ChChes is a Trojan that appears to be used exclusively by menuPass. It was used to target Japanese organizations in 2016. Its lack of persistence methods suggests it may be intended as a first-stage tool. [1] [2] [3]

ID: S0144
Associated Software: Scorpion, HAYMAKER
Platforms: Windows
Version: 1.0

Associated Software Descriptions

| Name | Description |
|---|---|
| Scorpion | [3] |
| HAYMAKER | Based on similarities in reported malware behavior and open source reporting, it is assessed that the malware named HAYMAKER by FireEye is likely the same as the malware ChChes. [4] [5] |

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1116 | Code Signing | ChChes samples were digitally signed with a certificate originally used by Hacking Team that was later leaked and subsequently revoked. [1] [2] [3] |
| Enterprise | T1003 | Credential Dumping | ChChes steals credentials stored inside Internet Explorer. [3] |
| Enterprise | T1024 | Custom Cryptographic Protocol | ChChes can encrypt C2 data with a custom technique using MD5, base64-encoding, and RC4. [1] [2] |
| Enterprise | T1089 | Disabling Security Tools | ChChes can alter the victim's proxy configuration. [3] |
| Enterprise | T1083 | File and Directory Discovery | ChChes collects the victim's %TEMP% directory path and version of Internet Explorer. [4] |
| Enterprise | T1036 | Masquerading | ChChes copies itself to an .exe file with a filename that is likely intended to imitate Norton Antivirus but has several letters reversed (e.g. notron.exe). [3] |
| Enterprise | T1057 | Process Discovery | ChChes collects its process identifier (PID) on the victim. [1] |
| Enterprise | T1060 | Registry Run Keys / Startup Folder | ChChes establishes persistence by adding a Registry Run key. [3] |
| Enterprise | T1105 | Remote File Copy | ChChes is capable of downloading files, including additional modules. [1] [2] [4] |
| Enterprise | T1071 | Standard Application Layer Protocol | ChChes communicates to its C2 server over HTTP and embeds data within the Cookie HTTP header. [1] [2] |
| Enterprise | T1032 | Standard Cryptographic Protocol | ChChes can encrypt C2 traffic with AES. [1] [2] |
| Enterprise | T1082 | System Information Discovery | ChChes collects the victim hostname, window resolution, and Microsoft Windows version. [1] [3] |

Groups That Use This Software

| ID | Name | References |
|---|---|---|
| G0045 | menuPass | [3] |