ChChes is a Trojan that appears to be used exclusively by menuPass. It was used to target Japanese organizations in 2016. Its lack of persistence methods suggests it may be intended as a first-stage tool.[1][2][3]

ID: S0144
Associated Software: Scorpion, HAYMAKER
Platforms: Windows
Version: 1.1
Created: 31 May 2017
Last Modified: 30 March 2020

Associated Software Descriptions

Name Description
HAYMAKER Based on similarities in reported malware behavior and open source reporting, it is assessed that the malware named HAYMAKER by FireEye is likely the same as the malware ChChes.[4][5]

Techniques Used

Domain ID Name Use
Enterprise T1071.001 Application Layer Protocol: Web Protocols

ChChes communicates to its C2 server over HTTP and embeds data within the Cookie HTTP header.[1][2]

Enterprise T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

ChChes establishes persistence by adding a Registry Run key.[3]

Enterprise T1555.003 Credentials from Password Stores: Credentials from Web Browsers

ChChes steals credentials stored inside Internet Explorer.[3]

Enterprise T1132.001 Data Encoding: Standard Encoding

ChChes can encode C2 data with a custom technique that utilizes Base64.[1][2]

Enterprise T1573.001 Encrypted Channel: Symmetric Cryptography

ChChes can encrypt C2 traffic with AES or RC4.[1][2]

Enterprise T1083 File and Directory Discovery

ChChes collects the victim's %TEMP% directory path and version of Internet Explorer.[4]

Enterprise T1562.001 Impair Defenses: Disable or Modify Tools

ChChes can alter the victim's proxy configuration.[3]

Enterprise T1105 Ingress Tool Transfer

ChChes is capable of downloading files, including additional modules.[1][2][4]

Enterprise T1036.005 Masquerading: Match Legitimate Name or Location

ChChes copies itself to an .exe file with a filename that is likely intended to imitate Norton Antivirus but has several letters reversed (e.g. notron.exe).[3]

Enterprise T1057 Process Discovery

ChChes collects its process identifier (PID) on the victim.[1]

Enterprise T1553.002 Subvert Trust Controls: Code Signing

ChChes samples were digitally signed with a certificate originally used by Hacking Team that was later leaked and subsequently revoked.[1][2][3]

Enterprise T1082 System Information Discovery

ChChes collects the victim hostname, window resolution, and Microsoft Windows version.[1][3]

Groups That Use This Software

ID Name References
G0045 menuPass