def from_obj(action_argument_obj):
if not action_argument_obj:
return None
action_argument_ = ActionArgument()
action_argument_.argument_name = VocabString.from_obj(action_argument_obj.get_Argument_Name())
action_argument_.argument_value = action_argument_obj.get_Argument_Value()
return action_argument_
def from_dict(action_relationship_dict):
if not action_relationship_dict:
return None
action_relationship_ = ActionRelationship()
action_relationship_.type = VocabString.from_dict(action_relationship_dict.get('type'))
action_relationship_.action_references = [ActionReference.from_dict(x) for x in action_relationship_dict.get('action_reference')]
return action_relationship_
def from_obj(malware_subject_relationship_obj):
if not malware_subject_relationship_obj:
return None
malware_subject_relationship_ = MalwareSubjectRelationship()
malware_subject_relationship_.type = VocabString.from_obj(malware_subject_relationship_obj.get_Type())
malware_subject_relationship_.malware_subject_references = [MalwareSubjectReference.from_obj(x) for x in malware_subject_relationship_obj.get_Malware_Subject_Reference()]
return malware_subject_relationship_
def from_obj(action_relationship_obj):
if not action_relationship_obj:
return None
action_relationship_ = ActionRelationship()
action_relationship_.type = VocabString.from_obj(action_relationship_obj.Type)
action_relationship_.action_references = [ActionReference.from_obj(x) for x in action_relationship_obj.Action_Reference]
return action_relationship_
def from_obj(action_relationship_obj):
if not action_relationship_obj:
return None
action_relationship_ = ActionRelationship()
action_relationship_.type = VocabString.from_obj(action_relationship_obj.get_Type())
action_relationship_.action_references = [ActionReference.from_obj(x) for x in action_relationship_obj.get_Action_Reference()]
return action_relationship_
def from_obj(capability_property_obj):
if not capability_property_obj:
return None
capability_property_ = CapabilityProperty()
capability_property_.name = VocabString.from_obj(capability_property_obj.get_Name())
capability_property_.value = String.from_obj(capability_property_obj.get_Value())
return capability_property_
def from_dict(action_relationship_dict):
if not action_relationship_dict:
return None
action_relationship_ = ActionRelationship()
action_relationship_.type = VocabString.from_dict(action_relationship_dict.get('type'))
action_relationship_.action_references = [ActionReference.from_dict(x) for x in action_relationship_dict.get('action_reference', [])]
return action_relationship_
def from_obj(mal_conf_param_obj):
if not mal_conf_param_obj:
return None
mal_conf_param_ = MalwareConfigurationParameter()
mal_conf_param_.name = VocabString.from_obj(mal_conf_param_obj.get_Name())
if mal_conf_param_obj.get_Value(): mal_conf_param_.value = mal_conf_param_obj.get_Value()
return mal_conf_param_
def from_dict(capability_property_dict):
if not capability_property_obj:
return None
capability_property_ = CapabilityProperty()
capability_property_.name = VocabString.from_dict(capability_property_dict["name"])
capability_property_.value = String.from_dict(capability_property_dict["value"])
return capability_property_
def test_nonstandard_type_vocab(self):
ar = ActionRelationship()
ar.type = VocabString(u("AddedMultipleTimes"))
ar.type.vocab_reference = "http://example.com/action-types/"
ar.type.xsi_type = None
ar2 = round_trip(ar)
self.assertEqual(ar.to_dict(), ar2.to_dict())
def from_dict(mal_conf_param_dict):
if not mal_conf_param_dict:
return None
mal_conf_param_ = MalwareConfigurationParameter()
mal_conf_param_.name = VocabString.from_dict(mal_conf_param_dict['name'])
if mal_conf_param_dict.get('value'): mal_conf_param_.value = mal_conf_param_dict['value']
return mal_conf_param_
def from_dict(malware_subject_relationship_dict):
if not malware_subject_relationship_dict:
return None
malware_subject_relationship_ = MalwareSubjectRelationship()
malware_subject_relationship_.type = VocabString.from_dict(malware_subject_relationship_dict.get('type'))
malware_subject_relationship_.malware_subject_references = [MalwareSubjectReference.from_dict(x) for x in malware_subject_relationship_dict.get('malware_subject_references', [])]
return malware_subject_relationship_
def from_dict(action_argument_dict):
if not action_argument_dict:
return None
action_argument_ = ActionArgument()
action_argument_.argument_name = VocabString.from_dict(action_argument_dict.get('argument_name'))
action_argument_.argument_value = action_argument_dict.get('argument_value')
return action_argument_
def from_dict(capability_property_dict):
if not capability_property_dict:
return None
capability_property_ = CapabilityProperty()
capability_property_.name = VocabString.from_dict(capability_property_dict['name'])
capability_property_.value = String.from_dict(capability_property_dict['value'])
return capability_property_
def from_obj(mal_binary_obfusc_alg_obj):
if not mal_binary_obfusc_alg_obj:
return None
mal_binary_obfusc_alg_ = MalwareConfigurationObfuscationAlgorithm()
mal_binary_obfusc_alg_.ordinal_position = mal_binary_obfusc_alg_obj.get_ordinal_position()
mal_binary_obfusc_alg_.key = mal_binary_obfusc_alg_obj.get_Key()
mal_binary_obfusc_alg_.algorithm_name = VocabString.from_obj(mal_binary_obfusc_alg_obj.get_Algorithm_name())
return mal_binary_obfusc_alg_
def from_dict(mal_binary_obfusc_alg_dict):
if not mal_binary_obfusc_alg_dict:
return None
mal_binary_obfusc_alg_ = MalwareConfigurationObfuscationAlgorithm()
if mal_binary_obfusc_alg_dict['ordinal_position']: mal_binary_obfusc_alg_.ordinal_position = mal_binary_obfusc_alg_dict['ordinal_position']
if mal_binary_obfusc_alg_dict['key']: mal_binary_obfusc_alg_.key = mal_binary_obfusc_alg_dict['key']
mal_binary_obfusc_alg_.algorithm_name = VocabString.from_dict(mal_binary_obfusc_alg_dict['algorithm_name'])
return mal_binary_obfusc_alg_
def from_dict(capability_rel_dict):
if not capability_rel_dict:
return None
capability_rel_ = CapabilityRelationship()
capability_rel_.relationship_type = VocabString.from_dict(capability_rel_dict['relationship_type'])
if capability_rel_dict['capability_reference']:
capability_rel_.capability_reference = [CapabilityReference.from_dict(x) for x in capability_rel_dict['capability_reference']]
return capability_rel_
def from_obj(capability_rel_obj):
if not capability_rel_obj:
return None
capability_rel_ = CapabilityRelationship()
capability_rel_.relationship_type = VocabString.from_obj(capability_rel_obj.get_Relationship_Type())
if capability_rel_obj.get_Capability_Reference():
capability_rel_.capability_reference = [CapabilityReference.from_obj(x) for x in capability_rel_obj.get_Capability_Reference()]
return capability_rel_
def from_dict(malware_entity_dict):
if not malware_entity_dict:
return None
malware_entity_ = MalwareEntity()
malware_entity_.type = VocabString.from_dict(malware_entity_dict.get('type'))
malware_entity_.name = malware_entity_dict.get('name')
malware_entity_.description = malware_entity_dict.get('description')
return malware_entity_
def from_obj(measure_source_obj):
if not measure_source_obj:
return None
measure_source_ = MeasureSource()
measure_source_.class_ = measure_source_obj.get_class()
measure_source_.source_type = measure_source_obj.get_source_type()
measure_source_.name = measure_source_obj.get_name()
measure_source_.information_source_type = VocabString.from_obj(measure_source_obj.get_Information_Source_Type())
measure_source_.tool_type = VocabString.from_obj(measure_source_obj.get_Tool_Type())
measure_source_.description = StructuredText.from_obj(measure_source_obj.get_Description())
measure_source_.contributors = Personnel.from_obj(measure_source_obj.get_Contributors())
measure_source_.time = Time.from_obj(measure_source_obj.get_Time())
measure_source_.tools = ToolInformationList.from_obj(measure_source_obj.get_Tools())
measure_source_.platform = None #TODO: add support
measure_source_.system = ObjectProperties.from_obj(measure_source_obj.get_System())
measure_source_.instance = ObjectProperties.from_obj(measure_source_obj.get_Instance())
return measure_source_
def from_dict(measure_source_dict):
if not measure_source_dict:
return None
measure_source_ = MeasureSource()
measure_source_.class_ = measure_source_dict.get('class')
measure_source_.source_type = measure_source_dict.get('source_type')
measure_source_.name = measure_source_dict.get('name')
measure_source_.information_source_type = VocabString.from_dict(measure_source_dict.get('information_source_type'))
measure_source_.tool_type = VocabString.from_dict(measure_source_dict.get('tool_type'))
measure_source_.description = StructuredText.from_dict(measure_source_dict.get('description'))
measure_source_.contributors = Personnel.from_list(measure_source_dict.get('contributors'))
measure_source_.time = Time.from_dict(measure_source_dict.get('time'))
measure_source_.tools = ToolInformationList.from_list(measure_source_dict.get('tools'))
measure_source_.platform = None #TODO: add support
measure_source_.system = ObjectProperties.from_dict(measure_source_dict.get('system'))
measure_source_.instance = ObjectProperties.from_dict(measure_source_dict.get('instance'))
return measure_source_
def from_obj(malware_entity_obj):
if not malware_entity_obj:
return None
malware_entity_ = MalwareEntity()
malware_entity_.type = VocabString.from_obj(malware_entity_obj.get_Type())
malware_entity_.name = malware_entity_obj.get_Name()
malware_entity_.description = malware_entity_obj.get_Description()
return malware_entity_
def from_dict(grouping_relationship_dict):
if not grouping_relationship_dict:
return None
grouping_relationship_ = GroupingRelationship()
grouping_relationship_.type = VocabString.from_dict(grouping_relationship_dict.get('type'))
grouping_relationship_.malware_family_name = grouping_relationship_dict.get('malware_family_name')
grouping_relationship_.malware_toolkit_name = grouping_relationship_dict.get('malware_toolkit_name')
grouping_relationship_.clustering_metadata = ClusteringMetadata.from_dict(grouping_relationship_dict.get('clustering_metadata'))
return grouping_relationship_
def from_obj(grouping_relationship_obj):
if not grouping_relationship_obj:
return None
grouping_relationship_ = GroupingRelationship()
grouping_relationship_.type = VocabString.from_obj(grouping_relationship_obj.get_Type())
grouping_relationship_.malware_family_name = grouping_relationship_obj.get_Malware_Family_Name()
grouping_relationship_.malware_toolkit_name = grouping_relationship_obj.get_Malware_Toolkit_Name()
grouping_relationship_.clustering_metadata = ClusteringMetadata.from_obj(grouping_relationship_obj.get_Clustering_Metadata())
return grouping_relationship_
def test_xsi_type_unicode(self):
string = u"test\u2010value"
vocab_dict = {"value": string, "condition": u"Equals", "xsi:type": u"some_xsi_type"}
vocab_dict2 = cybox.test.round_trip_dict(VocabString, vocab_dict)
self.assertEqual(vocab_dict, vocab_dict2)
xml = VocabString.from_dict(vocab_dict).to_xml()
string_utf8 = string.encode("utf-8")
self.assertTrue(string_utf8 in xml)
def from_dict(capability_obj_rel_dict):
if not capability_obj_rel_dict:
return None
capability_obj_rel_ = CapabilityRelationship()
capability_obj_rel_.relationship_type = VocabString.from_dict(capability_obj_rel_dict["relationship_type"])
if capability_obj_rel_dict["objective_reference"]:
capability_obj_rel_.objective_reference = [
CapabilityObjectiveReference.from_dict(x) for x in capability_obj_rel_dict["objective_reference"]
]
return capability_obj_rel_
def from_obj(relobj_obj):
if not relobj_obj:
return None
relobj = RelatedObject()
Object.from_obj(relobj_obj, relobj)
relobj.relationship = VocabString.from_obj(relobj_obj.Relationship)
if relobj.idref:
relobj._inline = True
return relobj
def from_dict(relobj_dict):
if not relobj_dict:
return None
relobj = RelatedObject()
Object.from_dict(relobj_dict, relobj)
relobj.relationship = VocabString.from_dict(relobj_dict.get('relationship'))
if relobj.idref:
relobj._inline = True
return relobj
def from_obj(relobj_obj):
if not relobj_obj:
return None
relobj = RelatedObject()
Object.from_obj(relobj_obj, relobj)
relobj.relationship = VocabString.from_obj(relobj_obj.Relationship)
if relobj.idref:
relobj._inline = True
return relobj
def from_dict(relobj_dict):
if not relobj_dict:
return None
relobj = RelatedObject()
Object.from_dict(relobj_dict, relobj)
relobj.relationship = VocabString.from_dict(relobj_dict.get('relationship'))
if relobj.idref:
relobj._inline = True
return relobj
def from_dict(action_dict, action_cls = None):
if not action_dict:
return None
if action_cls == None:
action_cls = Action()
action_ = action_cls
action_.id = action_dict.get('id')
action_.idref = action_dict.get('idref')
action_.ordinal_position = action_dict.get('ordinal_position')
action_.action_status = action_dict.get('action_status')
action_.context = action_dict.get('context')
action_.timestamp = action_dict.get('timestamp')
action_.type = VocabString.from_dict(action_dict.get('type'))
action_.name = VocabString.from_dict(action_dict.get('name'))
action_.description = StructuredText.from_dict(action_dict.get('description'))
action_.action_aliases = action_dict.get('action_aliases', [])
action_.action_arguments = ActionArguments.from_list(action_dict.get('action_arguments', []))
action_.discovery_method = MeasureSource.from_dict(action_dict.get('discovery_method'))
action_.associated_objects = AssociatedObjects.from_list(action_dict.get('associated_objects', []))
action_.relationships = ActionRelationships.from_list(action_dict.get('relationships', []))
#action_.frequency = Frequency.from_dict(action_dict.get('frequency')) #TODO: add support
return action_
def test_xsi_type_unicode(self):
string = u("test\u2010value")
vocab_dict = {
'value': string,
'condition': u("Equals"),
'xsi:type': u("some_xsi_type"),
}
vocab_dict2 = cybox.test.round_trip_dict(VocabString, vocab_dict)
self.assertEqual(vocab_dict, vocab_dict2)
xml = VocabString.from_dict(vocab_dict).to_xml()
string_utf8 = string.encode("utf-8")
self.assertTrue(string_utf8 in xml)
def test_xsi_type_unicode(self):
string = u("test\u2010value")
vocab_dict = {
'value': string,
'condition': u("Equals"),
'xsi:type': u("some_xsi_type"),
}
vocab_dict2 = cybox.test.round_trip_dict(VocabString, vocab_dict)
self.assertEqual(vocab_dict, vocab_dict2)
xml = VocabString.from_dict(vocab_dict).to_xml()
string_utf8 = string.encode("utf-8")
self.assertTrue(string_utf8 in xml)
def from_dict(candidate_indicator_dict):
if not candidate_indicator_dict:
return None
candidate_indicator_ = CandidateIndicator()
candidate_indicator_.id = candidate_indicator_dict.get('id')
candidate_indicator_.creation_datetime = candidate_indicator_dict.get('creation_datetime')
candidate_indicator_.version = candidate_indicator_dict.get('version')
candidate_indicator_.importance = VocabString.from_dict(candidate_indicator_dict.get('importance'))
candidate_indicator_.numeric_importance = candidate_indicator_dict.get('numeric_importance')
candidate_indicator_.author = candidate_indicator_dict.get('author')
candidate_indicator_.description = candidate_indicator_dict.get('description')
candidate_indicator_.malware_entity = MalwareEntity.from_dict(candidate_indicator_dict.get('malware_entity'))
candidate_indicator_.composition = CandidateIndicatorComposition.from_dict(candidate_indicator_dict.get('composition'))
return candidate_indicator_
def from_obj(candidate_indicator_obj):
if not candidate_indicator_obj:
return None
candidate_indicator_ = CandidateIndicator()
candidate_indicator_.id = candidate_indicator_obj.get_id()
candidate_indicator_.creation_datetime = candidate_indicator_obj.get_creation_datetime()
candidate_indicator_.version = candidate_indicator_obj.get_version()
candidate_indicator_.importance = VocabString.from_obj(candidate_indicator_obj.get_Importance())
candidate_indicator_.numeric_importance = candidate_indicator_obj.get_Numeric_Importance()
candidate_indicator_.author = candidate_indicator_obj.get_Author()
candidate_indicator_.description = candidate_indicator_obj.get_Description()
candidate_indicator_.malware_entity = MalwareEntity.from_obj(candidate_indicator_obj.get_Malware_Entity())
candidate_indicator_.composition = CandidateIndicatorComposition.from_obj(candidate_indicator_obj.get_Composition())
return candidate_indicator_
def from_obj(action_obj, action_cls = None):
if not action_obj:
return None
if action_cls == None:
action_cls = Action()
action_ = action_cls
action_.id = action_obj.get_id()
action_.idref = action_obj.get_idref()
action_.ordinal_position = action_obj.get_ordinal_position()
action_.action_status = action_obj.get_action_status()
action_.context = action_obj.get_context()
action_.timestamp = action_obj.get_timestamp()
action_.type = VocabString.from_obj(action_obj.get_Type())
action_.name = VocabString.from_obj(action_obj.get_Name())
action_.description = StructuredText.from_obj(action_obj.get_Description())
if action_obj.get_Action_Arguments() is not None: action_.action_arguments = ActionArguments.from_obj(action_obj.get_Action_Arguments())
action_.discovery_method = MeasureSource.from_obj(action_obj.get_Discovery_Method())
if action_obj.get_Associated_Objects() is not None : action_.associated_objects = AssociatedObjects.from_obj(action_obj.get_Associated_Objects())
if action_obj.get_Relationships() is not None : action_.relationships = ActionRelationships.from_obj(action_obj.get_Relationships())
#action_.frequency = Frequency.from_dict(action_dict.get('frequency')) #TODO: add support
if action_obj.get_Action_Aliases() is not None :
action_.action_aliases = action_obj.get_Action_Aliases().get_Action_Alias()
return action_
class Hash(entities.Entity):
_binding = common_binding
_binding_class = common_binding.HashType
_namespace = 'http://cybox.mitre.org/common-2'
type_ = VocabField("Type", HashName)
simple_hash_value = fields.TypedField("Simple_Hash_Value",
HexBinary,
postset_hook=_set_hash_type)
fuzzy_hash_value = fields.TypedField("Fuzzy_Hash_Value", String)
TYPE_MD5 = u("MD5")
TYPE_MD6 = u("MD6")
TYPE_SHA1 = u("SHA1")
TYPE_SHA224 = u("SHA224")
TYPE_SHA256 = u("SHA256")
TYPE_SHA384 = u("SHA384")
TYPE_SHA512 = u("SHA512")
TYPE_SSDEEP = u("SSDEEP")
TYPE_OTHER = VocabString(u("Other"))
def __init__(self, hash_value=None, type_=None, exact=False):
"""Create a new Hash Object
If exact=True, add 'condition="Equals"' to the hash value and type.
"""
super(Hash, self).__init__()
# Set type_ first so that auto-typing will work.
self.type_ = type_
if self.type_ == self.TYPE_SSDEEP:
self.fuzzy_hash_value = hash_value
else:
self.simple_hash_value = hash_value
if exact:
if self.simple_hash_value:
self.simple_hash_value.condition = "Equals"
if self.type_:
self.type_.condition = "Equals"
def __str__(self):
if self.type_ == self.TYPE_SSDEEP:
return str(self.fuzzy_hash_value)
else:
return str(self.simple_hash_value)
def from_obj(toolinfo_obj, toolinfo=None):
if not toolinfo_obj:
return None
if not toolinfo:
toolinfo = ToolInformation()
toolinfo.id_ = toolinfo_obj.id
toolinfo.idref = toolinfo_obj.idref
toolinfo.name = toolinfo_obj.Name
toolinfo.type_ = [VocabString.from_obj(x) for x in toolinfo_obj.Type]
toolinfo.description = StructuredText.from_obj(
toolinfo_obj.Description)
toolinfo.vendor = toolinfo_obj.Vendor
toolinfo.version = toolinfo_obj.Version
toolinfo.service_pack = toolinfo_obj.Service_Pack
toolinfo.tool_hashes = HashList.from_obj(toolinfo_obj.Tool_Hashes)
return toolinfo
def from_obj(extracted_string_obj):
if not extracted_string_obj:
return None
extracted_string_ = ExtractedString()
extracted_string_.encoding = VocabString.from_obj(
extracted_string_obj.get_Encoding())
extracted_string_.string_value = String.from_obj(
extracted_string_obj.get_String_Value())
extracted_string_.byte_string_value = HexBinary.from_obj(
extracted_string_obj.get_Byte_String_Value())
extracted_string_.hashes = HashList.from_obj(
extracted_string_obj.get_Hashes())
extracted_string_.address = HexBinary.from_obj(
extracted_string_obj.get_Address())
extracted_string_.length = PositiveInteger.from_obj(
extracted_string_obj.get_Length())
extracted_string_.language = String.from_obj(
extracted_string_obj.get_Language())
extracted_string_.english_translation = String.from_obj(
extracted_string_obj.get_English_Translation())
return extracted_string_
def from_dict(extracted_string_dict):
if not extracted_string_dict:
return None
extracted_string_ = ExtractedString()
extracted_string_.encoding = VocabString.from_dict(
extracted_string_dict.get('encoding'))
extracted_string_.string_value = String.from_dict(
extracted_string_dict.get('string_value'))
extracted_string_.byte_string_value = HexBinary.from_dict(
extracted_string_dict.get('byte_string_value'))
extracted_string_.hashes = HashList.from_list(
extracted_string_dict.get('hashes'))
extracted_string_.address = HexBinary.from_dict(
extracted_string_dict.get('address'))
extracted_string_.length = PositiveInteger.from_dict(
extracted_string_dict.get('length'))
extracted_string_.language = String.from_dict(
extracted_string_dict.get('language'))
extracted_string_.english_translation = String.from_dict(
extracted_string_dict.get('english_translation'))
return extracted_string_
def from_dict(toolinfo_dict, toolinfo=None):
if not toolinfo_dict:
return None
if not toolinfo:
toolinfo = ToolInformation()
toolinfo.id_ = toolinfo_dict.get('id')
toolinfo.idref = toolinfo_dict.get('idref')
toolinfo.name = toolinfo_dict.get('name')
toolinfo.type_ = [
VocabString.from_dict(x) for x in toolinfo_dict.get('type', [])
]
toolinfo.description = StructuredText.from_dict(
toolinfo_dict.get('description'))
toolinfo.vendor = toolinfo_dict.get('vendor')
toolinfo.version = toolinfo_dict.get('version')
toolinfo.service_pack = toolinfo_dict.get('service_pack')
toolinfo.tool_hashes = HashList.from_list(
toolinfo_dict.get('tool_hashes'))
return toolinfo
class Hash(cybox.Entity):
_binding = common_binding
_binding_class = common_binding.HashType
_namespace = 'http://cybox.mitre.org/common-2'
def _auto_type(self):
"""Attempt to determine the hash type if `type_` is None"""
if self.simple_hash_value and not self.type_:
val = self.simple_hash_value.value
if not val:
# If not provided or an empty string, don't assign the type
self.type_ = None
elif len(val) == 32:
self.type_ = Hash.TYPE_MD5
elif len(val) == 40:
self.type_ = Hash.TYPE_SHA1
elif len(val) == 56:
self.type_ = Hash.TYPE_SHA224
elif len(val) == 64:
self.type_ = Hash.TYPE_SHA256
elif len(val) == 96:
self.type_ = Hash.TYPE_SHA384
elif len(val) == 128:
self.type_ = Hash.TYPE_SHA512
else:
self.type_ = Hash.TYPE_OTHER
type_ = vocabs.VocabField("Type", HashName)
simple_hash_value = cybox.TypedField("Simple_Hash_Value",
HexBinary,
callback_hook=_auto_type)
fuzzy_hash_value = cybox.TypedField("Fuzzy_Hash_Value", String)
TYPE_MD5 = u"MD5"
TYPE_MD6 = u"MD6"
TYPE_SHA1 = u"SHA1"
TYPE_SHA224 = u"SHA224"
TYPE_SHA256 = u"SHA256"
TYPE_SHA384 = u"SHA384"
TYPE_SHA512 = u"SHA512"
TYPE_SSDEEP = u"SSDEEP"
TYPE_OTHER = VocabString(u"Other")
def __init__(self, hash_value=None, type_=None, exact=False):
"""Create a new Hash Object
If exact=True, add 'condition="Equals"' to the hash value and type.
"""
super(Hash, self).__init__()
# Set type_ first so that auto-typing will work.
self.type_ = type_
self.simple_hash_value = hash_value
if exact:
if self.simple_hash_value:
self.simple_hash_value.condition = "Equals"
if self.type_:
self.type_.condition = "Equals"
def __str__(self):
return str(self.simple_hash_value)
def test_plain(self):
a = VocabString("test_value")
self.assertTrue(a.is_plain())
def test_multiple_mixed(self):
mh = MultipleHash()
mh.type_ = [HashNameVocab.TERM_MD5, VocabString("Foobar")]
self.assertEqual(len(mh.type_), 2)
def test_vocab_is_plain_true(self):
from cybox.common.vocabs import VocabString
vocab = VocabString(value="foo")
self.assertTrue(vocab.is_plain())
# Set the Malware_Instance_Object_Attributes on the third Malware Subject ms3.malware_instance_object_attributes = Object() ms3.malware_instance_object_attributes.properties = File() ms3.malware_instance_object_attributes.properties.file_name = "fvcwin32.exe" # Set the Malware_Instance_Object_Attributes on the fourth Malware Subject ms4.malware_instance_object_attributes = Object() ms4.malware_instance_object_attributes.properties = File() ms4.malware_instance_object_attributes.properties.file_name = "acvcwin32.exe" # Add the relationships between the Malware Subjects # Add the ms1 -> ms2 "drops" relationship ms1.relationships = MalwareSubjectRelationshipList() ms1_ms2_rel = MalwareSubjectRelationship() ms1_ms2_rel.type_ = VocabString() ms1_ms2_rel.type_.value = "drops" ms1_ms2_rel.type_.xsi_type = "maecVocabs:MalwareSubjectRelationshipTypeVocab-1.0" ms1_ms2_rel.malware_subject_reference = [MalwareSubjectReference()] ms1_ms2_rel.malware_subject_reference[0].malware_subject_idref = ms2.id_ ms1.relationships.append(ms1_ms2_rel) # Add the ms2 -> ms1 "dropped by" relationship ms2.relationships = MalwareSubjectRelationshipList() ms2_ms1_rel = MalwareSubjectRelationship() ms2_ms1_rel.type_ = VocabString() ms2_ms1_rel.type_.value = "dropped by" ms2_ms1_rel.type_.xsi_type = "maecVocabs:MalwareSubjectRelationshipTypeVocab-1.0" ms2_ms1_rel.malware_subject_reference = [MalwareSubjectReference()] ms2_ms1_rel.malware_subject_reference[0].malware_subject_idref = ms1.id_ ms2.relationships.append(ms2_ms1_rel) # Add the ms2 -> ms3 "downloads" relationship
a.add_tool(t) # Set the requisite attributes on the Bundle and populate it with the Dynamic Analysis findings b.defined_subject = False b.content_type = "dynamic analysis tool output" # Create the first, create file action act1 = MalwareAction() act1.name = "create file" act1.name.xsi_type = "FileActionNameVocab-1.1" act1.associated_objects = AssociatedObjects() o1 = AssociatedObject() o1.properties = WinExecutableFile() o1.properties.file_name = "Zcxaxz.exe" o1.properties.size_in_bytes = "332288" o1.association_type = VocabString() o1.association_type.value = "output" o1.association_type.xsi_type = "maecVocabs:ActionObjectAssociationTypeVocab-1.0" act1.associated_objects.append(o1) # Create the second, create mutex action act2 = MalwareAction() act2.name = "create mutex" act2.name.xsi_type = "SynchronizationActionNameVocab-1.0" act2.associated_objects = AssociatedObjects() o2 = AssociatedObject() o2.properties = WinMutex() o2.properties.name = "redem-Mutex" o2.association_type = VocabString() o2.association_type.value = "output" o2.association_type.xsi_type = "maecVocabs:ActionObjectAssociationTypeVocab-1.0"
# Create the Object for use in the Malware Instance Object Attributes
subject_object = Object()
subject_object.properties = File()
subject_object.properties.name = 'foobar.exe'
subject_object.properties.size_in_bytes = '35532'
subject_object.properties.hashes = HashList()
subject_object.properties.hashes.append(
Hash("8743b52063cd84097a65d1633f5c74f5"))
# Set the Malware Instance Object Attributes with an Object constructed from the dictionary
subject.set_malware_instance_object_attributes(subject_object)
# Create the Associated Object Dictionary for use in the Action
associated_object = AssociatedObject()
associated_object.properties = File()
associated_object.properties.file_name = 'abcd.dll'
associated_object.properties.size_in_bytes = '123456'
associated_object.association_type = VocabString()
associated_object.association_type.value = 'output'
associated_object.association_type.xsi_type = 'maecVocabs:ActionObjectAssociationTypeVocab-1.0'
# Create the Action from another dictionary
action = MalwareAction()
action.name = VocabString()
action.name.value = 'create file'
action.name.xsi_type = 'maecVocabs:FileActionNameVocab-1.0'
action.associated_objects = AssociatedObjects()
action.associated_objects.append(associated_object)
# Add the Action to the Bundle
bundle.add_action(action)
# Create the Capability from another dictionary
capability = Capability()
capability.name = 'persistence'
# Add the Capability to the Bundle
a.type_ = "in-depth" a.set_findings_bundle(b.id_) # Set the requisite attributes on the Bundle and populate it with the In-depth Analysis findings b.defined_subject = False b.content_type = "manual analysis output" # Create the add windows hook action act = MalwareAction() act.name = "add windows hook" act.name.xsi_type = "maecVocabs:HookingActionNameVocab-1.0" act.associated_objects = AssociatedObjects() o1 = AssociatedObject() o1.properties = WinHook() o1.properties.type_ = "WH_KEYBOARD_LL" o1.association_type = VocabString() o1.association_type.value = "output" o1.association_type.xsi_type = "maecVocabs:ActionObjectAssociationTypeVocab-1.0" act.associated_objects.append(o1) # Create the behavior bhv = Behavior() bhv.action_composition = BehavioralActions() bhv.action_composition.action_reference = [BehavioralActionReference()] bhv.action_composition.action_reference[0].action_id = act.id_ # Create the capability cap = Capability() cap.name = "spying" obj = CapabilityObjective() obj.name = VocabString()
