def __init__(self,id=None,namespace=None,malware_instance_object_attributes=None,relationships=None,minor_variants=None,labels=None,findings_bundles=None,
development_environment=None,configuration_details=None,compatible_platform=None,analyses=None):
super(MaecMalwareSubject, self).__init__(id=id,malware_instance_object_attributes=malware_instance_object_attributes)
if id is None and namespace is not None:
set_id_method(IDGenerator.METHOD_UUID)
set_id_namespace(namespace)
self.id_ = create_id(prefix="malware_subject")
self.relationships =MalwareSubjectRelationshipList()
if relationships is not None:
for relationship in relationships:
if isinstance(relationship,MalwareSubjectRelationship):
self.relationships.append(relationship)
self.minor_variants = MinorVariants()
if minor_variants is not None:
for minor_variant in minor_variants:
self.minor_variants.append(minor_variant)
self.label=[]
if labels is not None:
for label in labels:
self.label.append(VocabString(label))
self.findings_bundles = FindingsBundleList()
if findings_bundles is not None and isinstance(findings_bundles,FindingsBundleList):
self.findings_bundles = findings_bundles
self.development_environment = development_environment
self.configuration_details =configuration_details
self.compatible_platform =compatible_platform
self.analyses = analyses
class MaecMalwareSubject(MalwareSubject):
def __init__(self,id=None,namespace=None,malware_instance_object_attributes=None,relationships=None,minor_variants=None,labels=None,findings_bundles=None,
development_environment=None,configuration_details=None,compatible_platform=None,analyses=None):
super(MaecMalwareSubject, self).__init__(id=id,malware_instance_object_attributes=malware_instance_object_attributes)
if id is None and namespace is not None:
set_id_method(IDGenerator.METHOD_UUID)
set_id_namespace(namespace)
self.id_ = create_id(prefix="malware_subject")
self.relationships =MalwareSubjectRelationshipList()
if relationships is not None:
for relationship in relationships:
if isinstance(relationship,MalwareSubjectRelationship):
self.relationships.append(relationship)
self.minor_variants = MinorVariants()
if minor_variants is not None:
for minor_variant in minor_variants:
self.minor_variants.append(minor_variant)
self.label=[]
if labels is not None:
for label in labels:
self.label.append(VocabString(label))
self.findings_bundles = FindingsBundleList()
if findings_bundles is not None and isinstance(findings_bundles,FindingsBundleList):
self.findings_bundles = findings_bundles
self.development_environment = development_environment
self.configuration_details =configuration_details
self.compatible_platform =compatible_platform
self.analyses = analyses
def addlabel(self,label=None):
self.label.append(VocabString(label))
def addmalwareinstanceobjectattributes(self,malware_instance_object_attributes=None):
self.set_malware_instance_object_attributes(malware_instance_object_attributes=malware_instance_object_attributes)
def addconfigurationdeatails(self,configuration_details):
if isinstance(configuration_details,MalwareConfigurationDetails):
self.configuration_details =configuration_details
def addminorvariant(self,minor_variant=None):
self.minor_variants.append(minor_variant)
def addcompatibleplatform(self,compatible_platform=None):
self.compatible_platform = compatible_platform
def addrelationship(self,relationship=None):
self.relationships.append(relationship)
def addbundleinfindingbundles(self,bundle=None):
self.add_findings_bundle(bundle)
def addmetaanalysisinfindingbundles(self,meta_analysis):
self.findings_bundles.meta_analysis=meta_analysis
def addexternalreferenceinfindingbundles(self,external_reference):
self.findings_bundles.add_bundle_external_reference(external_reference)
def createfindingbundlesmetaanalysis(self,object_equivalences=None,action_equivalences=None):
meta_analysis = MetaAnalysis()
meta_analysis.object_equivalences =ObjectEquivalenceList()
if object_equivalences is not None:
for object_equivalence in object_equivalences :
meta_analysis.object_equivalences.append(object_equivalence)
meta_analysis.action_equivalences = ActionEquivalenceList()
if action_equivalences is not None:
for action_equivalence in action_equivalences:
meta_analysis.action_equivalences.append(action_equivalence)
return meta_analysis
def createfindingbundlesmetaanalysisobjectequivalence(self,id=None,object_references=None):
object_equivalence = ObjectEquivalence()
object_equivalence.id_ =id
object_equivalence.object_reference=object_references
return object_equivalence
def createfindingbundlesmetaanalysisobjectequivalencereference(self,object_idref=None):
#unresolved library bug
reference = ObjectReference()
reference.object_idref =object_idref
return reference
def createfindingbundlesmetaanalysisactionequivalence(self,action_references=None):
action_equivalence = ActionEquivalence()
action_equivalence.action_reference=action_references
return action_equivalence
def createfindingbundlesmetaanalysisactionequivalencereference(self,action_id=None):
return ActionReference(action_id=action_id)
def createrelationship(self,type=None,malware_subject_reference=None):
relationship= MalwareSubjectRelationship()
relationship.type_ = VocabString(value=type)
relationship.malware_subject_reference=malware_subject_reference
return relationship
def createrelationshipreference(self,malware_subject_idref=None):
reference = MalwareSubjectReference()
reference.malware_subject_idref = malware_subject_idref
return reference
def createcompatibleplatform(self,description=None,identifiers=None):
platform = PlatformSpecification()
if description is not None:
platform.description= StructuredText(value=description)
if not identifiers is None:
for identifier in identifiers:
platform.identifiers.append(identifier)
return platform
def createcompatibleplatformidentifier(self,system=None,system_ref =None):
identifier = PlatformIdentifier()
identifier.system =system
identifier.system_ref =system_ref
return identifier
def createconfigurationdetails(self,storage=None,obfuscation=None,configuration_parameter=None):
configuration_details = MalwareConfigurationDetails()
configuration_details.storage =storage
configuration_details.obfuscation = obfuscation
configuration_details.configuration_parameter = configuration_parameter
return configuration_details
def createconfigurationdetailsstorage(self,malware_binary=None,url=None,file=None):
storage = MalwareConfigurationStorageDetails()
storage.url =url
storage.malware_binary = malware_binary
storage.file =file
return storage
def createconfigurationdetailsstoragemalwarebinary(self,section_offset=None,section_name=None,file_offset=None):
malware_binary = MalwareBinaryConfigurationStorageDetails()
malware_binary.section_offset = section_offset
malware_binary.section_name = section_name
malware_binary.file_offset = file_offset
return malware_binary
def createconfigurationdetailsobfuscation(self,is_encrypted=None,is_encoded=None,algorithm_details=None):
obfuscation = MalwareConfigurationObfuscationDetails()
obfuscation.is_encrypted=is_encrypted
obfuscation.is_encoded = is_encoded
if algorithm_details is not None:
for algorithm in algorithm_details:
if isinstance(algorithm,MalwareConfigurationObfuscationAlgorithm):
obfuscation.algorithm_details.append(algorithm)
return obfuscation
def createconfigurationdetailsobfuscationalgorithm(self,ordinal_position=None,key=None,algorithm_name=None):
algorithm = MalwareConfigurationObfuscationAlgorithm()
algorithm.ordinal_position = ordinal_position
algorithm.key = key
algorithm.algorithm_name = algorithm_name
return algorithm
def createconfigurationdetailsconfparameter(self,value=None,name=None):
configuration_parameter = MalwareConfigurationParameter()
configuration_parameter.name=VocabString(name)
configuration_parameter.value =value
return configuration_parameter
def adddevelopmentenvironment(self,development_environment=None):
self.development_environment=development_environment
def createdevelopmentenvironment(self,debugging_file=None,tools=None):
development_environment = MalwareDevelopmentEnvironment()
development_environment.tools = tools
development_environment.debugging_file=debugging_file
return development_environment
def merge_binned_malware_subjects(merged_malware_subject, binned_list,
id_mappings_dict):
'''Merge a list of input binned (related) Malware Subjects'''
# Merge the Malware_Instance_Object_Attributes
mal_inst_obj_list = [
x.malware_instance_object_attributes for x in binned_list
]
merged_inst_obj = Object.from_dict(merge_entities(mal_inst_obj_list))
# Give the merged Object a new ID
merged_inst_obj.id_ = idgen.create_id('object')
# Deduplicate the hash values, if they exist
if merged_inst_obj.properties and merged_inst_obj.properties.hashes:
hashes = merged_inst_obj.properties.hashes
hashes = HashList(
deduplicate_vocabulary_list(hashes,
value_name='simple_hash_value'))
hashes = HashList(
deduplicate_vocabulary_list(hashes, value_name='fuzzy_hash_value'))
merged_inst_obj.properties.hashes = hashes
# Merge and deduplicate the labels
merged_labels = list(
itertools.chain(*[x.label for x in binned_list if x.label]))
deduplicated_labels = deduplicate_vocabulary_list(merged_labels)
# Merge the configuration details
config_details_list = [
x.configuration_details for x in binned_list if x.configuration_details
]
merged_config_details = None
if config_details_list:
merged_config_details = MalwareConfigurationDetails.from_dict(
merge_entities(config_details_list))
# Merge the minor variants
merged_minor_variants = list(
itertools.chain(
*[x.minor_variants for x in binned_list if x.minor_variants]))
# Merge the field data # TODO: Add support. Not implemented in the APIs.
# Merge the analyses
merged_analyses = list(
itertools.chain(*[x.analyses for x in binned_list if x.analyses]))
# Merge the findings bundles
merged_findings_bundles = merge_findings_bundles(
[x.findings_bundles for x in binned_list if x.findings_bundles])
# Merge the relationships
merged_relationships = list(
itertools.chain(
*[x.relationships for x in binned_list if x.relationships]))
# Merge the compatible platforms
merged_compatible_platforms = list(
itertools.chain(*[
x.compatible_platform for x in binned_list if x.compatible_platform
]))
# Build the merged Malware Subject
merged_malware_subject.malware_instance_object_attributes = merged_inst_obj
if deduplicated_labels: merged_malware_subject.label = deduplicated_labels
if merged_config_details:
merged_malware_subject.configuration_details = merged_config_details
if merged_minor_variants:
merged_malware_subject.minor_variants = MinorVariants(
merged_minor_variants)
if merged_analyses:
merged_malware_subject.analyses = Analyses(merged_analyses)
if merged_findings_bundles:
merged_malware_subject.findings_bundles = merged_findings_bundles
if merged_relationships:
merged_malware_subject.relationships = MalwareSubjectRelationshipList(
merged_relationships)
if merged_compatible_platforms:
merged_malware_subject.compatible_platform = merged_compatible_platforms
