{
	"id": "c8881744-7a4f-4a90-8e07-ecd2e619c3ac",
	"created_at": "2026-04-06T00:18:09.696534Z",
	"updated_at": "2026-04-10T13:12:58.389654Z",
	"deleted_at": null,
	"sha1_hash": "b21cf4cc90c3a92422499cf878b2876522f16233",
	"title": "ChChes – Malware that Communicates with C\u0026C Servers Using Cookie Headers - JPCERT/CC Eyes",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1080446,
	"plain_text": "ChChes – Malware that Communicates with C\u0026C Servers Using\r\nCookie Headers - JPCERT/CC Eyes\r\nBy JPCERT/CC\r\nPublished: 2017-02-14 · Archived: 2026-04-05 18:27:25 UTC\r\nChChes\r\nSince around October 2016, JPCERT/CC has been confirming emails sent to Japanese organisations with a ZIP file attachment containing executable files. The targeted emails, which impersonate existing persons, are sent from free email address services available in Japan. Also, the executable files’ icons are disguised as Word documents. When the recipient executes the file, the machine is infected with malware called ChChes.\r\nThis blog article will introduce characteristics of ChChes, including its communication.\r\nZIP files attached to Targeted Emails\r\nWhile some ZIP files attached to the targeted emails in this campaign contain executable files only, in some cases they also contain dummy Word documents. Below is an example of the latter case.\r\nFigure 1: Example of an attached ZIP file\r\nhttps://blogs.jpcert.or.jp/en/2017/02/chches-malware--93d6.html\r\nPage 1 of 11\r\nIn the above example, two files with similar names are listed: a dummy Word document and an executable file whose icon is disguised as a Word document. By running this executable file, the machine will be infected with ChChes. JPCERT/CC has confirmed executable files that are signed with a specific code signing certificate. The dummy Word document is harmless, and its contents are existing online articles related to the file name “Why Donald Trump won”. The details of the code signing certificate are described in Appendix A.\r\nCommunication of ChChes\r\nChChes is a type of malware that communicates with specific sites using HTTP to receive commands and modules. There are only a few functions that ChChes can execute by itself. 
This means it expands its functions by receiving modules from C\u0026C servers and loading them in memory.\r\nThe following is an example of an HTTP GET request that ChChes sends. Sometimes the HEAD method is used instead of GET.\r\nGET /X4iBJjp/MtD1xyoJMQ.htm HTTP/1.1\r\nCookie: uHa5=kXFGd3JqQHMfnMbi9mFZAJHCGja0ZLs%3D;KQ=yt%2Fe(omitted)\r\nAccept: */*\r\nAccept-Encoding: gzip, deflate\r\nUser-Agent: [user agent]\r\nHost: [host name]\r\nConnection: Keep-Alive\r\nCache-Control: no-cache\r\nAs you can see, the path of the HTTP request takes the form /[random string].htm; however, the value of the Cookie field is not random but consists of encrypted strings corresponding to the actual data exchanged with the C\u0026C servers. The value can be decrypted using the Python script below.\r\nimport base64\r\nimport hashlib\r\nfrom urllib.parse import unquote\r\nfrom Crypto.Cipher import ARC4  # PyCryptodome / PyCrypto\r\n\r\n# cookie_data holds the raw value of the Cookie header, e.g. \"uHa5=kXFG...%3D;KQ=yt%2Fe...\"\r\ndata_list = cookie_data.split(';')\r\ndec = []\r\nfor tmp in data_list:\r\n    pos = tmp.find(\"=\")\r\n    key = tmp[0:pos]                 # cookie name: its MD5 derives the RC4 key\r\n    val = unquote(tmp[pos + 1:])     # URL-decoded, base64-encoded RC4 ciphertext\r\n    md5 = hashlib.md5()\r\n    md5.update(key.encode())\r\n    rc4key = md5.hexdigest()[8:24]   # 16 hex characters of the digest are the RC4 key\r\n    rc4 = ARC4.new(rc4key.encode())\r\n    # the decrypted data is prefixed with the cookie name, which is stripped\r\n    dec.append(rc4.decrypt(base64.b64decode(val))[len(key):])\r\nprint(\"[*] decoded: \" + b\"\".join(dec).decode(\"latin-1\"))\r\nThe following is the flow of communication after the machine is infected.\r\nFigure 2: Flow of communication\r\nThe First Request\r\nThe value in the Cookie field of the HTTP request that ChChes first sends (Request 1) contains encrypted data starting with ‘A’. The following is an example of the data sent.\r\nFigure 3: Example of the first data sent\r\nAs indicated in Figure 3, the data sent contains information including the computer name. The format of the encrypted data differs depending on ChChes’s version. 
The details are specified in Appendix B.\r\nIn response to Request 1, ChChes receives an ID string identifying the infected machine from the C\u0026C server (Response 1). The ID is contained in the Set-Cookie field as shown below.\r\nFigure 4: Example response to the first request\r\nRequest for Modules and Commands\r\nNext, ChChes sends an HTTP request to receive modules and commands (Request 2). At this point, the following data starting with ‘B’ is encrypted and contained in the Cookie field.\r\nB[ID to identify the infected machine]\r\nIn response to Request 2, encrypted modules and commands (Response 2) are sent from the C\u0026C servers. The following shows an example of received modules and commands after decryption.\r\nFigure 5: Decrypted data of modules and commands received\r\nCommands are sent either together with modules as a single block of data (as above) or on their own. Afterwards, the execution results of the received command are sent to the C\u0026C servers, and the malware returns to the step of receiving modules and commands. In this way, by repeatedly receiving commands from the C\u0026C servers, the infected machine is controlled remotely.\r\nJPCERT/CC’s research has confirmed modules with the following functions, which are thought to be the bot function of ChChes.\r\nEncrypt communication using AES\r\nExecute shell commands\r\nUpload files\r\nDownload files\r\nLoad and run DLLs\r\nView tasks of bot commands\r\nIn particular, the module that encrypts the communication with AES was confirmed to be received at a relatively early stage after infection. 
From that point on, communication with the C\u0026C servers is encrypted with AES on top of the existing encryption method.\r\nSummary\r\nChChes is a relatively new kind of malware which has been seen since around October 2016. As it may continue to be used in targeted attacks, JPCERT/CC will keep an eye on ChChes and attack activities using the malware.\r\nThe hash values of the samples demonstrated here are described in Appendix C. The malware’s destination hosts that JPCERT/CC has confirmed are listed in Appendix D. We recommend that you check if your machines are communicating with such hosts.\r\nThanks for reading.\r\n- Yu Nakamura\r\n(Translated by Yukako Uchida)\r\nAppendix A: Code signing certificate\r\nThe code signing certificate attached to some samples is the following:\r\n$ openssl x509 -inform der -text -in mal.cer\r\nCertificate:\r\n Data:\r\n Version: 3 (0x2)\r\n Serial Number:\r\n 3f:fc:eb:a8:3f:e0:0f:ef:97:f6:3c:d9:2e:77:eb:b9\r\n Signature Algorithm: sha1WithRSAEncryption\r\n Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/r\r\n Validity\r\n Not Before: Aug 5 00:00:00 2011 GMT\r\n Not After : Aug 4 23:59:59 2012 GMT\r\n Subject: C=IT, ST=Italy, L=Milan, O=HT Srl, OU=Digital ID Class 3 - Microsoft Software Validation v2, CN\r\n Subject Public Key Info:\r\n(Omitted)\r\nFigure 6: Code signing certificate\r\nAppendix B: ChChes version\r\nThe graph below shows the relation between the version numbers of the ChChes samples that JPCERT/CC has confirmed and the compile times obtained from their PE headers.\r\nFigure 7: Compile time for each ChChes version\r\nThe tables below describe the encrypted data contained in the first HTTP request and explain the values for each ChChes version.\r\nTable 1: Sending format of each version\r\nVersion | Format\r\n1.0.0 | A\u003ca\u003e*\u003cb\u003e?3618468394?\u003cc\u003e?\u003cd\u003e*\u003cf\u003e\r\n1.2.2 | A\u003ca\u003e*\u003cb\u003e?3618468394?\u003cc\u003e?\u003cd\u003e*\u003cf\u003e\r\n1.3.0 | A\u003ca\u003e*\u003cb\u003e?3618468394?\u003cc\u003e?\u003cd\u003e*\u003cf\u003e\r\n1.3.2 | A\u003ca\u003e*\u003cb\u003e?3618468394?\u003cc\u003e?\u003cd\u003e*\u003cg\u003e\r\n1.4.0 | A\u003ca\u003e*\u003cb\u003e?3618468394?\u003cc\u003e?\u003cd\u003e*\u003cg\u003e\r\n1.4.1 | A\u003ca\u003e*\u003cb\u003e?3618468394?\u003cc\u003e?\u003cd\u003e (\u003ce\u003e)*\u003cg\u003e\r\n1.6.4 | A\u003ca\u003e*\u003cb\u003e*\u003ch\u003e?3618468394?\u003cc\u003e?\u003cd\u003e (\u003ce\u003e)*\u003cg\u003e\r\nTable 2: Description of \u003ca\u003e to \u003ch\u003e\r\nLetter | Data | Size | Details\r\n\u003ca\u003e | Computer name | Variable | Capital alphanumeric characters\r\n\u003cb\u003e | Process ID | Variable | Capital alphanumeric characters\r\n\u003cc\u003e | Path of a temp folder | Variable | %TEMP% value\r\n\u003cd\u003e | Malware version | Variable | e.g. 1.4.1\r\n\u003ce\u003e | Screen resolution | Variable | e.g. 1024x768\r\n\u003cf\u003e | explorer.exe version | Variable | e.g. 6.1.7601.17567\r\n\u003cg\u003e | kernel32.dll version | Variable | e.g. 6.1.7601.17514\r\n\u003ch\u003e | Part of MD5 value of SID | 16 bytes | e.g. 0345cb0454ab14d7\r\nAppendix C: SHA-256 hash values of the samples\r\nAppendix D: List of communication destinations\r\nSource: https://blogs.jpcert.or.jp/en/2017/02/chches-malware--93d6.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blogs.jpcert.or.jp/en/2017/02/chches-malware--93d6.html"
	],
	"report_names": [
		"chches-malware--93d6.html"
	],
	"threat_actors": [
		{
			"id": "15b8d5d8-32cf-408b-91b1-5d6ac1de9805",
			"created_at": "2023-07-20T02:00:08.724751Z",
			"updated_at": "2026-04-10T02:00:03.341845Z",
			"deleted_at": null,
			"main_name": "APT-C-60",
			"aliases": [
				"APT-Q-12"
			],
			"source_name": "MISPGALAXY:APT-C-60",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ab47428c-7a8e-4ee8-9c8e-4e55c94d2854",
			"created_at": "2024-12-28T02:01:54.668462Z",
			"updated_at": "2026-04-10T02:00:04.564201Z",
			"deleted_at": null,
			"main_name": "APT-C-60",
			"aliases": [
				"APT-Q-12"
			],
			"source_name": "ETDA:APT-C-60",
			"tools": [
				"SpyGlace"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434689,
	"ts_updated_at": 1775826778,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b21cf4cc90c3a92422499cf878b2876522f16233.pdf",
		"text": "https://archive.orkl.eu/b21cf4cc90c3a92422499cf878b2876522f16233.txt",
		"img": "https://archive.orkl.eu/b21cf4cc90c3a92422499cf878b2876522f16233.jpg"
	}
}