def __init__(self,id=None,namespace=None,malware_instance_object_attributes=None,relationships=None,minor_variants=None,labels=None,findings_bundles=None, development_environment=None,configuration_details=None,compatible_platform=None,analyses=None): super(MaecMalwareSubject, self).__init__(id=id,malware_instance_object_attributes=malware_instance_object_attributes) if id is None and namespace is not None: set_id_method(IDGenerator.METHOD_UUID) set_id_namespace(namespace) self.id_ = create_id(prefix="malware_subject") self.relationships =MalwareSubjectRelationshipList() if relationships is not None: for relationship in relationships: if isinstance(relationship,MalwareSubjectRelationship): self.relationships.append(relationship) self.minor_variants = MinorVariants() if minor_variants is not None: for minor_variant in minor_variants: self.minor_variants.append(minor_variant) self.label=[] if labels is not None: for label in labels: self.label.append(VocabString(label)) self.findings_bundles = FindingsBundleList() if findings_bundles is not None and isinstance(findings_bundles,FindingsBundleList): self.findings_bundles = findings_bundles self.development_environment = development_environment self.configuration_details =configuration_details self.compatible_platform =compatible_platform self.analyses = analyses
class MaecMalwareSubject(MalwareSubject): def __init__(self,id=None,namespace=None,malware_instance_object_attributes=None,relationships=None,minor_variants=None,labels=None,findings_bundles=None, development_environment=None,configuration_details=None,compatible_platform=None,analyses=None): super(MaecMalwareSubject, self).__init__(id=id,malware_instance_object_attributes=malware_instance_object_attributes) if id is None and namespace is not None: set_id_method(IDGenerator.METHOD_UUID) set_id_namespace(namespace) self.id_ = create_id(prefix="malware_subject") self.relationships =MalwareSubjectRelationshipList() if relationships is not None: for relationship in relationships: if isinstance(relationship,MalwareSubjectRelationship): self.relationships.append(relationship) self.minor_variants = MinorVariants() if minor_variants is not None: for minor_variant in minor_variants: self.minor_variants.append(minor_variant) self.label=[] if labels is not None: for label in labels: self.label.append(VocabString(label)) self.findings_bundles = FindingsBundleList() if findings_bundles is not None and isinstance(findings_bundles,FindingsBundleList): self.findings_bundles = findings_bundles self.development_environment = development_environment self.configuration_details =configuration_details self.compatible_platform =compatible_platform self.analyses = analyses def addlabel(self,label=None): self.label.append(VocabString(label)) def addmalwareinstanceobjectattributes(self,malware_instance_object_attributes=None): self.set_malware_instance_object_attributes(malware_instance_object_attributes=malware_instance_object_attributes) def addconfigurationdeatails(self,configuration_details): if isinstance(configuration_details,MalwareConfigurationDetails): self.configuration_details =configuration_details def addminorvariant(self,minor_variant=None): self.minor_variants.append(minor_variant) def addcompatibleplatform(self,compatible_platform=None): self.compatible_platform = compatible_platform def addrelationship(self,relationship=None): self.relationships.append(relationship) def addbundleinfindingbundles(self,bundle=None): self.add_findings_bundle(bundle) def addmetaanalysisinfindingbundles(self,meta_analysis): self.findings_bundles.meta_analysis=meta_analysis def addexternalreferenceinfindingbundles(self,external_reference): self.findings_bundles.add_bundle_external_reference(external_reference) def createfindingbundlesmetaanalysis(self,object_equivalences=None,action_equivalences=None): meta_analysis = MetaAnalysis() meta_analysis.object_equivalences =ObjectEquivalenceList() if object_equivalences is not None: for object_equivalence in object_equivalences : meta_analysis.object_equivalences.append(object_equivalence) meta_analysis.action_equivalences = ActionEquivalenceList() if action_equivalences is not None: for action_equivalence in action_equivalences: meta_analysis.action_equivalences.append(action_equivalence) return meta_analysis def createfindingbundlesmetaanalysisobjectequivalence(self,id=None,object_references=None): object_equivalence = ObjectEquivalence() object_equivalence.id_ =id object_equivalence.object_reference=object_references return object_equivalence def createfindingbundlesmetaanalysisobjectequivalencereference(self,object_idref=None): #unresolved library bug reference = ObjectReference() reference.object_idref =object_idref return reference def createfindingbundlesmetaanalysisactionequivalence(self,action_references=None): action_equivalence = ActionEquivalence() action_equivalence.action_reference=action_references return action_equivalence def createfindingbundlesmetaanalysisactionequivalencereference(self,action_id=None): return ActionReference(action_id=action_id) def createrelationship(self,type=None,malware_subject_reference=None): relationship= MalwareSubjectRelationship() relationship.type_ = VocabString(value=type) relationship.malware_subject_reference=malware_subject_reference return relationship def createrelationshipreference(self,malware_subject_idref=None): reference = MalwareSubjectReference() reference.malware_subject_idref = malware_subject_idref return reference def createcompatibleplatform(self,description=None,identifiers=None): platform = PlatformSpecification() if description is not None: platform.description= StructuredText(value=description) if not identifiers is None: for identifier in identifiers: platform.identifiers.append(identifier) return platform def createcompatibleplatformidentifier(self,system=None,system_ref =None): identifier = PlatformIdentifier() identifier.system =system identifier.system_ref =system_ref return identifier def createconfigurationdetails(self,storage=None,obfuscation=None,configuration_parameter=None): configuration_details = MalwareConfigurationDetails() configuration_details.storage =storage configuration_details.obfuscation = obfuscation configuration_details.configuration_parameter = configuration_parameter return configuration_details def createconfigurationdetailsstorage(self,malware_binary=None,url=None,file=None): storage = MalwareConfigurationStorageDetails() storage.url =url storage.malware_binary = malware_binary storage.file =file return storage def createconfigurationdetailsstoragemalwarebinary(self,section_offset=None,section_name=None,file_offset=None): malware_binary = MalwareBinaryConfigurationStorageDetails() malware_binary.section_offset = section_offset malware_binary.section_name = section_name malware_binary.file_offset = file_offset return malware_binary def createconfigurationdetailsobfuscation(self,is_encrypted=None,is_encoded=None,algorithm_details=None): obfuscation = MalwareConfigurationObfuscationDetails() obfuscation.is_encrypted=is_encrypted obfuscation.is_encoded = is_encoded if algorithm_details is not None: for algorithm in algorithm_details: if isinstance(algorithm,MalwareConfigurationObfuscationAlgorithm): obfuscation.algorithm_details.append(algorithm) return obfuscation def createconfigurationdetailsobfuscationalgorithm(self,ordinal_position=None,key=None,algorithm_name=None): algorithm = MalwareConfigurationObfuscationAlgorithm() algorithm.ordinal_position = ordinal_position algorithm.key = key algorithm.algorithm_name = algorithm_name return algorithm def createconfigurationdetailsconfparameter(self,value=None,name=None): configuration_parameter = MalwareConfigurationParameter() configuration_parameter.name=VocabString(name) configuration_parameter.value =value return configuration_parameter def adddevelopmentenvironment(self,development_environment=None): self.development_environment=development_environment def createdevelopmentenvironment(self,debugging_file=None,tools=None): development_environment = MalwareDevelopmentEnvironment() development_environment.tools = tools development_environment.debugging_file=debugging_file return development_environment
def merge_binned_malware_subjects(merged_malware_subject, binned_list, id_mappings_dict): '''Merge a list of input binned (related) Malware Subjects''' # Merge the Malware_Instance_Object_Attributes mal_inst_obj_list = [ x.malware_instance_object_attributes for x in binned_list ] merged_inst_obj = Object.from_dict(merge_entities(mal_inst_obj_list)) # Give the merged Object a new ID merged_inst_obj.id_ = idgen.create_id('object') # Deduplicate the hash values, if they exist if merged_inst_obj.properties and merged_inst_obj.properties.hashes: hashes = merged_inst_obj.properties.hashes hashes = HashList( deduplicate_vocabulary_list(hashes, value_name='simple_hash_value')) hashes = HashList( deduplicate_vocabulary_list(hashes, value_name='fuzzy_hash_value')) merged_inst_obj.properties.hashes = hashes # Merge and deduplicate the labels merged_labels = list( itertools.chain(*[x.label for x in binned_list if x.label])) deduplicated_labels = deduplicate_vocabulary_list(merged_labels) # Merge the configuration details config_details_list = [ x.configuration_details for x in binned_list if x.configuration_details ] merged_config_details = None if config_details_list: merged_config_details = MalwareConfigurationDetails.from_dict( merge_entities(config_details_list)) # Merge the minor variants merged_minor_variants = list( itertools.chain( *[x.minor_variants for x in binned_list if x.minor_variants])) # Merge the field data # TODO: Add support. Not implemented in the APIs. # Merge the analyses merged_analyses = list( itertools.chain(*[x.analyses for x in binned_list if x.analyses])) # Merge the findings bundles merged_findings_bundles = merge_findings_bundles( [x.findings_bundles for x in binned_list if x.findings_bundles]) # Merge the relationships merged_relationships = list( itertools.chain( *[x.relationships for x in binned_list if x.relationships])) # Merge the compatible platforms merged_compatible_platforms = list( itertools.chain(*[ x.compatible_platform for x in binned_list if x.compatible_platform ])) # Build the merged Malware Subject merged_malware_subject.malware_instance_object_attributes = merged_inst_obj if deduplicated_labels: merged_malware_subject.label = deduplicated_labels if merged_config_details: merged_malware_subject.configuration_details = merged_config_details if merged_minor_variants: merged_malware_subject.minor_variants = MinorVariants( merged_minor_variants) if merged_analyses: merged_malware_subject.analyses = Analyses(merged_analyses) if merged_findings_bundles: merged_malware_subject.findings_bundles = merged_findings_bundles if merged_relationships: merged_malware_subject.relationships = MalwareSubjectRelationshipList( merged_relationships) if merged_compatible_platforms: merged_malware_subject.compatible_platform = merged_compatible_platforms