Added ChChes and Enfal config parsers.

README.md

@@ -31,6 +31,8 @@ Many other malware families have their payloads extracted by some of the behavio
 
 Currently CAPE has config parsers for the following malware families, whose payloads are extracted by a behavioural package:
     - HttpBrowser
+    - Enfal
+    - ChChes
 
 There are a number of other behavioural and malware family packages and parsers currently in the works, so watch this space.
 

data/yara/CAPE/ChChes.yar

@@ -0,0 +1,12 @@
+rule ChChes
+{
+    meta:
+        author = "kev"
+        description = "ChChes Payload"
+        cape_type = "ChChes Payload"
+    strings:
+        $payload1 = {55 8B EC 53 E8 ?? ?? FF FF E8 D? FF FF FF 05 ?? ?? ?? 00 33 DB 39 58 44 75 58 56 57 50 E8 57 00 00 00 59 8B F0 E8 A? FF FF FF B9 ?? ?? ?? 00 BF D0 1C ?? 00 2B CF 03 C1 39 5E 30 76 0F}
+        $payload2 = {55 8B EC E8 ?? ?? FF FF E8 D? FF FF FF 05 ?? ?? ?? 00 83 78 44 00 75 40 56 57 50 E8 3E 00 00 00 59 8B F0 6A 00 FF 76 30 E8 A8 FF FF FF B9 ?? ?? ?? 00 BF 00 1A E1 00 2B CF 03 C1 50 FF 56 70}
+    condition:
+        $payload1 or $payload2
+}

data/yara/CAPE/Enfal.yar

@@ -0,0 +1,12 @@
+rule Enfal
+{
+    meta:
+        author = "kev"
+        description = "Enfal configuration blob"
+        cape_type = "Injected Enfal Config"
+    strings:
+        $config1 = {BF 49 ?? 75 22 12 ?? 75 4B 65 72 6E 65 6C 33 32 2E 64 6C 6C}
+
+    condition:
+        $config1
+}