def _create_observables(self, msg):
    """Build the CybOX Observables for *msg* and stamp this script as the measure source.

    The message is parsed by the private ``__parse_email_message`` helper (defined
    elsewhere in this class); the resulting Observables are annotated with a
    ``MeasureSource`` whose single tool entry names this script file, its
    description, vendor and ``__version__``.

    Args:
        msg: the email message handed to ``__parse_email_message``.

    Returns:
        An ``Observables`` instance with ``observable_package_source`` populated.
    """
    observables = Observables(self.__parse_email_message(msg))

    # Provenance record for the conversion tool itself.
    tool = ToolInformation()
    tool.name = os.path.basename(__file__)
    tool.description = StructuredText("Email to CybOX conversion script")
    tool.vendor = "The MITRE Corporation"
    tool.version = __version__

    tool_list = ToolInformationList()
    tool_list.append(tool)

    # Attach the tool list as the package's measure source.
    source = MeasureSource()
    source.tools = tool_list
    observables.observable_package_source = source

    return observables
# Set the Malware_Instance_Object_Attributes on the Malware Subject ms.malware_instance_object_attributes = Object() ms.malware_instance_object_attributes.properties = WinExecutableFile() ms.malware_instance_object_attributes.properties.size_in_bytes = "210564" ms.malware_instance_object_attributes.properties.add_hash( "B6C39FF68346DCC8B67AA060DEFE40C2") ms.malware_instance_object_attributes.properties.add_hash( "D55B0FB96FAD96D203D10850469489FC03E6F2F7") # Populate the Analysis with the metadata relating to the Analysis that was performed a.method = "dynamic" a.type_ = "triage" a.set_findings_bundle(b.id_) t = ToolInformation() t.name = "ThreatExpert" t.vendor = "ThreatExpert" a.add_tool(t) # Set the requisite attributes on the Bundle and populate it with the Dynamic Analysis findings b.defined_subject = False b.content_type = "dynamic analysis tool output" # Create the first, create file action act1 = MalwareAction() act1.name = "create file" act1.name.xsi_type = "FileActionNameVocab-1.1" act1.associated_objects = AssociatedObjects() o1 = AssociatedObject() o1.properties = WinExecutableFile() o1.properties.file_name = "Zcxaxz.exe" o1.properties.size_in_bytes = "332288"
# Set the Malware_Instance_Object_Attributes on the Malware Subject ms.malware_instance_object_attributes = Object() ms.malware_instance_object_attributes.properties = WinExecutableFile() ms.malware_instance_object_attributes.properties.size_in_bytes = "251904" ms.malware_instance_object_attributes.properties.add_hash( "5247001dafe411802b1a40e763d9a221") ms.malware_instance_object_attributes.properties.add_hash( "7ff89166e226845e9fc52cb711eb5b37d004a0e5") # Populate the Analysis with the metadata relating to the Analysis that was performed a.method = "dynamic" a.type_ = "triage" a.set_findings_bundle(b.id_) t = ToolInformation() t.name = "Anubis" t.vendor = "ISECLab" a.add_tool(t) # Set the requisite attributes on the Bundle and populate it with the Dynamic Analysis findings b.defined_subject = False b.content_type = "dynamic analysis tool output" # Create the create file action initiated by the root process act1 = MalwareAction() act1.name = "create file" act1.name.xsi_type = "FileActionNameVocab-1.1" act1.associated_objects = AssociatedObjects() o1 = AssociatedObject() o1.properties = WinExecutableFile() o1.properties.file_name = "Zcxaxz.exe" o1.properties.size_in_bytes = "332288"
a = Analysis() # Set the Malware_Instance_Object_Attributes on the Malware Subject ms.malware_instance_object_attributes = Object() ms.malware_instance_object_attributes.properties = WinExecutableFile() ms.malware_instance_object_attributes.properties.size_in_bytes = "251904" ms.malware_instance_object_attributes.properties.add_hash("5247001dafe411802b1a40e763d9a221") ms.malware_instance_object_attributes.properties.add_hash("7ff89166e226845e9fc52cb711eb5b37d004a0e5") # Populate the Analysis with the metadata relating to the Analysis that was performed a.method = "dynamic" a.type_ = "triage" a.set_findings_bundle(b.id_) t = ToolInformation() t.name = "Anubis" t.vendor = "ISECLab" a.add_tool(t) # Set the requisite attributes on the Bundle and populate it with the Dynamic Analysis findings b.defined_subject = False b.content_type = "dynamic analysis tool output" # Create the create file action initiated by the root process act1 = MalwareAction() act1.name = "create file" act1.name.xsi_type = "FileActionNameVocab-1.1" act1.associated_objects = AssociatedObjects() o1 = AssociatedObject() o1.properties = WinExecutableFile() o1.properties.file_name = "Zcxaxz.exe" o1.properties.size_in_bytes = "332288"
maec.utils.set_id_namespace(NS) # インスタンス化:Bundle, Package, MalwareSubject, Analysis classes bundle = Bundle(defined_subject=False) package = Package() subject = MalwareSubject() analysis = Analysis() # Populate the Analysis with the metadata relating to the Analysis that was performed analysis.method = "dynamic" analysis.type_ = "triage" analysis.set_findings_bundle(bundle.id_) t = ToolInformation() t.name = "APIMonitor" t.vendor = "APIMonitor" analysis.add_tool(t) # Malware Instance Object Attribures内で使うためのオブジェクトを作成(マルウェアを含んだファイル?) subject_object = Object() #オブジェクト subject_object.properties = File() #ファイルオブジェクト subject_object.properties.file_name = 'seminor.doc' # ファイル名(マルウェアを含んだファイル) subject_object.properties.size_in_bytes = '154173' #ファイルサイズ subject_object.properties.add_hash("54CC941747FA99A3521314B9969D4964") # 辞書から構築されたオブジェクトとマルウェアインスタンスオブジェクト属性を設定 subject.set_malware_instance_object_attributes(subject_object) # Actionで使うための関連オブジェクトのディクショナリーを作成 def associated(name,path,byte,value="output"): associated_object = AssociatedObject()
# NS is defined earlier in the script (not shown). NOTE(review): called before
# any MAEC object is created, presumably so that the generated IDs (e.g.
# bundle.id_ below) are minted under NS -- confirm in maec.utils.
maec.utils.set_id_namespace(NS)
# Instantiate the Bundle, Package, MalwareSubject and Analysis classes
bundle = Bundle(defined_subject=False)
package = Package()
subject = MalwareSubject()
analysis = Analysis()
# Populate the Analysis with the metadata relating to the Analysis that was performed
analysis.method = "dynamic"
analysis.type_ = "triage"
# Links the Analysis to the Bundle by ID; the Bundle carries the findings.
analysis.set_findings_bundle(bundle.id_)
t = ToolInformation()
t.name = "CapLogger"
t.vendor = "CapLogger"
analysis.add_tool(t)
# Create the object used inside Malware_Instance_Object_Attributes (the file that contains the malware?)
subject_object = Object()  # object
subject_object.properties = File()  # file object
subject_object.properties.file_name = 'ShinoBOT.exe'  # file name (the file that contains the malware)
subject_object.properties.file_extension = "exe"
subject_object.properties.size_in_bytes = '154173'  # file size
# Single 32-hex-digit digest (MD5 length); add_hash() appears to infer the
# hash type from the string alone -- confirm against the cybox API.
subject_object.properties.add_hash("54CC941747FA99A3521314B9969D4964")
# Set the object built above as the subject's malware instance object attributes
# (the original comment says "built from a dictionary"; no dictionary is used in the code shown)
subject.set_malware_instance_object_attributes(subject_object)
# Create a dictionary of associated objects for use in Actions
# NOTE(review): the body of associated() continues past the end of this listing.
def associated(name,path,byte,value="output"):