def _create_observables(self, msg):
o = Observables(self.__parse_email_message(msg))
t = ToolInformation()
t.name = os.path.basename(__file__)
t.description = StructuredText("Email to CybOX conversion script")
t.vendor = "The MITRE Corporation"
t.version = __version__
t_list = ToolInformationList()
t_list.append(t)
m = MeasureSource()
m.tools = t_list
o.observable_package_source = m
return o
# Set the Malware_Instance_Object_Attributes on the Malware Subject
ms.malware_instance_object_attributes = Object()
ms.malware_instance_object_attributes.properties = WinExecutableFile()
ms.malware_instance_object_attributes.properties.size_in_bytes = "210564"
ms.malware_instance_object_attributes.properties.add_hash(
"B6C39FF68346DCC8B67AA060DEFE40C2")
ms.malware_instance_object_attributes.properties.add_hash(
"D55B0FB96FAD96D203D10850469489FC03E6F2F7")
# Populate the Analysis with the metadata relating to the Analysis that was performed
a.method = "dynamic"
a.type_ = "triage"
a.set_findings_bundle(b.id_)
t = ToolInformation()
t.name = "ThreatExpert"
t.vendor = "ThreatExpert"
a.add_tool(t)
# Set the requisite attributes on the Bundle and populate it with the Dynamic Analysis findings
b.defined_subject = False
b.content_type = "dynamic analysis tool output"
# Create the first, create file action
act1 = MalwareAction()
act1.name = "create file"
act1.name.xsi_type = "FileActionNameVocab-1.1"
act1.associated_objects = AssociatedObjects()
o1 = AssociatedObject()
o1.properties = WinExecutableFile()
o1.properties.file_name = "Zcxaxz.exe"
o1.properties.size_in_bytes = "332288"
# Set the Malware_Instance_Object_Attributes on the Malware Subject
ms.malware_instance_object_attributes = Object()
ms.malware_instance_object_attributes.properties = WinExecutableFile()
ms.malware_instance_object_attributes.properties.size_in_bytes = "251904"
ms.malware_instance_object_attributes.properties.add_hash(
"5247001dafe411802b1a40e763d9a221")
ms.malware_instance_object_attributes.properties.add_hash(
"7ff89166e226845e9fc52cb711eb5b37d004a0e5")
# Populate the Analysis with the metadata relating to the Analysis that was performed
a.method = "dynamic"
a.type_ = "triage"
a.set_findings_bundle(b.id_)
t = ToolInformation()
t.name = "Anubis"
t.vendor = "ISECLab"
a.add_tool(t)
# Set the requisite attributes on the Bundle and populate it with the Dynamic Analysis findings
b.defined_subject = False
b.content_type = "dynamic analysis tool output"
# Create the create file action initiated by the root process
act1 = MalwareAction()
act1.name = "create file"
act1.name.xsi_type = "FileActionNameVocab-1.1"
act1.associated_objects = AssociatedObjects()
o1 = AssociatedObject()
o1.properties = WinExecutableFile()
o1.properties.file_name = "Zcxaxz.exe"
o1.properties.size_in_bytes = "332288"
a = Analysis()
# Set the Malware_Instance_Object_Attributes on the Malware Subject
ms.malware_instance_object_attributes = Object()
ms.malware_instance_object_attributes.properties = WinExecutableFile()
ms.malware_instance_object_attributes.properties.size_in_bytes = "251904"
ms.malware_instance_object_attributes.properties.add_hash("5247001dafe411802b1a40e763d9a221")
ms.malware_instance_object_attributes.properties.add_hash("7ff89166e226845e9fc52cb711eb5b37d004a0e5")
# Populate the Analysis with the metadata relating to the Analysis that was performed
a.method = "dynamic"
a.type_ = "triage"
a.set_findings_bundle(b.id_)
t = ToolInformation()
t.name = "Anubis"
t.vendor = "ISECLab"
a.add_tool(t)
# Set the requisite attributes on the Bundle and populate it with the Dynamic Analysis findings
b.defined_subject = False
b.content_type = "dynamic analysis tool output"
# Create the create file action initiated by the root process
act1 = MalwareAction()
act1.name = "create file"
act1.name.xsi_type = "FileActionNameVocab-1.1"
act1.associated_objects = AssociatedObjects()
o1 = AssociatedObject()
o1.properties = WinExecutableFile()
o1.properties.file_name = "Zcxaxz.exe"
o1.properties.size_in_bytes = "332288"
maec.utils.set_id_namespace(NS)
# インスタンス化:Bundle, Package, MalwareSubject, Analysis classes
bundle = Bundle(defined_subject=False)
package = Package()
subject = MalwareSubject()
analysis = Analysis()
# Populate the Analysis with the metadata relating to the Analysis that was performed
analysis.method = "dynamic"
analysis.type_ = "triage"
analysis.set_findings_bundle(bundle.id_)
t = ToolInformation()
t.name = "APIMonitor"
t.vendor = "APIMonitor"
analysis.add_tool(t)
# Malware Instance Object Attribures内で使うためのオブジェクトを作成(マルウェアを含んだファイル?)
subject_object = Object() #オブジェクト
subject_object.properties = File() #ファイルオブジェクト
subject_object.properties.file_name = 'seminor.doc' # ファイル名(マルウェアを含んだファイル)
subject_object.properties.size_in_bytes = '154173' #ファイルサイズ
subject_object.properties.add_hash("54CC941747FA99A3521314B9969D4964")
# 辞書から構築されたオブジェクトとマルウェアインスタンスオブジェクト属性を設定
subject.set_malware_instance_object_attributes(subject_object)
# Actionで使うための関連オブジェクトのディクショナリーを作成
def associated(name,path,byte,value="output"):
associated_object = AssociatedObject()
maec.utils.set_id_namespace(NS)
# インスタンス化:Bundle, Package, MalwareSubject, Analysis classes
bundle = Bundle(defined_subject=False)
package = Package()
subject = MalwareSubject()
analysis = Analysis()
# Populate the Analysis with the metadata relating to the Analysis that was performed
analysis.method = "dynamic"
analysis.type_ = "triage"
analysis.set_findings_bundle(bundle.id_)
t = ToolInformation()
t.name = "CapLogger"
t.vendor = "CapLogger"
analysis.add_tool(t)
# Malware Instance Object Attribures内で使うためのオブジェクトを作成(マルウェアを含んだファイル?)
subject_object = Object() #オブジェクト
subject_object.properties = File() #ファイルオブジェクト
subject_object.properties.file_name = 'ShinoBOT.exe' # ファイル名(マルウェアを含んだファイル)
subject_object.properties.file_extension = "exe"
subject_object.properties.size_in_bytes = '154173' #ファイルサイズ
subject_object.properties.add_hash("54CC941747FA99A3521314B9969D4964")
# 辞書から構築されたオブジェクトとマルウェアインスタンスオブジェクト属性を設定
subject.set_malware_instance_object_attributes(subject_object)
# Actionで使うための関連オブジェクトのディクショナリーを作成
def associated(name,path,byte,value="output"):
