 def create_maec(self, url_indicator):
     """Wrap one URL indicator in a MAEC Package.

     Args:
         url_indicator: the URL string recorded as the Malware Subject's
             instance object (a CybOX URI of type URL).

     Returns:
         A Package containing a single MalwareSubject whose
         malware_instance_object_attributes describe that URL.
     """
     maec_package = Package()
     subject = MalwareSubject()
     # Construction order kept as in the original: Package, subject, Object.
     instance_object = Object()
     uri = URI(type_=URI.TYPE_URL)
     # NOTE(review): the indicator is stored verbatim; nothing here checks
     # that it is a well-formed URL, so validate upstream if the value can
     # come from untrusted input.
     uri.value = url_indicator
     instance_object.properties = uri
     subject.malware_instance_object_attributes = instance_object
     maec_package.add_malware_subject(subject)
     return maec_package
 def create_maec(self, url_indicator):
     """Build a MAEC Package whose single Malware Subject is a URL.

     Args:
         url_indicator: the URL string to record as the subject's
             instance object (a CybOX URI of type URL).

     Returns:
         A Package holding exactly one MalwareSubject.
     """
     maec_package = Package()
     subject = MalwareSubject()
     # Construction order kept as in the original: Package, subject, Object.
     observable = Object()
     observable.properties = URI(type_=URI.TYPE_URL)
     # NOTE(review): the indicator is stored as given; there is no check
     # that it is a well-formed URL, so validate at the caller when the
     # value originates from untrusted input.
     observable.properties.value = url_indicator
     subject.malware_instance_object_attributes = observable
     maec_package.add_malware_subject(subject)
     return maec_package
def merge_malware_subjects(malware_subject_list):
    '''Merge a list of input Malware Subjects.

    Subjects are grouped by hash via bin_malware_subjects(); every group
    with two or more members is collapsed into one new MalwareSubject, and
    the IDs of the absorbed subjects are mapped to the merged one so that
    relationships can be rewritten afterwards.

    Args:
        malware_subject_list: the MalwareSubjects to merge.

    Returns:
        A list of the merged subjects followed by the subjects that were
        not part of any merge, with relationships updated for the merges.
    '''
    id_mappings = {}
    merged_subjects = []
    # NOTE(review): merging is keyed on the hash binning done by
    # bin_malware_subjects(). If that key is a single weak digest (e.g. MD5),
    # colliding samples would be folded into one subject -- confirm which
    # hash(es) the binning uses before trusting merged output.
    for group in bin_malware_subjects(malware_subject_list).values():
        # A bin with a single subject has nothing to merge.
        if len(group) <= 1:
            continue
        merged = MalwareSubject()
        # Record old-ID -> merged-ID mappings before merging the group.
        create_mappings(id_mappings, group, merged)
        merge_binned_malware_subjects(merged, group, id_mappings)
        merged_subjects.append(merged)
    # Subjects whose ID was never mapped were not absorbed; keep them as-is.
    untouched = [s for s in malware_subject_list if s.id_ not in id_mappings]
    output_subjects = merged_subjects + untouched
    # Point relationships at the merged subjects instead of the absorbed ones.
    update_relationships(output_subjects, id_mappings)
    return output_subjects
from cybox.core import AssociatedObjects, AssociatedObject, Object, AssociationType
from cybox.common import Hash, HashList, VocabString
from cybox.objects.file_object import File
from maec.bundle import Bundle, Collections, MalwareAction, Capability
from maec.package import Analysis, MalwareSubject, Package
from cybox.utils import Namespace
import maec.utils

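# Instantiate the ID generator class (for automatic ID generation) with our example namespace
NS = Namespace("http://example.com/", "example")
maec.utils.set_id_namespace(NS)
# Instantiate the Bundle, Package, MalwareSubject, and Analysis classes.
# NOTE(review): keep this construction order -- with automatic ID generation
# configured above, reordering the constructors presumably changes the IDs
# that end up in the exported document.
bundle = Bundle(defined_subject=False)
package = Package()
subject = MalwareSubject()
analysis = Analysis()
# Create the Object for use in the Malware Instance Object Attributes
subject_object = Object()
subject_object.properties = File()
# Use `file_name`, the File field the Associated Object below also sets;
# the original set `name`, which no other File in this example uses and
# which looked like a typo that would silently drop the file name.
subject_object.properties.file_name = 'foobar.exe'
subject_object.properties.size_in_bytes = '35532'
subject_object.properties.hashes = HashList()
# NOTE(review): this digest is 32 hex digits (MD5-sized). MD5 is collision-prone,
# so consumers should not treat it as a unique sample identity; record a
# SHA-256 alongside it where one is available.
subject_object.properties.hashes.append(Hash("8743b52063cd84097a65d1633f5c74f5"))
# Set the Malware Instance Object Attributes with the Object built above
subject.set_malware_instance_object_attributes(subject_object)
# Create the Associated Object for use in the Action
associated_object = AssociatedObject()
associated_object.properties = File()
associated_object.properties.file_name = 'abcd.dll'
associated_object.properties.size_in_bytes = '123456'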
# Generates and exports MAEC Package with:
# - A single Malware Subject
# - A single Bundle embedded in the Malware Subject
# - A single Action embedded in the Bundle
# - A single Capability embedded in the Bundle

from cybox.core import AssociatedObjects, AssociatedObject, Object, AssociationType
from cybox.common import Hash, HashList, VocabString
from cybox.objects.file_object import File
from maec.bundle import Bundle, MalwareAction, Capability
from maec.package import Analysis, MalwareSubject, Package

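# Instantiate the Bundle, Package, MalwareSubject, and Analysis classes.
# NOTE(review): keep this construction order -- if automatic ID generation is
# active, reordering the constructors presumably changes the emitted IDs.
bundle = Bundle(defined_subject=False)
package = Package()
subject = MalwareSubject()
analysis = Analysis()
# Create the Object for use in the Malware Instance Object Attributes
subject_object = Object()
subject_object.properties = File()
# Use `file_name`, the File field the Associated Object below also sets;
# the original set `name`, which no other File in this example uses and
# which looked like a typo that would silently drop the file name.
subject_object.properties.file_name = 'foobar.exe'
subject_object.properties.size_in_bytes = '35532'
subject_object.properties.hashes = HashList()
# NOTE(review): this digest is 32 hex digits (MD5-sized). MD5 is collision-prone,
# so consumers should not treat it as a unique sample identity; record a
# SHA-256 alongside it where one is available.
subject_object.properties.hashes.append(
    Hash("8743b52063cd84097a65d1633f5c74f5"))
# Set the Malware Instance Object Attributes with the Object built above
subject.set_malware_instance_object_attributes(subject_object)
# Create the Associated Object for use in the Action
associated_object = AssociatedObject()
associated_object.properties = File()
associated_object.properties.file_name = 'abcd.dll'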