def _create_observables(self, msg): o = Observables(self.__parse_email_message(msg)) t = ToolInformation() t.name = os.path.basename(__file__) t.description = StructuredText("Email to CybOX conversion script") t.vendor = "The MITRE Corporation" t.version = __version__ t_list = ToolInformationList() t_list.append(t) m = MeasureSource() m.tools = t_list o.observable_package_source = m return o
def wrap_maec(maec_package, file_name=None): """Wrap a MAEC Package in a STIX TTP/Package. Return the newly created STIX Package. Args: maec_package: the ``maec.package.package.Package`` instance to wrap in STIX. file_name: the name of the input file from which the MAEC Package originated, to be used in the Title of the STIX TTP that wraps the MAEC Package. Optional. Returns: A ``stix.STIXPackage`` instance with a single TTP that wraps the input MAEC Package. """ # Set the namespace to be used in the STIX Package stix.utils.set_id_namespace( {"https://github.com/MAECProject/maec-to-stix": "MAECtoSTIX"}) # Create the STIX MAEC Instance maec_malware_instance = MAECInstance() maec_malware_instance.maec = maec_package # Create the STIX TTP that includes the MAEC Instance ttp = TTP() ttp.behavior = Behavior() ttp.behavior.add_malware_instance(maec_malware_instance) # Create the STIX Package and add the TTP to it stix_package = STIXPackage() stix_package.add_ttp(ttp) # Create the STIX Header and add it to the Package stix_header = STIXHeader() if file_name: stix_header.title = "STIX TTP wrapper around MAEC file: " + str( file_name) stix_header.add_package_intent("Malware Characterization") # Add the Information Source to the STIX Header tool_info = ToolInformation() stix_header.information_source = InformationSource() tool_info.name = "MAEC to STIX" tool_info.version = str(maec_to_stix.__version__) stix_header.information_source.tools = ToolInformationList(tool_info) stix_package.stix_header = stix_header return stix_package
def wrap_maec(maec_package, file_name=None): """Wrap a MAEC Package in a STIX TTP/Package. Return the newly created STIX Package. Args: maec_package: the ``maec.package.package.Package`` instance to wrap in STIX. file_name: the name of the input file from which the MAEC Package originated, to be used in the Title of the STIX TTP that wraps the MAEC Package. Optional. Returns: A ``stix.STIXPackage`` instance with a single TTP that wraps the input MAEC Package. """ # Set the namespace to be used in the STIX Package stix.utils.set_id_namespace({"https://github.com/MAECProject/maec-to-stix":"MAECtoSTIX"}) # Create the STIX MAEC Instance maec_malware_instance = MAECInstance() maec_malware_instance.maec = maec_package # Create the STIX TTP that includes the MAEC Instance ttp = TTP() ttp.behavior = Behavior() ttp.behavior.add_malware_instance(maec_malware_instance) # Create the STIX Package and add the TTP to it stix_package = STIXPackage() stix_package.add_ttp(ttp) # Create the STIX Header and add it to the Package stix_header = STIXHeader() if file_name: stix_header.title = "STIX TTP wrapper around MAEC file: " + str(file_name) stix_header.add_package_intent("Malware Characterization") # Add the Information Source to the STIX Header tool_info = ToolInformation() stix_header.information_source = InformationSource() tool_info.name = "MAEC to STIX" tool_info.version = str(maec_to_stix.__version__) stix_header.information_source.tools = ToolInformationList(tool_info) stix_package.stix_header = stix_header return stix_package
def execute(self, device_info, data_dir_path, simple_output=False, html_output=False): """ :param device_info: DeviceInfo :param data_dir_path: string """ extracted_data_dir_path = os.path.join(data_dir_path, EXTRACTED_DATA_DIR_NAME) try: os.makedirs(extracted_data_dir_path) except OSError as exception: if exception.errno != errno.EEXIST: raise self.extractor.execute(extracted_data_dir_path, self.param_values) set_id_method(IDGenerator.METHOD_INT if simple_output else IDGenerator.METHOD_UUID) inspected_objects, source_objects = self.inspector.execute(device_info, extracted_data_dir_path) inspected_observables = Observables(inspected_objects) source_observables = Observables(source_objects) tool_info = ToolInformation() tool_info.name = 'Android Inspector' tool_info.version = '1.0' measure_source = MeasureSource() measure_source.tool_type = ToolType.TERM_DIGITAL_FORENSICS measure_source.tools = ToolInformationList([tool_info]) measure_source.time = Time(produced_time=datetime.now().isoformat()) inspected_observables.observable_package_source = measure_source source_observables.observable_package_source = measure_source write_observables_xml_file(inspected_observables, os.path.join(data_dir_path, INSPECTED_DATA_FILE_NAME), simple_output) write_observables_xml_file(source_observables, os.path.join(data_dir_path, SOURCE_DATA_FILE_NAME), simple_output) if html_output: generate_html_files(data_dir_path)
def _create_stix_package(self): """Create and return a STIX Package with the basic information populated. Returns: A ``stix.STIXPackage`` object with a STIX Header that describes the intent of the package in terms of capturing malware artifacts, along with some associated metadata. """ stix_package = STIXPackage() stix_header = STIXHeader() stix_header.add_package_intent("Indicators - Malware Artifacts") if self.file_name: stix_header.title = "STIX Indicators extracted from MAEC file: " + str(self.file_name) # Add the Information Source to the STIX Header tool_info = ToolInformation() stix_header.information_source = InformationSource() tool_info.name = "MAEC to STIX" tool_info.version = str(__version__) stix_header.information_source.tools = ToolInformationList(tool_info) stix_package.stix_header = stix_header return stix_package
def _create_stix_package(self): """Create and return a STIX Package with the basic information populated. Returns: A ``stix.STIXPackage`` object with a STIX Header that describes the intent of the package in terms of capturing malware artifacts, along with some associated metadata. """ stix_package = STIXPackage() stix_header = STIXHeader() stix_header.add_package_intent("Indicators - Malware Artifacts") if self.file_name: stix_header.title = "STIX Indicators extracted from MAEC file: " + str( self.file_name) # Add the Information Source to the STIX Header tool_info = ToolInformation() stix_header.information_source = InformationSource() tool_info.name = "MAEC to STIX" tool_info.version = str(__version__) stix_header.information_source.tools = ToolInformationList(tool_info) stix_package.stix_header = stix_header return stix_package
# Set the Malware_Instance_Object_Attributes on the Malware Subject ms.malware_instance_object_attributes = Object() ms.malware_instance_object_attributes.properties = WinExecutableFile() ms.malware_instance_object_attributes.properties.size_in_bytes = "210564" ms.malware_instance_object_attributes.properties.add_hash( "B6C39FF68346DCC8B67AA060DEFE40C2") ms.malware_instance_object_attributes.properties.add_hash( "D55B0FB96FAD96D203D10850469489FC03E6F2F7") # Populate the Analysis with the metadata relating to the Analysis that was performed a.method = "dynamic" a.type_ = "triage" a.set_findings_bundle(b.id_) t = ToolInformation() t.name = "ThreatExpert" t.vendor = "ThreatExpert" a.add_tool(t) # Set the requisite attributes on the Bundle and populate it with the Dynamic Analysis findings b.defined_subject = False b.content_type = "dynamic analysis tool output" # Create the first, create file action act1 = MalwareAction() act1.name = "create file" act1.name.xsi_type = "FileActionNameVocab-1.1" act1.associated_objects = AssociatedObjects() o1 = AssociatedObject() o1.properties = WinExecutableFile() o1.properties.file_name = "Zcxaxz.exe"
# Set the Malware_Instance_Object_Attributes on the Malware Subject ms.malware_instance_object_attributes = Object() ms.malware_instance_object_attributes.properties = WinExecutableFile() ms.malware_instance_object_attributes.properties.size_in_bytes = "251904" ms.malware_instance_object_attributes.properties.add_hash( "5247001dafe411802b1a40e763d9a221") ms.malware_instance_object_attributes.properties.add_hash( "7ff89166e226845e9fc52cb711eb5b37d004a0e5") # Populate the Analysis with the metadata relating to the Analysis that was performed a.method = "dynamic" a.type_ = "triage" a.set_findings_bundle(b.id_) t = ToolInformation() t.name = "Anubis" t.vendor = "ISECLab" a.add_tool(t) # Set the requisite attributes on the Bundle and populate it with the Dynamic Analysis findings b.defined_subject = False b.content_type = "dynamic analysis tool output" # Create the create file action initiated by the root process act1 = MalwareAction() act1.name = "create file" act1.name.xsi_type = "FileActionNameVocab-1.1" act1.associated_objects = AssociatedObjects() o1 = AssociatedObject() o1.properties = WinExecutableFile() o1.properties.file_name = "Zcxaxz.exe"
b = Bundle() a = Analysis() # Set the Malware_Instance_Object_Attributes on the Malware Subject ms.malware_instance_object_attributes = Object() ms.malware_instance_object_attributes.properties = WinExecutableFile() ms.malware_instance_object_attributes.properties.size_in_bytes = "251904" ms.malware_instance_object_attributes.properties.add_hash("5247001dafe411802b1a40e763d9a221") ms.malware_instance_object_attributes.properties.add_hash("7ff89166e226845e9fc52cb711eb5b37d004a0e5") # Populate the Analysis with the metadata relating to the Analysis that was performed a.method = "dynamic" a.type_ = "triage" a.set_findings_bundle(b.id_) t = ToolInformation() t.name = "Anubis" t.vendor = "ISECLab" a.add_tool(t) # Set the requisite attributes on the Bundle and populate it with the Dynamic Analysis findings b.defined_subject = False b.content_type = "dynamic analysis tool output" # Create the create file action initiated by the root process act1 = MalwareAction() act1.name = "create file" act1.name.xsi_type = "FileActionNameVocab-1.1" act1.associated_objects = AssociatedObjects() o1 = AssociatedObject() o1.properties = WinExecutableFile() o1.properties.file_name = "Zcxaxz.exe"
NS = Namespace("http://example.com/", "example") maec.utils.set_id_namespace(NS) # インスタンス化:Bundle, Package, MalwareSubject, Analysis classes bundle = Bundle(defined_subject=False) package = Package() subject = MalwareSubject() analysis = Analysis() # Populate the Analysis with the metadata relating to the Analysis that was performed analysis.method = "dynamic" analysis.type_ = "triage" analysis.set_findings_bundle(bundle.id_) t = ToolInformation() t.name = "APIMonitor" t.vendor = "APIMonitor" analysis.add_tool(t) # Malware Instance Object Attribures内で使うためのオブジェクトを作成(マルウェアを含んだファイル?) subject_object = Object() #オブジェクト subject_object.properties = File() #ファイルオブジェクト subject_object.properties.file_name = 'seminor.doc' # ファイル名(マルウェアを含んだファイル) subject_object.properties.size_in_bytes = '154173' #ファイルサイズ subject_object.properties.add_hash("54CC941747FA99A3521314B9969D4964") # 辞書から構築されたオブジェクトとマルウェアインスタンスオブジェクト属性を設定 subject.set_malware_instance_object_attributes(subject_object) # Actionで使うための関連オブジェクトのディクショナリーを作成 def associated(name,path,byte,value="output"):
ms.malware_instance_object_attributes = Object() ms.malware_instance_object_attributes.properties = WinExecutableFile() ms.malware_instance_object_attributes.properties.file_name = "dg003_improve_8080_V132.exe" ms.malware_instance_object_attributes.properties.size_in_bytes = "196608" ms.malware_instance_object_attributes.properties.add_hash("4EC0027BEF4D7E1786A04D021FA8A67F") # Populate the Analysis with the metadata relating to the Analysis that was performed a.method = "static" a.type_ = "triage" a.summary = "A basic static triage of the subject binary using PEiD." a.set_findings_bundle(b.id_) a.source = Source() a.source.name = "Frankie Li" a.source.url = "http://www.sans.org/reading_room/whitepapers/malicious/detailed-analysis-advanced-persistent-threat-malware_33814" t = ToolInformation() t.name = "PEiD" t.version = "0.94" a.add_tool(t) # Set the requisite attributes on the Bundle and populate it with the Static Analysis findings b.defined_subject = False b.content_type = "static analysis tool output" o = Object() o.properties = WinExecutableFile() o.properties.headers = PEHeaders() o.properties.headers.optional_header = PEOptionalHeader() o.properties.headers.optional_header.major_linker_version = "06" o.properties.headers.optional_header.minor_linker_version = "00" o.properties.headers.optional_header.address_of_entry_point = "036418" o.properties.headers.optional_header.subsystem = "Windows_GUI"
NS = Namespace("http://example.com/", "example") maec.utils.set_id_namespace(NS) # インスタンス化:Bundle, Package, MalwareSubject, Analysis classes bundle = Bundle(defined_subject=False) package = Package() subject = MalwareSubject() analysis = Analysis() # Populate the Analysis with the metadata relating to the Analysis that was performed analysis.method = "dynamic" analysis.type_ = "triage" analysis.set_findings_bundle(bundle.id_) t = ToolInformation() t.name = "CapLogger" t.vendor = "CapLogger" analysis.add_tool(t) # Malware Instance Object Attribures内で使うためのオブジェクトを作成(マルウェアを含んだファイル?) subject_object = Object() #オブジェクト subject_object.properties = File() #ファイルオブジェクト subject_object.properties.file_name = 'ShinoBOT.exe' # ファイル名(マルウェアを含んだファイル) subject_object.properties.file_extension = "exe" subject_object.properties.size_in_bytes = '154173' #ファイルサイズ subject_object.properties.add_hash("54CC941747FA99A3521314B9969D4964") # 辞書から構築されたオブジェクトとマルウェアインスタンスオブジェクト属性を設定 subject.set_malware_instance_object_attributes(subject_object) # Actionで使うための関連オブジェクトのディクショナリーを作成
ms.malware_instance_object_attributes.properties = WinExecutableFile() ms.malware_instance_object_attributes.properties.file_name = "dg003_improve_8080_V132.exe" ms.malware_instance_object_attributes.properties.size_in_bytes = "196608" ms.malware_instance_object_attributes.properties.add_hash( "4EC0027BEF4D7E1786A04D021FA8A67F") # Populate the Analysis with the metadata relating to the Analysis that was performed a.method = "static" a.type_ = "triage" a.summary = "A basic static triage of the subject binary using PEiD." a.set_findings_bundle(b.id_) a.source = Source() a.source.name = "Frankie Li" a.source.url = "http://www.sans.org/reading_room/whitepapers/malicious/detailed-analysis-advanced-persistent-threat-malware_33814" t = ToolInformation() t.name = "PEiD" t.version = "0.94" a.add_tool(t) # Set the requisite attributes on the Bundle and populate it with the Static Analysis findings b.defined_subject = False b.content_type = "static analysis tool output" o = Object() o.properties = WinExecutableFile() o.properties.headers = PEHeaders() o.properties.headers.optional_header = PEOptionalHeader() o.properties.headers.optional_header.major_linker_version = "06" o.properties.headers.optional_header.minor_linker_version = "00" o.properties.headers.optional_header.address_of_entry_point = "036418" o.properties.headers.optional_header.subsystem = "Windows_GUI"
p = Package() ms = MalwareSubject() a1 = Analysis() a2 = Analysis() # Set the Malware_Instance_Object_Attributes on the Malware Subject ms.malware_instance_object_attributes = Object() ms.malware_instance_object_attributes.properties = WinExecutableFile() ms.malware_instance_object_attributes.properties.size_in_bytes = "210564" ms.malware_instance_object_attributes.properties.add_hash("B6C39FF68346DCC8B67AA060DEFE40C2") # Populate the PeID Analysis with its corresponding metadata a1.method = "static" a1.type_ = "triage" t1 = ToolInformation() t1.name = "PEiD" t1.version = "0.94" a1.add_tool(t1) # Populate the Anubis Analysis with its corresponding metadata a2.method = "dynamic" a2.type_ = "triage" t2 = ToolInformation() t2.name = "Anubis" t2.version = "1.68.0" a2.add_tool(t2) # Build up the full Package/Malware Subject/Analysis hierarchy p.add_malware_subject(ms) ms.add_analysis(a1) ms.add_analysis(a2)