def process_interactions(processes):
    """Start of a MalwareAction for a process interaction record.

    NOTE(review): this listing looks truncated -- the function assigns a
    WinProcess to ``ao.properties`` and then ends without attaching ``ao`` to
    ``a`` or returning anything, so as shown it returns None.  The action
    name "Create Mutex" also does not match the WinProcess object; presumably
    a copy-paste leftover from mutex_create -- confirm against the full
    source.  The ``processes`` argument is never read in the visible lines.
    """
    a = MalwareAction()
    ao = AssociatedObject()
    a.name = "Create Mutex"
    a.type_ = "Create"
    
    ao.properties = WinProcess()
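def dns_queries(dnsqueries):
    """Build a "Query DNS" MalwareAction from one sandbox DNS-query record.

    Args:
        dnsqueries: dict with a ``"hostname"`` key (the queried name) and an
            optional ``"results"`` list of resolved address strings.  The
            values come straight from sandbox output, i.e. from traffic the
            sample generated, so the optional key is tolerated rather than
            assumed.

    Returns:
        A MalwareAction whose single AssociatedObject carries a DNSQuery with
        the question and, when results were given, the answer records.

    Raises:
        KeyError: if ``"hostname"`` is missing.
    """
    a = MalwareAction()
    ao = AssociatedObject()
    a.name = "Query DNS"
    a.type_ = "Query"

    # The queried hostname becomes the DNS question.
    quri = URI()
    quri.value = dnsqueries["hostname"]
    dns_question = DNSQuestion()
    dns_question.qname = quri
    ao.properties = DNSQuery()
    ao.properties.question = dns_question

    # Resolved addresses become answer records.  ``in`` instead of the
    # Python-2-only ``has_key`` so the helper also runs on Python 3.
    if "results" in dnsqueries:
        records = []
        for result in dnsqueries["results"]:
            dnsrecord = DNSRecord()
            dnsrecord.domain_name = quri.value
            address = Address()
            # The original had a bare ``address.CAT_IPV4`` expression, which
            # is a no-op; the category has to be assigned explicitly.
            address.category = Address.CAT_IPV4
            address.address_value = result
            dnsrecord.ip_address = address
            records.append(dnsrecord)
        ao.properties.answer_resource_records = DNSResourceRecords(records)

    a.associated_objects = AssociatedObjects()
    a.associated_objects.append(ao)
    return a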
def associated(name,path,byte,value="output"):
    """Build an AssociatedObject describing a File involved in an action.

    Args:
        name: file name.
        path: file path.
        byte: size in bytes, passed through unchanged.
        value: association-type vocabulary value (default ``"output"``).

    Returns:
        An AssociatedObject whose properties are a File and whose
        association_type is a VocabString from the MAEC
        ActionObjectAssociationType vocabulary.
    """
    result = AssociatedObject()

    file_props = File()
    file_props.file_name = name
    file_props.file_path = path
    file_props.size_in_bytes = byte
    result.properties = file_props

    # The original comment (in Japanese) asked "what is this?": it is the
    # MAEC vocabulary stating how the object relates to the action, e.g.
    # whether it was an input to or an output of it.
    assoc_type = VocabString()
    assoc_type.value = value
    assoc_type.xsi_type = 'maecVocabs:ActionObjectAssociationTypeVocab-1.0'
    result.association_type = assoc_type

    return result
def mutex_create(mutex):
    """Build a "Create Mutex" MalwareAction from a sandbox mutex record.

    Args:
        mutex: dict with a ``"mutex_name"`` key.

    Returns:
        A MalwareAction holding one AssociatedObject whose properties are a
        WinMutex named ``mutex["mutex_name"]``.

    Raises:
        KeyError: if ``"mutex_name"`` is absent.
    """
    action = MalwareAction()
    obj = AssociatedObject()
    action.name, action.type_ = "Create Mutex", "Create"

    win_mutex = WinMutex()
    win_mutex.name = mutex["mutex_name"]
    obj.properties = win_mutex

    container = AssociatedObjects()
    container.append(obj)
    action.associated_objects = container
    return action
def mutex_opens(mutex):
    """Build an "Open Mutex" MalwareAction from a sandbox mutex record.

    Args:
        mutex: dict with a ``"mutex_name"`` key.

    Returns:
        A MalwareAction holding one AssociatedObject whose properties are a
        WinMutex named ``mutex["mutex_name"]``.

    Raises:
        KeyError: if ``"mutex_name"`` is absent.
    """
    action = MalwareAction()
    obj = AssociatedObject()
    action.name, action.type_ = "Open Mutex", "Open"

    win_mutex = WinMutex()
    win_mutex.name = mutex["mutex_name"]
    obj.properties = win_mutex

    container = AssociatedObjects()
    container.append(obj)
    action.associated_objects = container
    return action
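def modified_libraries(filenames):
    """Build a "Load Library" MalwareAction (type "Modify") for one library record.

    Args:
        filenames: dict with a ``"filename"`` key holding the library path as
            reported by the sandbox.

    Returns:
        A MalwareAction with one AssociatedObject whose properties are a
        Library built from ``{'name': <filename>}``.

    Raises:
        KeyError: if ``"filename"`` is absent.
    """
    a = MalwareAction()
    ao = AssociatedObject()
    # NOTE(review): the name says "Load" while type_ says "Modify"; kept as
    # the original emits it -- confirm which vocabulary entry is intended.
    a.name = "Load Library"
    a.type_ = "Modify"

    # The original also split the basename into (stem, ext) but never used
    # the result; the reported path goes into the Library name unchanged.
    lib = Library.from_dict({'name': filenames["filename"]})
    ao.properties = lib

    a.associated_objects = AssociatedObjects()
    a.associated_objects.append(ao)
    return a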
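def loaded_libraries(filenames):
    """Build a "Load Library" MalwareAction (type "Load") for one library record.

    Args:
        filenames: dict with a ``"filename"`` key holding the library path as
            reported by the sandbox.

    Returns:
        A MalwareAction with one AssociatedObject whose properties are a
        Library whose ``name`` is the basename without extension and whose
        ``path`` is the reported path.

    Raises:
        KeyError: if ``"filename"`` is absent.
    """
    a = MalwareAction()
    ao = AssociatedObject()
    a.name = "Load Library"
    a.type_ = "Load"

    # NOTE(review): os.path.basename follows the host's separator, so a
    # Windows path processed on POSIX is not split at backslashes -- confirm
    # what the sandbox reports.  Only the stem is needed; the extension the
    # original unpacked into ``ext`` was never used.
    name = os.path.splitext(os.path.basename(filenames["filename"]))[0]
    lib = Library.from_dict({'name': name, 'path': filenames["filename"]})
    ao.properties = lib

    a.associated_objects = AssociatedObjects()
    a.associated_objects.append(ao)
    return a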
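def registry_writes(registry):
    """Build a "Modify Registry Key Value" MalwareAction from a registry write record.

    Args:
        registry: dict with a ``"key"`` entry and optional ``"data"`` and
            ``"value"`` entries (value name and written data).

    Returns:
        A MalwareAction with one AssociatedObject whose properties are a
        WinRegistryKey; when ``"data"`` is present a single RegistryValue is
        attached to it.

    Raises:
        KeyError: if ``"key"`` is absent.
    """
    a = MalwareAction()
    ao = AssociatedObject()
    a.name = "Modify Registry Key Value"
    a.type_= "Modify"

    ao.properties = win_registry_key_object.WinRegistryKey()
    ao.properties.key = registry["key"]

    # ``in`` instead of the Python-2-only ``has_key``.  The value name is
    # guarded the same way registry_reads does it, so a record that carries
    # data but no name no longer aborts the conversion with KeyError.
    if "data" in registry:
        value = win_registry_key_object.RegistryValue()
        if "value" in registry:
            value.name = registry["value"]
        value.data = registry["data"]
        values = win_registry_key_object.RegistryValues([value])
        ao.properties.values = values

    a.associated_objects = AssociatedObjects()
    a.associated_objects.append(ao)
    return a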
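def registry_reads(registry):
    """Build a "Read Registry Key Value" MalwareAction from a registry read record.

    Args:
        registry: dict with a ``"key"`` entry and optional ``"data"`` and
            ``"value"`` entries (value name and data read).

    Returns:
        A MalwareAction with one AssociatedObject whose properties are a
        WinRegistryKey, with a single RegistryValue attached when ``"data"``
        is present.

    Raises:
        KeyError: if ``"key"`` is absent.
    """
    a = MalwareAction()
    ao = AssociatedObject()
    a.name = "Read Registry Key Value"
    a.type_= "Read"

    ao.properties = win_registry_key_object.WinRegistryKey()
    ao.properties.key = registry["key"]

    # ``in`` instead of the Python-2-only ``has_key``.
    if "data" in registry:
        value = win_registry_key_object.RegistryValue()
        if "value" in registry:
            value.name = registry["value"]
        value.data = registry["data"]
        values = win_registry_key_object.RegistryValues([value])
        ao.properties.values = values

    # NOTE(review): the association value is left empty exactly as the
    # original emits it; presumably "input" is meant for a read -- confirm.
    ao.association_type = VocabString()
    ao.association_type.value = ""
    ao.association_type.xsi_type = "maecVocabs:ActionObjectAssociationTypeVocab-1.0"

    a.associated_objects = AssociatedObjects()
    a.associated_objects.append(ao)
    return a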
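def file_delete(files):
    """Build a "Delete File" MalwareAction from a sandbox file record.

    Args:
        files: dict with a ``"filename"`` entry, an optional ``"abs_path"``
            and an optional ``"ext_info"`` dict with ``"size"``, ``"sha1"``,
            ``"md5"`` and ``"file_info"`` entries.

    Returns:
        A MalwareAction with one AssociatedObject whose properties are a
        WinFile populated from whichever of the optional entries are present.

    Raises:
        KeyError: if ``"filename"`` is absent, or if ``"ext_info"`` is
            present but lacks one of its expected entries.
    """
    a = MalwareAction()
    ao = AssociatedObject()
    a.name = "Delete File"
    a.type_ = "Remove/Delete"

    ao.properties = WinFile()
    ao.properties.file_name = files["filename"]

    # ``in`` instead of the Python-2-only ``has_key``.  The path is handled
    # independently of the extended info: the original read ``abs_path``
    # unguarded inside the ``ext_info`` branch and raised KeyError when a
    # record had hashes but no path.
    if "abs_path" in files:
        ao.properties.full_path = files["abs_path"]
    if "ext_info" in files:
        ext_info = files["ext_info"]
        ao.properties.size_in_bytes = UnsignedLong(ext_info["size"])
        # SHA-1 first, then MD5, as in the original.
        ao.properties.hashes = HashList([Hash(ext_info["sha1"]), Hash(ext_info["md5"])])
        ao.properties.file_format = ext_info["file_info"]

    a.associated_objects = AssociatedObjects()
    a.associated_objects.append(ao)
    return a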
# Instantiate the Bundle, Package, MalwareSubject, and Analysis classes that
# make up a minimal MAEC document for one sample.
bundle = Bundle(defined_subject=False)
package = Package()
subject = MalwareSubject()
analysis = Analysis()

# The Malware Instance Object Attributes describe the sample itself: a File
# with a name, a (string) size and a hash.  The 32-hex-digit digest looks
# like an MD5.
subject_object = Object()
sample = File()
sample.name = 'foobar.exe'
sample.size_in_bytes = '35532'
sample.hashes = HashList()
sample.hashes.append(Hash("8743b52063cd84097a65d1633f5c74f5"))
subject_object.properties = sample
subject.set_malware_instance_object_attributes(subject_object)

# The Associated Object is the artefact the action produced (an output DLL).
associated_object = AssociatedObject()
artefact = File()
artefact.file_name = 'abcd.dll'
artefact.size_in_bytes = '123456'
associated_object.properties = artefact
how_related = VocabString()
how_related.value = 'output'
how_related.xsi_type = 'maecVocabs:ActionObjectAssociationTypeVocab-1.0'
associated_object.association_type = how_related

# The Action names what happened via the file-action vocabulary and links
# the produced object to it.
action = MalwareAction()
action_name = VocabString()
action_name.value = 'create file'
action_name.xsi_type = 'maecVocabs:FileActionNameVocab-1.0'
action.name = action_name
action.associated_objects = AssociatedObjects()
action.associated_objects.append(associated_object)

# Add the Action to the Bundle
bundle.add_action(action)
# NOTE(review): this excerpt starts mid-example -- ``a`` (presumably an
# Analysis, given set_findings_bundle/add_tool) and ``b`` (a Bundle) are
# created on lines that are not shown here.
a.set_findings_bundle(b.id_)
# Record the tool that produced the findings.
t = ToolInformation()
t.name = "Anubis"
t.vendor = "ISECLab"
a.add_tool(t)

# Set the requisite attributes on the Bundle and populate it with the Dynamic Analysis findings
b.defined_subject = False
b.content_type = "dynamic analysis tool output"

# Create the create file action initiated by the root process
act1 = MalwareAction()
# A plain string is assigned to ``name`` and ``xsi_type`` is then set on it;
# this only works if assigning to ``MalwareAction.name`` wraps the string in
# a vocab object (the other examples build a VocabString explicitly).
act1.name = "create file"
# NOTE(review): the other examples prefix the vocab name with "maecVocabs:";
# confirm whether the bare "FileActionNameVocab-1.1" is intended.
act1.name.xsi_type = "FileActionNameVocab-1.1"
act1.associated_objects = AssociatedObjects()
o1 = AssociatedObject()
o1.properties = WinExecutableFile()
o1.properties.file_name = "Zcxaxz.exe"
o1.properties.size_in_bytes = "332288"
o1.association_type = VocabString()
o1.association_type.value = "output"
o1.association_type.xsi_type = "maecVocabs:ActionObjectAssociationTypeVocab-1.0"
act1.associated_objects.append(o1)

# Create the Process Tree
p_tree = ProcessTree()

# Create the root process and link it to the action by the action's id.
root_p = ProcessTreeNode()
root_p.name = "first_process.exe"
root_p.add_initiated_action(act1.id_)
# Populate the Analysis with the metadata relating to the Analysis that was performed
# NOTE(review): ``a`` and ``b`` are not defined in this excerpt; it appears to
# continue an example whose first lines are not shown.
a.method = "static"
a.type_ = "in-depth"
a.set_findings_bundle(b.id_)

# Set the requisite attributes on the Bundle and populate it with the In-depth Analysis findings
b.defined_subject = False
b.content_type = "manual analysis output"

# Create the add windows hook action
act = MalwareAction()
# ``name`` receives a plain string and then gets an ``xsi_type``; this relies
# on the assignment wrapping the string in a vocab object -- confirm.
act.name = "add windows hook"
act.name.xsi_type = "maecVocabs:HookingActionNameVocab-1.0"
act.associated_objects = AssociatedObjects()
o1 = AssociatedObject()
o1.properties = WinHook()
o1.properties.type_ = "WH_KEYBOARD_LL"
o1.association_type = VocabString()
o1.association_type.value = "output"
o1.association_type.xsi_type = "maecVocabs:ActionObjectAssociationTypeVocab-1.0"
act.associated_objects.append(o1)

# Create the behavior; it references the action above by id rather than
# embedding it.
bhv = Behavior()
bhv.action_composition = BehavioralActions()
bhv.action_composition.action_reference = [BehavioralActionReference()]
bhv.action_composition.action_reference[0].action_id = act.id_

# Create the capability
# NOTE(review): the excerpt ends here; how ``cap`` is populated is not shown.
cap = Capability()
# Top-level MAEC containers for one sample.
bundle = Bundle(defined_subject=False)
package = Package()
subject = MalwareSubject()
analysis = Analysis()

# Describe the sample itself (name, size as a string, and a hash) and hand
# it to the MalwareSubject as its Malware Instance Object Attributes.
subject_object = Object()
file_props = File()
file_props.name = 'foobar.exe'
file_props.size_in_bytes = '35532'
file_props.hashes = HashList()
file_props.hashes.append(
    Hash("8743b52063cd84097a65d1633f5c74f5"))
subject_object.properties = file_props
subject.set_malware_instance_object_attributes(subject_object)

# The object the action produced, tagged with the association vocabulary.
associated_object = AssociatedObject()
produced = File()
produced.file_name = 'abcd.dll'
produced.size_in_bytes = '123456'
associated_object.properties = produced
assoc = VocabString()
assoc.value = 'output'
assoc.xsi_type = 'maecVocabs:ActionObjectAssociationTypeVocab-1.0'
associated_object.association_type = assoc

# The "create file" action, named through the file-action vocabulary.
action = MalwareAction()
name_vocab = VocabString()
name_vocab.value = 'create file'
name_vocab.xsi_type = 'maecVocabs:FileActionNameVocab-1.0'
action.name = name_vocab
holder = AssociatedObjects()
holder.append(associated_object)
action.associated_objects = holder

# Add the Action to the Bundle
bundle.add_action(action)
# Instantiate the Bundle, Package, MalwareSubject, and Analysis classes
bundle = Bundle(defined_subject=False)
package = Package()
subject = MalwareSubject()
analysis = Analysis()

# The sample under analysis: a File with name, (string) size and a hash,
# attached to the subject as its Malware Instance Object Attributes.
subject_object = Object()
sample = File()
sample.name = "foobar.exe"
sample.size_in_bytes = "35532"
sample.hashes = HashList()
sample.hashes.append(Hash("8743b52063cd84097a65d1633f5c74f5"))
subject_object.properties = sample
subject.set_malware_instance_object_attributes(subject_object)

# The artefact the action produced.  Unlike the VocabString variants above,
# this example uses the dedicated AssociationType class.
associated_object = AssociatedObject()
artefact = File()
artefact.file_name = "abcd.dll"
artefact.size_in_bytes = "123456"
associated_object.properties = artefact
assoc = AssociationType()
assoc.value = "output"
assoc.xsi_type = "maecVocabs:ActionObjectAssociationTypeVocab-1.0"
associated_object.association_type = assoc

# The action.  ``name`` is given a plain string and ``xsi_type`` is then set
# on it, which relies on the assignment wrapping the string in a vocab object.
action = MalwareAction()
action.name = "create file"
action.name.xsi_type = "maecVocabs:FileActionNameVocab-1.0"
holder = AssociatedObjects()
holder.append(associated_object)
action.associated_objects = holder

# Add the Action to the Bundle
bundle.add_action(action)
# Create the Capability from another dictionary
# NOTE(review): the excerpt ends here; the capability code is not shown.
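def http_conversations(httpconv):
    """Build a "Connect to URL" MalwareAction from one sandbox HTTP conversation.

    Args:
        httpconv: dict from the sandbox report with ``"protocol"``,
            ``"url"`` (a request line such as ``"GET /path HTTP/1.1"``),
            ``"dst_host"``, ``"dst_port"``, ``"response_headers"`` (a dict of
            header names to values that also carries ``"Status-Line"``,
            ``"Date"`` and ``"type"``) and an optional ``"download_content"``.
            Every value was observed on the wire, i.e. it was chosen by the
            sample or by the server it talked to, so the header and status
            parsing below tolerates missing or malformed fields instead of
            aborting the whole report conversion.

    Returns:
        A MalwareAction whose AssociatedObject is a NetworkConnection carrying
        one HTTPSession with a single request/response pair.

    Raises:
        KeyError: if ``"protocol"``, ``"url"``, ``"dst_host"``,
            ``"dst_port"``, ``"response_headers"`` or ``"Status-Line"`` is
            missing.
    """
    a = MalwareAction()
    ao = AssociatedObject()
    a.name = "Connect to URL"
    a.type_ = "Connect"

    ao.properties = NetworkConnection()
    ao.properties.layer4_protocol = httpconv["protocol"]

    # Server side first, then client side, as in the original.
    response = _http_server_response(httpconv)
    client = _http_client_request(httpconv)

    httpsession = HTTPSession()
    requestresponse = HTTPRequestResponse()
    requestresponse.http_client_request = client
    requestresponse.http_server_response = response
    httpsession.http_request_response = [requestresponse]
    layer7 = Layer7Connections()
    layer7.http_session = httpsession
    ao.properties.layer7_connections = layer7

    a.associated_objects = AssociatedObjects()
    a.associated_objects.append(ao)
    return a


def _http_server_response(httpconv):
    """Build the HTTPServerResponse half of the conversation.

    Header fields are copied only when present so a reply with an unusual
    header set does not raise KeyError.  The original assigned
    ``content_type`` twice (from ``"Content-Type"``, then from ``"type"``);
    the second assignment won, so ``"type"`` is preferred here with
    ``"Content-Type"`` as the fallback.
    """
    headers = httpconv["response_headers"]

    fields = HTTPResponseHeaderFields()
    if "Transfer-Encoding" in headers:
        fields.transfer_encoding = headers["Transfer-Encoding"]
    if "Server" in headers:
        fields.server = headers["Server"]
    if "Connection" in headers:
        fields.connection = headers["Connection"]
    if "Date" in headers:
        try:
            # e.g. "Tue, 01 Jan 2013 00:00:00 GMT"; the result is marked UTC.
            parsed = datetime.strptime(headers["Date"], '%a, %d %b %Y %H:%M:%S %Z')
        except ValueError:
            parsed = None  # malformed Date header: leave the field unset
        if parsed is not None:
            fields.date = DateTime(parsed.replace(tzinfo=pytz.utc))
    content_type = headers.get("type", headers.get("Content-Type"))
    if content_type is not None:
        fields.content_type = content_type
    header = HTTPResponseHeader()
    header.parsed_header = fields

    response = HTTPServerResponse()
    if "download_content" in httpconv:
        body = HTTPMessage()
        # 'string-escape' is a Python 2 codec; the rest of this file is
        # Python 2 as well, so the call is kept as the original had it.
        body.message_body = str(httpconv["download_content"]).encode('string-escape')
        response.http_message_body = body

    # "HTTP/1.1 404 Not Found" -> version, status code, reason phrase.  The
    # split is limited to two so a multi-word reason phrase is kept whole
    # instead of being cut to its first word, and a short line no longer
    # raises IndexError.
    parts = headers["Status-Line"].split(None, 2)
    line = HTTPStatusLine()
    if len(parts) > 0:
        line.version = parts[0]
    if len(parts) > 1:
        line.status_code = PositiveInteger(parts[1])
    if len(parts) > 2:
        line.reason_phrase = parts[2]
    response.http_status_line = line
    response.http_response_header = header
    return response


def _http_client_request(httpconv):
    """Build the HTTPClientRequest half: request line plus Host header."""
    client = HTTPClientRequest()

    # "GET /index.html HTTP/1.1" -> method, target, version; a request line
    # with fewer parts fills only what is there instead of raising.
    parts = httpconv["url"].split()
    line = HTTPRequestLine()
    if len(parts) > 0:
        line.http_method = parts[0]
    if len(parts) > 1:
        line.value = parts[1]
    if len(parts) > 2:
        line.version = parts[2]
    client.http_request_line = line

    host = HostField()
    host.domain_name = URI(httpconv["dst_host"])
    port = Port()
    port.port_value = PositiveInteger(httpconv["dst_port"])
    host.port = port
    fields = HTTPRequestHeaderFields()
    fields.host = host
    header = HTTPRequestHeader()
    header.parsed_header = fields
    client.http_request_header = header
    return client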
# NOTE(review): this excerpt starts mid-example -- ``a`` (presumably an
# Analysis, given set_findings_bundle/add_tool) and ``b`` (a Bundle) are
# created on lines that are not shown here.
a.set_findings_bundle(b.id_)
# Record the tool that produced the findings.
t = ToolInformation()
t.name = "ThreatExpert"
t.vendor = "ThreatExpert"
a.add_tool(t)

# Set the requisite attributes on the Bundle and populate it with the Dynamic Analysis findings
b.defined_subject = False
b.content_type = "dynamic analysis tool output"

# Create the first, create file action
act1 = MalwareAction()
# A plain string is assigned to ``name`` and ``xsi_type`` is then set on it;
# this relies on the assignment wrapping the string in a vocab object.
act1.name = "create file"
# NOTE(review): other examples prefix the vocab name with "maecVocabs:";
# confirm whether the bare form is intended.
act1.name.xsi_type = "FileActionNameVocab-1.1"
act1.associated_objects = AssociatedObjects()
o1 = AssociatedObject()
o1.properties = WinExecutableFile()
o1.properties.file_name = "Zcxaxz.exe"
o1.properties.size_in_bytes = "332288"
o1.association_type = VocabString()
o1.association_type.value = "output"
o1.association_type.xsi_type = "maecVocabs:ActionObjectAssociationTypeVocab-1.0"
act1.associated_objects.append(o1)

# Create the second, create mutex action
act2 = MalwareAction()
act2.name = "create mutex"
act2.name.xsi_type = "SynchronizationActionNameVocab-1.0"
act2.associated_objects = AssociatedObjects()
o2 = AssociatedObject()
# NOTE(review): the excerpt is cut here; the mutex name and the append to
# act2 are not shown.
o2.properties = WinMutex()
# Import the required APIs
from maec.bundle.bundle import Bundle
from maec.bundle.malware_action import MalwareAction
from maec.utils import IDGenerator, set_id_method
from cybox.core import Object, AssociatedObjects, AssociatedObject, AssociationType
from cybox.objects.file_object import File

# Select integer IDs before any entity is constructed, then create the
# bundle, the action and its associated object in that order.
set_id_method(IDGenerator.METHOD_INT)
b = Bundle()
a = MalwareAction()
ao = AssociatedObject()

# The object the action produced: a File with a name and a (string) size,
# tagged as the action's output via the association vocabulary.
produced = File()
produced.file_name = "badware.exe"
produced.size_in_bytes = "123456"
ao.properties = produced
how_related = AssociationType()
how_related.value = 'output'
how_related.xsi_type = 'maecVocabs:ActionObjectAssociationTypeVocab-1.0'
ao.association_type = how_related

# Name the action through the file-action vocabulary (``name`` takes a plain
# string and ``xsi_type`` is set on the resulting value) and attach the object.
a.name = 'create file'
a.name.xsi_type = 'maecVocabs:FileActionNameVocab-1.0'
holder = AssociatedObjects()
holder.append(ao)
a.associated_objects = holder

# Add the Action to the Bundle
b.add_action(a)

# Output the Bundle to stdout
# NOTE(review): the statement that prints the bundle is not part of this excerpt.
# Populate the Analysis with the metadata relating to the Analysis that was performed
# NOTE(review): this fragment reuses the names ``a`` and ``b`` from the
# preceding example but treats ``a`` as an Analysis (method/type_/
# set_findings_bundle); it appears to belong to a different example whose
# first lines are not shown.
a.method = "static"
a.type_ = "in-depth"
a.set_findings_bundle(b.id_)

# Set the requisite attributes on the Bundle and populate it with the In-depth Analysis findings
b.defined_subject = False
b.content_type = "manual analysis output"

# Create the add windows hook action
act = MalwareAction()
# ``name`` receives a plain string and then gets an ``xsi_type``; this relies
# on the assignment wrapping the string in a vocab object -- confirm.
act.name = "add windows hook"
act.name.xsi_type = "maecVocabs:HookingActionNameVocab-1.0"
act.associated_objects = AssociatedObjects()
o1 = AssociatedObject()
o1.properties = WinHook()
o1.properties.type_ = "WH_KEYBOARD_LL"
o1.association_type = VocabString()
o1.association_type.value = "output"
o1.association_type.xsi_type = "maecVocabs:ActionObjectAssociationTypeVocab-1.0"
act.associated_objects.append(o1)

# Create the behavior; it references the action above by id rather than
# embedding it.
bhv = Behavior()
bhv.action_composition = BehavioralActions()
bhv.action_composition.action_reference = [BehavioralActionReference()]
bhv.action_composition.action_reference[0].action_id = act.id_

# Create the capability
# NOTE(review): the excerpt ends here; how ``cap`` is populated is not shown.
cap = Capability()