def test_hash_lookup(self):
h = HashList()
self.assertEqual(None, h.md5)
self.assertEqual(None, h.sha1)
self.assertEqual(None, h.sha224)
self.assertEqual(None, h.sha256)
self.assertEqual(None, h.sha384)
self.assertEqual(None, h.sha512)
def test_namespace_count(self):
h = HashList()
h.append(EMPTY_MD5)
h.append(EMPTY_SHA1)
h.append(EMPTY_SHA224)
h.append(EMPTY_SHA256)
h.append(EMPTY_SHA384)
h.append(EMPTY_SHA512)
print h.to_xml()
ns_list = cybox.test.round_trip(h, list_=True)._get_namespaces()
print ns_list
# Only "common" and "vocabs" should be here. "xsi" is only added later
self.assertEqual(2, len(ns_list))
def test_hashlist_set_get(self):
md5_hash = "25BA4574F3090456C1AAE37F4D2D59B8"
sha256_hash = "B64C18B336A8319EFAC43FE5E6DB78B0969E696C1C149BA56CFD69CE72F1898F"
sha512_hash = "2A3459EE6C2FC3D7533F2D1AF6963A21337552D4ACD52D76A09B53BF36A27C3C357F1B41952582CFD0EDC7F8AEFC6DC939C38DF4CCED0F57320AB3480EC042D9"
ssdeep_hash = "3:AXGBicFlgVNhBGcL6wCrFQEv:AXGHsNhxLsr2C"
h = HashList()
h.ssdeep = ssdeep_hash
h.md5 = md5_hash
h.sha256 = sha256_hash
h.sha512 = sha512_hash
self.assertEqual(h.md5, md5_hash)
self.assertEqual(h.sha256, sha256_hash)
self.assertEqual(h.sha512, sha512_hash)
self.assertEqual(h.ssdeep, ssdeep_hash)
def tool_hashes(self):
if self._tool_hashes is None:
self._tool_hashes = HashList()
return self._tool_hashes
def map_attribtue(self, instance, attribute):
definition_name = attribute.definition.name
if hasattr(instance, definition_name.lower()):
setattr(instance, definition_name.lower(), attribute.value)
value = getattr(instance, definition_name.lower())
value.condition = self.get_condition(attribute)
else:
if 'hash' in definition_name:
if attribute.condition.value:
if attribute.condition.value:
if attribute.condition.value == "Equals":
exact = True
else:
exact = False
else:
exact = False
else:
exact = True
h = Hash(attribute.value, exact=exact)
h.condition = attribute.condition
if instance.hashes is None:
instance.hashes = HashList()
instance.hashes.append(h)
pass
elif 'email' in definition_name:
self.populate_email(instance, attribute)
elif definition_name == 'url':
instance.type_ = URI.TYPE_URL
instance.value = attribute.value
instance.value.condition = self.get_condition(attribute)
elif 'Full_Path' and isinstance(instance, Process):
# TODO: check why this is set?!?
pass
elif definition_name == 'WindowsRegistryKey_Key':
instance.key = attribute.value
instance.key.condition = self.get_condition(attribute)
elif definition_name == 'WindowsRegistryKey_Hive':
instance.hive = attribute.value
instance.hive.condition = self.get_condition(attribute)
elif 'WindowsRegistryKey_RegistryValue' in definition_name:
value = RegistryValue()
if definition_name == 'WindowsRegistryKey_RegistryValue_Data':
value.data = attribute.value
value.data.condition = self.get_condition(attribute)
elif definition_name == 'WindowsRegistryKey_RegistryValue_Data':
value.name = attribute.value
value.name.condition = self.get_condition(attribute)
if not instance.values:
instance.values = RegistryValues()
instance.values.append(value)
instance.data = attribute.value
elif definition_name == 'ipv4_addr':
instance.category = definition_name.replace('_', '-')
instance.address_value = attribute.value
instance.address_value.condition = self.get_condition(
attribute)
elif definition_name == 'DomainName_Value':
instance.value = attribute.value
elif definition_name == 'Raw_Artifact':
path = '{0}/{1}'.format(self.fh.get_base_path(),
attribute.value)
if isfile(path):
with open(path, 'r') as f:
bin_string = f.read()
instance.data = bin_string
# TODO find the corect type
instance.type_ = Artifact.TYPE_GENERIC
instance.packaging.append(Base64Encoding())
else:
instance.data = 'MIA'
instance.type_ = Artifact.TYPE_GENERIC
instance.packaging.append(Base64Encoding())
elif definition_name == 'content_type':
instance.type_ = attribute.value
elif definition_name == 'URIType':
instance.type_ = attribute.value
elif not attribute.definition.cybox_std:
self.add_custom_property(instance, attribute)
elif isinstance(instance,
NetworkConnection) and definition_name in [
'is_type', 'Port'
]:
# TODO: check why this is set?!?
pass
else:
raise Ce1susStixMapperException(
'Cannot map {1} on object type {0}'.format(
instance.__class__.__name__, definition_name))
from cybox.common import Hash, HashList, VocabString
from cybox.objects.file_object import File
from maec.bundle import Bundle, MalwareAction, Capability
from maec.package import Analysis, MalwareSubject, Package
# Instantiate the Bundle, Package, MalwareSubject, and Analysis classes
bundle = Bundle(defined_subject=False)
package = Package()
subject = MalwareSubject()
analysis = Analysis()
# Create the Object for use in the Malware Instance Object Attributes
subject_object = Object()
subject_object.properties = File()
subject_object.properties.name = 'foobar.exe'
subject_object.properties.size_in_bytes = '35532'
subject_object.properties.hashes = HashList()
subject_object.properties.hashes.append(
Hash("8743b52063cd84097a65d1633f5c74f5"))
# Set the Malware Instance Object Attributes with an Object constructed from the dictionary
subject.set_malware_instance_object_attributes(subject_object)
# Create the Associated Object Dictionary for use in the Action
associated_object = AssociatedObject()
associated_object.properties = File()
associated_object.properties.file_name = 'abcd.dll'
associated_object.properties.size_in_bytes = '123456'
associated_object.association_type = VocabString()
associated_object.association_type.value = 'output'
associated_object.association_type.xsi_type = 'maecVocabs:ActionObjectAssociationTypeVocab-1.0'
# Create the Action from another dictionary
action = MalwareAction()
action.name = VocabString()
def add_hash(self, hash_):
if hash_ is not None:
if self.hashes is None:
self.hashes = HashList()
self.hashes.append(hash_)
def sha512(self, value):
if self.hashes is None:
self.hashes = HashList()
self.hashes.sha512 = value
def sha384(self, value):
if self.hashes is None:
self.hashes = HashList()
self.hashes.sha384 = value
def sha256(self, value):
if self.hashes is None:
self.hashes = HashList()
self.hashes.sha256 = value
def md5(self, value):
if self.hashes is None:
self.hashes = HashList()
self.hashes.md5 = value
def merge_binned_malware_subjects(merged_malware_subject, binned_list,
id_mappings_dict):
'''Merge a list of input binned (related) Malware Subjects'''
# Merge the Malware_Instance_Object_Attributes
mal_inst_obj_list = [
x.malware_instance_object_attributes for x in binned_list
]
merged_inst_obj = Object.from_dict(merge_entities(mal_inst_obj_list))
# Give the merged Object a new ID
merged_inst_obj.id_ = idgen.create_id('object')
# Deduplicate the hash values, if they exist
if merged_inst_obj.properties and merged_inst_obj.properties.hashes:
hashes = merged_inst_obj.properties.hashes
hashes = HashList(
deduplicate_vocabulary_list(hashes,
value_name='simple_hash_value'))
hashes = HashList(
deduplicate_vocabulary_list(hashes, value_name='fuzzy_hash_value'))
merged_inst_obj.properties.hashes = hashes
# Merge and deduplicate the labels
merged_labels = list(
itertools.chain(*[x.label for x in binned_list if x.label]))
deduplicated_labels = deduplicate_vocabulary_list(merged_labels)
# Merge the configuration details
config_details_list = [
x.configuration_details for x in binned_list if x.configuration_details
]
merged_config_details = None
if config_details_list:
merged_config_details = MalwareConfigurationDetails.from_dict(
merge_entities(config_details_list))
# Merge the minor variants
merged_minor_variants = list(
itertools.chain(
*[x.minor_variants for x in binned_list if x.minor_variants]))
# Merge the field data # TODO: Add support. Not implemented in the APIs.
# Merge the analyses
merged_analyses = list(
itertools.chain(*[x.analyses for x in binned_list if x.analyses]))
# Merge the findings bundles
merged_findings_bundles = merge_findings_bundles(
[x.findings_bundles for x in binned_list if x.findings_bundles])
# Merge the relationships
merged_relationships = list(
itertools.chain(
*[x.relationships for x in binned_list if x.relationships]))
# Merge the compatible platforms
merged_compatible_platforms = list(
itertools.chain(*[
x.compatible_platform for x in binned_list if x.compatible_platform
]))
# Build the merged Malware Subject
merged_malware_subject.malware_instance_object_attributes = merged_inst_obj
if deduplicated_labels: merged_malware_subject.label = deduplicated_labels
if merged_config_details:
merged_malware_subject.configuration_details = merged_config_details
if merged_minor_variants:
merged_malware_subject.minor_variants = MinorVariants(
merged_minor_variants)
if merged_analyses:
merged_malware_subject.analyses = Analyses(merged_analyses)
if merged_findings_bundles:
merged_malware_subject.findings_bundles = merged_findings_bundles
if merged_relationships:
merged_malware_subject.relationships = MalwareSubjectRelationshipList(
merged_relationships)
if merged_compatible_platforms:
merged_malware_subject.compatible_platform = merged_compatible_platforms
exports.exported_functions = PEExportedFunctions() exports.exports_time_stamp = DateTime() exports.name = String() exports.number_of_addresses = Long() exports.number_of_functions = Integer() exports.number_of_names = Long() # The Extraneous_Bytes field specifies the number of extraneous bytes contained in the PE binary. extraneous_bytes = Integer() # https://cybox.readthedocs.org/en/stable/_modules/cybox/objects/win_executable_file_object.html#PEHeaders headers = PEHeaders() headers.dos_header = DOSHeader() headers.entropy = Entropy() headers.file_header = PEFileHeader() headers.hashes = HashList() headers.optional_header = PEOptionalHeader() headers.signature = HexBinary() # https://cybox.readthedocs.org/en/stable/_modules/cybox/objects/win_executable_file_object.html#PEImportList imports = PEImportList() # https://cybox.readthedocs.org/en/stable/_modules/cybox/objects/win_executable_file_object.html#PEChecksum pe_checksum = PEChecksum() pe_checksum.pe_computed_api = Long() pe_checksum.pe_file_api = Long() pe_checksum.pe_file_raw = Long() # https://cybox.readthedocs.org/en/stable/_modules/cybox/objects/win_executable_file_object.html#PEResourceList resources = PEResourceList()
def ssdeep(self, value):
if self.hashes is None:
self.hashes = HashList()
self.hashes.ssdeep = value
