def test_malware_creation():
    """Saving a new Malware assigns it an id and returns a Malware instance."""
    malware = Malware(name='Gootkit')
    # A freshly constructed object carries no id until it is persisted.
    assert malware.id is None
    saved = malware.save()
    assert isinstance(saved, Malware)
    assert saved.id is not None
def populate_malware():
    """Create and persist two Malware objects with family labels.

    Returns:
        The saved Malware objects, in creation order.
    """
    specs = [
        ('Gootkit', ['banker', 'trojan']),
        ('Sofacy', ['trojan']),
    ]
    created = []
    for name, family in specs:
        entry = Malware(name=name).save()
        # family is assigned after the first save and persisted by a second one.
        entry.family = family
        entry.save()
        created.append(entry)
    return created
def populate_malware():
    """Create and persist three labelled Malware objects.

    Returns:
        The saved Malware objects, in creation order.
    """
    specs = [
        ('Gootkit', ['banker']),
        ('Sofacy', ['apt']),
        ('Zeus', ['trojan']),
    ]
    return [Malware(name=name, labels=labels).save() for name, labels in specs]
def clean_db():
    """Warm the model collection cache, then wipe the database.

    NOTE(review): db.clear() discards every stored document. This helper is
    presumably only ever pointed at a test database — confirm the configured
    backend before reusing it anywhere else.
    """
    # pylint: disable=protected-access
    # Touching each collection guarantees it is registered in the cache
    # before the clear happens.
    for model in (Entity, Malware, Observable, Hostname, Tag, Vocabs):
        model._get_collection()
    db.clear()
def test_update_malware():
    """Updating a saved Malware changes the given field, keeps the rest and bumps `modified`."""
    phases = [{'kill_chain_name': 'cyber', 'phase_name': 'cyber1'}]
    original = Malware(
        name='asd',
        labels=['label1'],
        description='123',
        kill_chain_phases=phases,
    )
    original.save()
    modified_before = original.modified
    original_id = original.id

    updated = original.update({'name': 'dsa'})

    assert updated.name == 'dsa'
    # Fields not named in the update survive untouched.
    assert updated.description == '123'
    assert updated.kill_chain_phases == phases
    # The object the update was called on sees the new modification time.
    assert original.modified > modified_before
    # The id stays stable across versions.
    assert updated.id == original_id
def test_malware_import():
    """Importing MITRE's TAXII STIX data yields a fully populated Malware."""
    malware = Malware.from_stix_object(MITRE_MALWARE).save()
    # pylint: disable=protected-access
    assert malware._stix_object is not None
    assert isinstance(malware._stix_object, StixMalware)

    # Core STIX identity and timestamp fields.
    assert malware.type == 'malware'
    assert malware.id == 'malware--79499993-a8d6-45eb-b343-bf58dea5bdde'
    assert malware.created_by_ref == 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5'
    assert str(malware.created) == '2018-04-18 17:59:24.739000+00:00'
    assert str(malware.modified) == '2018-04-18 17:59:24.739000+00:00'

    # Descriptive fields.
    assert malware.name == 'Briba'
    expected_description = (
        'Briba is a trojan used by Elderwood to open a backdoor and download '
        'files on to compromised hosts. (Citation: Symantec Elderwood Sept 2012) '
        '(Citation: Symantec Briba May 2012)\n\nAliases: Briba'
    )
    assert malware.description == expected_description
    assert malware.labels == ['malware']

    # External references are carried over verbatim, in source order.
    expected_references = [
        {
            'source_name': 'mitre-attack',
            'url': 'https://attack.mitre.org/wiki/Software/S0204',
            'external_id': 'S0204',
        },
        {
            'source_name': 'Symantec Elderwood Sept 2012',
            'description': "O'Gorman, G., and McDonald, G.. (2012, September 6). The Elderwood Project. Retrieved February 15, 2018.",
            'url': 'http://www.symantec.com/content/en/us/enterprise/media/security%20response/whitepapers/the-elderwood-project.pdf',
        },
        {
            'source_name': 'Symantec Briba May 2012',
            'description': 'Ladley, F. (2012, May 15). Backdoor.Briba. Retrieved February 21, 2018.',
            'url': 'https://www.symantec.com/security%20response/writeup.jsp?docid=2012-051515-2843-99',
        },
    ]
    assert malware.external_references == expected_references

    assert malware.object_marking_refs == ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168']
    # Custom (x_) STIX properties are reachable through the extended-property accessor.
    assert malware.get_extended_property('x_mitre_aliases') == ['Briba']
def test_filter_latest_versions():
    """Filtering returns only the latest version of each matching Malware."""
    first = Malware(name='malware1', labels=['label1']).save()
    Malware(name='malware2', labels=['label1']).save()
    first.update({'name': 'malware11'})
    # The match for 'malware1' must be the updated version, not the stale one.
    matches = Malware.filter({'name': 'malware1'})
    assert matches[0].modified == first.modified
    # Both objects match (the filter presumably does a substring match),
    # but each appears once — no older versions leak through.
    assert len(Malware.filter({'name': 'malware'})) == 2
def test_malware_versionning():
    """Getting a Malware by id returns its most recent version."""
    malware = Malware(name='asd', labels=['label1'])
    malware.save()
    malware_id = malware.id
    malware.update({'name': 'dsa'})
    latest = Malware.get(malware_id)
    assert latest.id == malware_id
    # A modification time later than creation shows the updated version came back.
    assert latest.created < latest.modified
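def populate_malware_large(count=100):
    """Create and persist `count` Malware objects named Malware000, Malware001, ...

    Args:
        count: Number of objects to create. Defaults to 100, the original
            fixture size, so existing callers are unaffected.

    Returns:
        The saved Malware objects, in creation order.
    """
    # Names are zero-padded to three digits so that, for up to 1000 entries,
    # lexical order matches creation order.
    return [
        Malware(name=f'Malware{i:03}', labels=['trojan']).save()
        for i in range(count)
    ]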
def test_malware_creation():
    """Constructing a Malware builds its backing STIX object."""
    malware = Malware(name='asd', labels=['label1'])
    # pylint: disable=protected-access
    stix_object = malware._stix_object
    assert stix_object is not None
    assert isinstance(stix_object, StixMalware)
def test_malformed_malware():
    """A Malware missing required fields raises ValidationError on construction."""
    # Construction alone must fail — no save() is needed to trigger validation.
    # Presumably `labels` is the missing required field (every valid fixture
    # in this file passes one); verify against the model definition.
    with pytest.raises(ValidationError):
        _ = Malware(name='asd')
def test_save_malware():
    """Saving a well-formed Malware returns a non-None object."""
    malware = Malware(name='asd', labels=['label1'])
    result = malware.save()
    assert result is not None
def test_invalid_malware_family():
    """Saving a Malware with an invalid family value raises ValidationError."""
    # A bare string is rejected; the other fixtures in this file pass a list.
    with pytest.raises(ValidationError):
        Malware(name="123", family='asd').save()
def test_malware_fetch():
    """A saved Malware can be fetched back by its id."""
    saved = Malware(name='Gootkit').save()
    fetched = Malware.get(saved.id)
    assert isinstance(fetched, Malware)
    assert fetched.id == saved.id
def test_malware_attributes():
    """Every listed Malware exposes a list-valued `family` attribute."""
    for entry in Malware.list():
        # hasattr first, so a missing attribute fails as an assertion
        # rather than an AttributeError on the next line.
        assert hasattr(entry, 'family')
        assert isinstance(entry.family, list)
def test_malware_delete():
    """Deleting with all_versions=True removes every version of the Malware."""
    malware = Malware(name='asd', labels=['label1']).save()
    malware.update({'name': 'dsa'})
    # list() reports one object even though two versions now exist.
    assert len(Malware.list()) == 1
    malware.delete(all_versions=True)
    assert not Malware.list()
def test_all_versions():
    """Updating a Malware once yields exactly two stored versions."""
    malware = Malware(name='asd', labels=['label1']).save()
    malware.update({'name': 'dsa'})
    versions = malware.all_versions()
    assert len(versions) == 2