Skip to content

S0144 ChChes

ChChes is a Trojan that appears to be used exclusively by menuPass. It was used to target Japanese organizations in 2016. Its lack of persistence methods suggests it may be intended as a first-stage tool. 1 2 3

Item Value
ID S0144
Associated Names Scorpion, HAYMAKER
Version 1.1
Created 31 May 2017
Last Modified 30 March 2020
Navigation Layer View In ATT&CK® Navigator

Associated Software Descriptions

Name Description
Scorpion 3
HAYMAKER Based on similarities in reported malware behavior and open source reporting, it is assessed that the malware named HAYMAKER by FireEye is likely the same as the malware ChChes. 4 5

Techniques Used

Domain ID Name Use
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols ChChes communicates to its C2 server over HTTP and embeds data within the Cookie HTTP header.12
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.001 Registry Run Keys / Startup Folder ChChes establishes persistence by adding a Registry Run key.3
enterprise T1555 Credentials from Password Stores -
enterprise T1555.003 Credentials from Web Browsers ChChes steals credentials stored inside Internet Explorer.3
enterprise T1132 Data Encoding -
enterprise T1132.001 Standard Encoding ChChes can encode C2 data with a custom technique that utilizes Base64.12
enterprise T1573 Encrypted Channel -
enterprise T1573.001 Symmetric Cryptography ChChes can encrypt C2 traffic with AES or RC4.12
enterprise T1083 File and Directory Discovery ChChes collects the victim’s %TEMP% directory path and version of Internet Explorer.4
enterprise T1562 Impair Defenses -
enterprise T1562.001 Disable or Modify Tools ChChes can alter the victim’s proxy configuration.3
enterprise T1105 Ingress Tool Transfer ChChes is capable of downloading files, including additional modules.124
enterprise T1036 Masquerading -
enterprise T1036.005 Match Legitimate Name or Location ChChes copies itself to an .exe file with a filename that is likely intended to imitate Norton Antivirus but has several letters reversed (e.g. notron.exe).3
enterprise T1057 Process Discovery ChChes collects its process identifier (PID) on the victim.1
enterprise T1553 Subvert Trust Controls -
enterprise T1553.002 Code Signing ChChes samples were digitally signed with a certificate originally used by Hacking Team that was later leaked and subsequently revoked.123
enterprise T1082 System Information Discovery ChChes collects the victim hostname, window resolution, and Microsoft Windows version.13

Groups That Use This Software

ID Name References
G0045 menuPass 3


Back to top