Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.

ChChes

ChChes is a Trojan that appears to be used exclusively by menuPass. It was used to target Japanese organizations in 2016. Its lack of persistence methods suggests it may be intended as a first-stage tool. (Citation: Palo Alto menuPass Feb 2017) (Citation: JPCERT ChChes Feb 2017) (Citation: PWC Cloud Hopper Technical Annex April 2017)
ID: S0144
Associated Software: Scorpion HAYMAKER
Type: MALWARE
Platforms: Windows
Version: 1.1
Created: 31 May 2017
Last Modified: 12 Sep 2024

Associated Software Descriptions

Name Description
Scorpion (Citation: PWC Cloud Hopper Technical Annex April 2017)
HAYMAKER Based on similarities in reported malware behavior and open source reporting, it is assessed that the malware named HAYMAKER by FireEye is likely the same as the malware ChChes. (Citation: FireEye APT10 April 2017) (Citation: Twitter Nick Carr APT10)

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

ChChes communicates to its C2 server over HTTP and embeds data within the Cookie HTTP header.(Citation: Palo Alto menuPass Feb 2017)(Citation: JPCERT ChChes Feb 2017)

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

ChChes establishes persistence by adding a Registry Run key.(Citation: PWC Cloud Hopper Technical Annex April 2017)

Enterprise T1555 .003 Credentials from Password Stores: Credentials from Web Browsers

ChChes steals credentials stored inside Internet Explorer.(Citation: PWC Cloud Hopper Technical Annex April 2017)

Enterprise T1132 .001 Data Encoding: Standard Encoding

ChChes can encode C2 data with a custom technique that utilizes Base64.(Citation: Palo Alto menuPass Feb 2017)(Citation: JPCERT ChChes Feb 2017)

Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

ChChes can encrypt C2 traffic with AES or RC4.(Citation: Palo Alto menuPass Feb 2017)(Citation: JPCERT ChChes Feb 2017)

Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

ChChes can alter the victim's proxy configuration.(Citation: PWC Cloud Hopper Technical Annex April 2017)

Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

ChChes copies itself to an .exe file with a filename that is likely intended to imitate Norton Antivirus but has several letters reversed (e.g. notron.exe).(Citation: PWC Cloud Hopper Technical Annex April 2017)

Enterprise T1553 .002 Subvert Trust Controls: Code Signing

ChChes samples were digitally signed with a certificate originally used by Hacking Team that was later leaked and subsequently revoked.(Citation: Palo Alto menuPass Feb 2017)(Citation: JPCERT ChChes Feb 2017)(Citation: PWC Cloud Hopper Technical Annex April 2017)

Groups That Use This Software

ID Name References
G0045 menuPass

(Citation: PWC Cloud Hopper Technical Annex April 2017)

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.