a.type_ = "triage" a.set_findings_bundle(b.id_) t = ToolInformation() t.name = "ThreatExpert" t.vendor = "ThreatExpert" a.add_tool(t) # Set the requisite attributes on the Bundle and populate it with the Dynamic Analysis findings b.defined_subject = False b.content_type = "dynamic analysis tool output" # Create the first, create file action act1 = MalwareAction() act1.name = "create file" act1.name.xsi_type = "FileActionNameVocab-1.1" act1.associated_objects = AssociatedObjects() o1 = AssociatedObject() o1.properties = WinExecutableFile() o1.properties.file_name = "Zcxaxz.exe" o1.properties.size_in_bytes = "332288" o1.association_type = VocabString() o1.association_type.value = "output" o1.association_type.xsi_type = "maecVocabs:ActionObjectAssociationTypeVocab-1.0" act1.associated_objects.append(o1) # Create the second, create mutex action act2 = MalwareAction() act2.name = "create mutex" act2.name.xsi_type = "SynchronizationActionNameVocab-1.0" act2.associated_objects = AssociatedObjects() o2 = AssociatedObject()
"B6C39FF68346DCC8B67AA060DEFE40C2") # Populate the Analysis with the metadata relating to the Analysis that was performed a.method = "static" a.type_ = "in-depth" a.set_findings_bundle(b.id_) # Set the requisite attributes on the Bundle and populate it with the In-depth Analysis findings b.defined_subject = False b.content_type = "manual analysis output" # Create the add windows hook action act = MalwareAction() act.name = "add windows hook" act.name.xsi_type = "maecVocabs:HookingActionNameVocab-1.0" act.associated_objects = AssociatedObjects() o1 = AssociatedObject() o1.properties = WinHook() o1.properties.type_ = "WH_KEYBOARD_LL" o1.association_type = VocabString() o1.association_type.value = "output" o1.association_type.xsi_type = "maecVocabs:ActionObjectAssociationTypeVocab-1.0" act.associated_objects.append(o1) # Create the behavior bhv = Behavior() bhv.action_composition = BehavioralActions() bhv.action_composition.action_reference = [BehavioralActionReference()] bhv.action_composition.action_reference[0].action_id = act.id_ # Create the capability
def add_associated_objects(self,associated_object):
if not isinstance(self.associated_objects,AssociatedObjects):
self.associated_objects = AssociatedObjects()
self.associated_objects.append(associated_object)
class CyboxAction(Action):
def __init__(self, id=None, idref=None, namespace=None,name=None,action_status=None,context=None,description=None,discovery_method=None,frequency=None,action_aliases=None,
action_arguments=None,ordinal_position=None,timestamp=None,type=None,associated_objects=None,relationships=None
):
super(CyboxAction, self).__init__()
set_id_method(IDGenerator.METHOD_UUID)
if id is None and idref is None:
if namespace is not None:
set_id_namespace(namespace)
self.id_ = create_id(prefix='action')
self.action_arguments = action_arguments
self.action_aliases = action_aliases
self.discovery_method = discovery_method
self.name = name
self.action_status = action_status
self.associated_objects = associated_objects
self.type_ = type
self.timestamp = timestamp
self.relationships =relationships
self.ordinal_position = ordinal_position
self.frequency= frequency
self.description = description
self.context = context
def add_relationships(self,action_relationship):
if not isinstance(self.relationships,ActionRelationships):
self.relationships = ActionRelationships()
self.relationships.append(action_relationship)
def create_action_relationship(self,type=None,action_references=None):
actionrelationship = ActionRelationship()
actionrelationship.type =type
if action_references is not None:
for actionref in action_references:
actionrelationship.action_references.append(actionref)
return actionrelationship
def create_action_reference(self,action_id=None):
return ActionReference(action_id=action_id)
def add_associated_objects(self,associated_object):
if not isinstance(self.associated_objects,AssociatedObjects):
self.associated_objects = AssociatedObjects()
self.associated_objects.append(associated_object)
def create_associated_object(self,defined_object=None,association_type=None,type=None):
return AssociatedObject(defined_object=defined_object,association_type=association_type)
def add_type(self,type):
self.type_ = type
def add_timestamp(self,timestamp):
self.timestamp=timestamp
def add_ordinal_position(self,ordinal_position):
self.ordinal_position=ordinal_position
def add_frequnecy(self,rate=None,scale=None,trend=None,units=None):
self.frequency= Frequency()
self.frequency.rate =rate
self.frequency.scale=scale
self.frequency.trend=trend
self.frequency.units=units
def add_description(self,description):
self.description =description
def add_context(self,context):
self.context =context
def add_action_status(self,action_status):
self.action_status =action_status
def add_action_name(self,name):
self.name=name
def add_action_argument(self, action_argument):
if not isinstance(self.action_arguments,ActionArguments):
self.action_arguments = ActionArguments()
self.action_arguments.append(action_argument)
def create_action_argument(self, name, value):
'''
Is optional and enables the specification of a single relevant argument/parameter for this Action.
Name must be taken from cybox.vocabs.ActionArgumentNameEnum
'''
action_argument = ActionArgument()
action_argument.argument_name = name
action_argument.argument_value = value
return action_argument
def add_action_alias(self,action_alias):
'''
Adds action_alias names, enabling identification of other potentially used names for this Action.
'''
if not isinstance(self.action_aliases,ActionAliases):
self.action_aliases = ActionAliases()
self.action_aliases.append(action_alias)
def add_location(self):
'''
future implementation
:return:
'''
pass
def add_discovery_method(self,discovery_method):
self.discovery_method = discovery_method
# Set the Malware Instance Object Attributes with an Object constructed from the dictionary
subject.set_malware_instance_object_attributes(subject_object)
# Create the Associated Object Dictionary for use in the Action
associated_object = AssociatedObject()
associated_object.properties = File()
associated_object.properties.file_name = 'abcd.dll'
associated_object.properties.size_in_bytes = '123456'
associated_object.association_type = VocabString()
associated_object.association_type.value = 'output'
associated_object.association_type.xsi_type = 'maecVocabs:ActionObjectAssociationTypeVocab-1.0'
# Create the Action from another dictionary
action = MalwareAction()
action.name = VocabString()
action.name.value = 'create file'
action.name.xsi_type = 'maecVocabs:FileActionNameVocab-1.0'
action.associated_objects = AssociatedObjects()
action.associated_objects.append(associated_object)
# Add the Action to the Bundle
bundle.add_action(action)
# Create the Capability from another dictionary
capability = Capability()
capability.name = 'persistence'
# Add the Capability to the Bundle
bundle.add_capability(capability)
# Add the Bundle to the Malware Subject
subject.add_findings_bundle(bundle)
subject.findings_bundles.bundle = [bundle]
# Add the Malware Subject to the Package
package.add_malware_subject(subject)
# Export the Package Bindings Object to an XML file and use the namespaceparser for writing out the namespace definitions
package.to_xml_file('sample_maec_package.xml')
