe file with a filename that is likely intended to imitate Norton Antivirus but has several letters reversed (e.g. notron.exe).[3]
EnterpriseT1057Process DiscoveryChChes collects its process identifier (PID) on the victim.[1]
EnterpriseT1060Registry Run Keys / Startup FolderChChes establishes persistence by adding a Registry Run key.[3]
EnterpriseT1105Remote File CopyChChes is capable of downloading files, including additional modules.[1][2][4]
EnterpriseT1071Standard Application Layer ProtocolChChes communicates to its C2 server over HTTP and embeds data within the Cookie HTTP header.[1][2]
EnterpriseT1032Standard Cryptographic ProtocolChChes can encrypt C2 traffic with AES.[1][2]
EnterpriseT1082System Information DiscoveryChChes collects the victim hostname, window resolution, and Microsoft Windows version.[1][3]


Groups that use this software: