ChChes is a Trojan that appears to be used exclusively by menuPass. It was used to target Japanese organizations in 2016. Its lack of persistence methods suggests it may be intended as a first-stage tool. [1] [2] [3]

ID: S0144
Associated Software: Scorpion, HAYMAKER
Platforms: Windows
Version: 1.0

Associated Software Descriptions

Name Description
Scorpion [3]
HAYMAKER Based on similarities in reported malware behavior and open source reporting, it is assessed that the malware named HAYMAKER by FireEye is likely the same as the malware ChChes. [4] [5]

Techniques Used

Domain ID Name Use
Enterprise T1116 Code Signing ChChes samples were digitally signed with a certificate originally used by Hacking Team that was later leaked and subsequently revoked.[1][2][3]
Enterprise T1003 Credential Dumping ChChes steals credentials stored inside Internet Explorer.[3]
Enterprise T1024 Custom Cryptographic Protocol ChChes can encrypt C2 data with a custom technique using MD5, base64-encoding, and RC4.[1][2]
Enterprise T1089 Disabling Security Tools ChChes can alter the victim's proxy configuration.[3]
Enterprise T1083 File and Directory Discovery ChChes collects the victim's %TEMP% directory path and version of Internet Explorer.[4]
Enterprise T1036 Masquerading ChChes copies itself to an .exe file with a filename that is likely intended to imitate Norton Antivirus but has several letters reversed (e.g. notron.exe).[3]
Enterprise T1057 Process Discovery ChChes collects its process identifier (PID) on the victim.[1]
Enterprise T1060 Registry Run Keys / Startup Folder ChChes establishes persistence by adding a Registry Run key.[3]
Enterprise T1105 Remote File Copy ChChes is capable of downloading files, including additional modules.[1][2][4]
Enterprise T1071 Standard Application Layer Protocol ChChes communicates to its C2 server over HTTP and embeds data within the Cookie HTTP header.[1][2]
Enterprise T1032 Standard Cryptographic Protocol ChChes can encrypt C2 traffic with AES.[1][2]
Enterprise T1082 System Information Discovery ChChes collects the victim hostname, window resolution, and Microsoft Windows version.[1][3]


Groups that use this software: