def from_dict(malware_subject_dict):
if not malware_subject_dict:
return None
malware_subject_ = MalwareSubject(None)
malware_subject_.id = malware_subject_dict.get('id')
malware_subject_.malware_instance_object_attributes = Object.from_dict(malware_subject_dict.get('malware_instance_object_attributes'))
malware_subject_.minor_variants = MinorVariants.from_list(malware_subject_dict.get('minor_variants'))
malware_subject_.field_data = None #TODO: add support
malware_subject_.analyses = Analyses.from_list(malware_subject_dict.get('analyses'))
malware_subject_.findings_bundles = FindingsBundleList.from_dict(malware_subject_dict.get('findings_bundles'))
malware_subject_.relationships = MalwareSubjectRelationshipList.from_list(malware_subject_dict.get('id'))
return malware_subject_
def from_obj(malware_subject_obj):
if not malware_subject_obj:
return None
malware_subject_ = MalwareSubject(None)
malware_subject_.id = malware_subject_obj.get_id()
malware_subject_.malware_instance_object_attributes = Object.from_obj(malware_subject_obj.get_Malware_Instance_Object_Attributes())
malware_subject_.minor_variants = MinorVariants.from_obj(malware_subject_obj.get_Minor_Variants())
malware_subject_.field_data = None #TODO: add support
malware_subject_.analyses = Analyses.from_obj(malware_subject_obj.get_Analyses())
malware_subject_.findings_bundles = FindingsBundleList.from_obj(malware_subject_obj.get_Findings_Bundles())
malware_subject_.relationships = MalwareSubjectRelationshipList.from_obj(malware_subject_obj.get_Relationships())
return malware_subject_
def from_dict(bundle_dict):
if not bundle_dict:
return None
bundle_ = Bundle(None, None)
bundle_.id = bundle_dict.get('id')
bundle_.schema_version = bundle_dict.get('schema_version')
bundle_.defined_subject = bundle_dict.get('defined_subject')
bundle_.content_type = bundle_dict.get('content_type')
bundle_.timestamp = datetime.datetime.strptime(bundle_dict.get('timestamp'), "%Y-%m-%dT%H:%M:%S.%f")
bundle_.malware_instance_object_attributes = Object.from_dict(bundle_dict.get('malware_instance_object_attributes'))
bundle_.av_classifications = AVClassifications.from_list(bundle_dict.get('av_classifications'))
bundle_.process_tree = ProcessTree.from_dict(bundle_dict.get('process_tree'))
bundle_.behaviors = BehaviorList.from_list(bundle_dict.get('behaviors'))
bundle_.actions = ActionList.from_list(bundle_dict.get('actions'))
bundle_.candidate_indicators = CandidateIndicatorList.from_list(bundle_dict.get('candidate_indicators'))
bundle_.collections = Collections.from_dict(bundle_dict.get('collections'))
return bundle_
def from_obj(bundle_obj):
if not bundle_obj:
return None
bundle_ = Bundle(None, None)
bundle_.id = bundle_obj.get_id()
bundle_.schema_version = bundle_obj.get_schema_version()
bundle_.defined_subject = bundle_obj.get_defined_subject()
bundle_.content_type = bundle_obj.get_content_type()
bundle_.timestamp = bundle_obj.get_timestamp()
bundle_.malware_instance_object_attributes = Object.from_obj(bundle_obj.get_Malware_Instance_Object_Attributes())
if bundle_obj.get_AV_Classifications() is not None: bundle_.av_classifications = AVClassifications.from_obj(bundle_obj.get_AV_Classifications())
bundle_.process_tree = ProcessTree.from_obj(bundle_obj.get_Process_Tree())
if bundle_obj.get_Behaviors() is not None : bundle_.behaviors = BehaviorList.from_obj(bundle_obj.get_Behaviors())
if bundle_obj.get_Actions() is not None : bundle_.actions = ActionList.from_obj(bundle_obj.get_Actions())
if bundle_obj.get_Candidate_Indicators() is not None : bundle_.candidate_indicators = CandidateIndicatorList.from_obj(bundle_obj.get_Candidate_Indicators())
bundle_.collections = Collections.from_obj(bundle_obj.get_Collections())
return bundle_
from maec.package.analysis import Analysis
from maec.package.malware_subject import MalwareSubject
from maec.package.package import Package
from maec.id_generator import Generator
from maec.utils import MAECNamespaceParser
from cybox.core.object import Object
from cybox.core.associated_object import AssociatedObject
#Instantiate the ID generator class (for automatic ID generation) with our example namespace
generator = Generator('example1')
#Instantiate the Bundle, Package, MalwareSubject, and Analysis classes
bundle = Bundle(id=generator.generate_bundle_id(), defined_subject=False)
package = Package(id=generator.generate_package_id())
subject = MalwareSubject(id=generator.generate_malware_subject_id())
analysis = Analysis(id=generator.generate_analysis_id())
#Create the Subject Object Dictionary for use in the Malware Instance Object Attributes
subject_object_dict = {'id' : generator.generate_object_id(), 'properties' : {'xsi:type' : 'FileObjectType', 'name' : 'foobar.exe', 'size_in_bytes' : '35532'}}
#Set the Malware Instance Object Attributes with an Object constructed from the dictionary
subject.set_malware_instance_object_attributes(Object.from_dict(subject_object_dict))
#Create the Associated Object Dictionary for use in the Action
associated_object_dict = {'id' : generator.generate_object_id(), 'properties' : {'xsi:type' : 'FileObjectType', 'file_name' : 'abcd.dll', 'size_in_bytes' : '12346'}, 'association_type' : {'value' : 'output', 'xsi:type' : 'maecVocabs:ActionObjectAssociationTypeVocab-1.0'}}
#Create the Action from another dictionary
action = MalwareAction.from_dict({'id' : generator.generate_malware_action_id(), 'name' : {'value' : 'create file', 'xsi:type' : 'maecVocabs:FileActionNameVocab-1.0'}, 'associated_objects' : [associated_object_dict]})
#Add the Action to the buundle
bundle.add_action(action)
#Add the Bundle to the Malware Subject
subject.add_findings_bundle(bundle)
#Add the Malware Subject to the Package
package.add_malware_subject(subject)
#Export the Package Bindings Object to an XML file and use the namespaceparser for writing out the namespace definitions
package.to_xml_file('example1.xml')
def create_object(self, ce1sus_object, event_permissions, user):
definition_name = ce1sus_object.definition.name
obj = Object()
identifier = 'ce1sus:Object-{0}'.format(ce1sus_object.uuid)
obj.id_ = identifier
# try to find automatic the object container
try:
clazz = get_class(
'cybox.objects.{0}_object'.format(definition_name.lower()),
definition_name)
instance = clazz()
if definition_name == 'Disk':
# TODO: check why this must be set stix bug?
setattr(instance, 'type_', None)
except ImportError:
if definition_name == 'WinEventLog':
instance = WinEventLog()
# TODO: check why this must be set stix bug?
setattr(instance, 'type_', None)
elif definition_name == 'UserAccount':
instance = UserAccount()
elif definition_name == 'WinService':
instance = WinService()
elif definition_name == 'WindowsRegistryKey':
instance = WinRegistryKey()
elif definition_name == 'NetworkConnection':
instance = NetworkConnection()
elif definition_name == 'WinVolume':
instance = WinVolume()
# TODO: check why this must be set stix bug?
setattr(instance, 'drive_type', None)
elif definition_name == 'WinKernelHook':
instance = WinKernelHook()
elif definition_name == 'WinDriver':
instance = WinDriver()
elif definition_name == 'DomainName':
instance = DomainName()
# TODO: try to map it manually
elif definition_name == 'email':
instance = EmailMessage()
else:
raise Ce1susStixMapperException(
'Required to map manually {0}'.format(definition_name))
obj.properties = instance
attributes = ce1sus_object.get_attributes_for_permissions(
event_permissions, user)
for attribute in attributes:
self.map_attribtue(instance, attribute)
rel_objects = ce1sus_object.get_related_objects_for_permissions(
event_permissions, user)
for rel_object in rel_objects:
ob = self.create_object(rel_object.object, event_permissions, user)
if ob:
rel_obj = self.create_related_object(rel_object,
event_permissions, user)
# cybox_rel_object = RelatedObject(properties=ob.properties, relationship=rel_object.relation)
obj.related_objects.append(rel_obj)
return obj
def from_dict(statefulmeasure_dict):
sm = StatefulMeasure()
sm.object_ = Object.from_dict(statefulmeasure_dict.get('object'))
return sm
def from_obj(statefulmeasure_obj):
sm = StatefulMeasure()
sm.object_ = Object.from_obj(statefulmeasure_obj.get_Object())
return sm
def from_dict(object_dict):
if not object_dict:
return None
obj = Object.from_dict(object_dict, AssociatedObject())
obj.association_type_ = VocabString.from_dict(object_dict.get('association_type', None))
return obj
def from_obj(object_obj):
if not object_obj:
return None
obj = Object.from_obj(object_obj, AssociatedObject())
obj.association_type_ = VocabString.from_obj(object_obj.get_Association_Type())
return obj
def vt_report_to_maec_package(vt_report_input, options = None):
"""Accept a VirusTotal report (as a Python structure) and return a corresponding MAEC Package API object."""
NS = Namespace("https://github.com/MAECProject/vt-to-maec", "VirusTotalToMAEC")
maec.utils.set_id_namespace(NS)
package = Package()
# if only one result, make it a list of one result
if type(vt_report_input) != list:
vt_report_list = [vt_report_input]
else:
vt_report_list = vt_report_input
for idx, vt_report in enumerate(vt_report_list):
# if VirusTotal has never seen this MD5
if vt_report["response_code"] == 0:
sys.stderr.write("WARNING: Skipping file #" + str(idx+1) + " (" + vt_report["resource"] + "); this MD5 is unknown to VirusTotal\n")
sys.stderr.flush();
continue
if vt_report["response_code"] == -1:
sys.stderr.write("WARNING: VirusTotal had an unexpected error on file #" + str(idx+1) + " (" + vt_report["resource"] + "): " +
vt_report.get("verbose_message", "no message provided") + "\n")
sys.stderr.flush();
continue
malware_subject = MalwareSubject()
# create the file object and add hashes
file_dict = {}
file_dict['xsi:type'] = 'WindowsExecutableFileObjectType'
file_dict['hashes'] = [
{'type' : 'MD5', 'simple_hash_value': vt_report["md5"] },
{'type' : 'SHA1', 'simple_hash_value': vt_report["sha1"] },
{'type' : 'SHA256', 'simple_hash_value': vt_report["sha256"] }
]
# set the object as the defined object
object_dict = {}
object_dict['id'] = maec.utils.idgen.create_id(prefix="object")
object_dict['properties'] = file_dict
# bind the object to the malware subject object
malware_subject.set_malware_instance_object_attributes(Object.from_dict(object_dict))
# create the analysis and add it to the subject
analysis = Analysis()
analysis.type_ = 'triage'
analysis.method = 'static'
analysis.complete_datetime = vt_report["scan_date"].replace(" ", "T")
analysis.add_tool(ToolInformation.from_dict({'id' : maec.utils.idgen.create_id(prefix="tool"),
'vendor' : 'VirusTotal',
'name' : 'VirusTotal' }))
malware_subject.add_analysis(analysis)
bundle_obj = Bundle()
for vendor, scan in vt_report["scans"].items():
if scan["result"] is not None:
bundle_obj.add_av_classification(AVClassification.from_dict({ 'classification_name' : scan["result"], 'vendor' : vendor }))
# add bundle to subject, bundle to analysis, and subject to package
malware_subject.add_findings_bundle(bundle_obj)
analysis.set_findings_bundle(bundle_obj.id_)
package.add_malware_subject(malware_subject)
package.__input_namespaces__["https://github.com/MAECProject/vt-to-maec"] = "VirusTotalToMAEC"
if options:
if options.normalize_bundles:
malware_subject.normalize_bundles()
if options.deduplicate_bundles:
malware_subject.deduplicate_bundles()
if options.dereference_bundles:
malware_subject.dereference_bundles()
return package
def object_from_dict(cls, associated_object_dict):
"""Create the Associated Object Python object representation from an input dictionary"""
associated_obj = Object.object_from_dict(associated_object_dict,core_binding.AssociatedObjectType())
for key, value in associated_object_dict.items():
if key == 'association_type' and utils.test_value(value): associated_obj.set_association_type(value)
return associated_obj
def dict_from_object(cls, associated_obj):
"""Parse and return a dictionary for an Associated Object"""
associated_object_dict = Object.dict_from_object(associated_obj)
if associated_obj.get_association_type() is not None: associated_object_dict['association_type'] = associated_obj.get_association_type()
return associated_object_dict
