a.type_ = "triage" a.set_findings_bundle(b.id_) t = ToolInformation() t.name = "ThreatExpert" t.vendor = "ThreatExpert" a.add_tool(t) # Set the requisite attributes on the Bundle and populate it with the Dynamic Analysis findings b.defined_subject = False b.content_type = "dynamic analysis tool output" # Create the first, create file action act1 = MalwareAction() act1.name = "create file" act1.name.xsi_type = "FileActionNameVocab-1.1" act1.associated_objects = AssociatedObjects() o1 = AssociatedObject() o1.properties = WinExecutableFile() o1.properties.file_name = "Zcxaxz.exe" o1.properties.size_in_bytes = "332288" o1.association_type = VocabString() o1.association_type.value = "output" o1.association_type.xsi_type = "maecVocabs:ActionObjectAssociationTypeVocab-1.0" act1.associated_objects.append(o1) # Create the second, create mutex action act2 = MalwareAction() act2.name = "create mutex" act2.name.xsi_type = "SynchronizationActionNameVocab-1.0" act2.associated_objects = AssociatedObjects() o2 = AssociatedObject()
"B6C39FF68346DCC8B67AA060DEFE40C2") # Populate the Analysis with the metadata relating to the Analysis that was performed a.method = "static" a.type_ = "in-depth" a.set_findings_bundle(b.id_) # Set the requisite attributes on the Bundle and populate it with the In-depth Analysis findings b.defined_subject = False b.content_type = "manual analysis output" # Create the add windows hook action act = MalwareAction() act.name = "add windows hook" act.name.xsi_type = "maecVocabs:HookingActionNameVocab-1.0" act.associated_objects = AssociatedObjects() o1 = AssociatedObject() o1.properties = WinHook() o1.properties.type_ = "WH_KEYBOARD_LL" o1.association_type = VocabString() o1.association_type.value = "output" o1.association_type.xsi_type = "maecVocabs:ActionObjectAssociationTypeVocab-1.0" act.associated_objects.append(o1) # Create the behavior bhv = Behavior() bhv.action_composition = BehavioralActions() bhv.action_composition.action_reference = [BehavioralActionReference()] bhv.action_composition.action_reference[0].action_id = act.id_ # Create the capability
def add_associated_objects(self,associated_object): if not isinstance(self.associated_objects,AssociatedObjects): self.associated_objects = AssociatedObjects() self.associated_objects.append(associated_object)
class CyboxAction(Action): def __init__(self, id=None, idref=None, namespace=None,name=None,action_status=None,context=None,description=None,discovery_method=None,frequency=None,action_aliases=None, action_arguments=None,ordinal_position=None,timestamp=None,type=None,associated_objects=None,relationships=None ): super(CyboxAction, self).__init__() set_id_method(IDGenerator.METHOD_UUID) if id is None and idref is None: if namespace is not None: set_id_namespace(namespace) self.id_ = create_id(prefix='action') self.action_arguments = action_arguments self.action_aliases = action_aliases self.discovery_method = discovery_method self.name = name self.action_status = action_status self.associated_objects = associated_objects self.type_ = type self.timestamp = timestamp self.relationships =relationships self.ordinal_position = ordinal_position self.frequency= frequency self.description = description self.context = context def add_relationships(self,action_relationship): if not isinstance(self.relationships,ActionRelationships): self.relationships = ActionRelationships() self.relationships.append(action_relationship) def create_action_relationship(self,type=None,action_references=None): actionrelationship = ActionRelationship() actionrelationship.type =type if action_references is not None: for actionref in action_references: actionrelationship.action_references.append(actionref) return actionrelationship def create_action_reference(self,action_id=None): return ActionReference(action_id=action_id) def add_associated_objects(self,associated_object): if not isinstance(self.associated_objects,AssociatedObjects): self.associated_objects = AssociatedObjects() self.associated_objects.append(associated_object) def create_associated_object(self,defined_object=None,association_type=None,type=None): return AssociatedObject(defined_object=defined_object,association_type=association_type) def add_type(self,type): self.type_ = type def add_timestamp(self,timestamp): self.timestamp=timestamp def add_ordinal_position(self,ordinal_position): self.ordinal_position=ordinal_position def add_frequnecy(self,rate=None,scale=None,trend=None,units=None): self.frequency= Frequency() self.frequency.rate =rate self.frequency.scale=scale self.frequency.trend=trend self.frequency.units=units def add_description(self,description): self.description =description def add_context(self,context): self.context =context def add_action_status(self,action_status): self.action_status =action_status def add_action_name(self,name): self.name=name def add_action_argument(self, action_argument): if not isinstance(self.action_arguments,ActionArguments): self.action_arguments = ActionArguments() self.action_arguments.append(action_argument) def create_action_argument(self, name, value): ''' Is optional and enables the specification of a single relevant argument/parameter for this Action. Name must be taken from cybox.vocabs.ActionArgumentNameEnum ''' action_argument = ActionArgument() action_argument.argument_name = name action_argument.argument_value = value return action_argument def add_action_alias(self,action_alias): ''' Adds action_alias names, enabling identification of other potentially used names for this Action. ''' if not isinstance(self.action_aliases,ActionAliases): self.action_aliases = ActionAliases() self.action_aliases.append(action_alias) def add_location(self): ''' future implementation :return: ''' pass def add_discovery_method(self,discovery_method): self.discovery_method = discovery_method
# Set the Malware Instance Object Attributes with an Object constructed from the dictionary subject.set_malware_instance_object_attributes(subject_object) # Create the Associated Object Dictionary for use in the Action associated_object = AssociatedObject() associated_object.properties = File() associated_object.properties.file_name = 'abcd.dll' associated_object.properties.size_in_bytes = '123456' associated_object.association_type = VocabString() associated_object.association_type.value = 'output' associated_object.association_type.xsi_type = 'maecVocabs:ActionObjectAssociationTypeVocab-1.0' # Create the Action from another dictionary action = MalwareAction() action.name = VocabString() action.name.value = 'create file' action.name.xsi_type = 'maecVocabs:FileActionNameVocab-1.0' action.associated_objects = AssociatedObjects() action.associated_objects.append(associated_object) # Add the Action to the Bundle bundle.add_action(action) # Create the Capability from another dictionary capability = Capability() capability.name = 'persistence' # Add the Capability to the Bundle bundle.add_capability(capability) # Add the Bundle to the Malware Subject subject.add_findings_bundle(bundle) subject.findings_bundles.bundle = [bundle] # Add the Malware Subject to the Package package.add_malware_subject(subject) # Export the Package Bindings Object to an XML file and use the namespaceparser for writing out the namespace definitions package.to_xml_file('sample_maec_package.xml')