def create_maec(inputfile, outpath, verbose_error_mode):
if os.path.isfile(inputfile):
#Create the main parser object
parser = gparser.parser()
try:
open_file = parser.open_file(inputfile)
if not open_file:
print('\nError: Error in parsing input file. Please check to ensure that it is valid XML and conforms to the GFI Sandbox output schema.')
return
#Parse the file to get the actions and processes
parser.parse_document()
#Create the MAEC package
package = Package()
#Add the analysis
package.add_malware_subject(parser.malware_subject)
#Finally, Export the results
package.to_xml_file(outpath, {"https://github.com/MAECProject/gfi-sandbox-to-maec":"GFISandboxToMAEC"})
print "Wrote to " + outpath
except Exception, err:
print('\nError: %s\n' % str(err))
if verbose_error_mode:
traceback.print_exc()
def merge_packages(package_list, namespace = None):
'''Merge a list of input MAEC Packages and return a merged Package instance.'''
malware_subjects = []
# Instantiate the ID generator class (for automatic ID generation)
if not namespace:
NS = Namespace("https://github.com/MAECProject/python-maec", "merged")
else:
NS = namespace
maec.utils.set_id_namespace(NS)
# Build the list of Malware Subjects
for package in package_list:
for malware_subject in package.malware_subjects:
malware_subjects.append(malware_subject)
# Merge the Malware Subjects
merged_subjects = merge_malware_subjects(malware_subjects)
# Merge the input namespace/schemaLocation dictionaries
merged_namespaces = {}
merged_schemalocations = {}
for package in package_list:
merged_namespaces.update(package.__input_namespaces__)
merged_schemalocations.update(package.__input_schemalocations__)
# Create a new Package with the merged Malware Subjects
merged_package = Package()
merged_package.malware_subjects = MalwareSubjectList(merged_subjects)
merged_package.__input_namespaces__ = merged_namespaces
merged_package.__input_schemalocations__ = merged_schemalocations
return merged_package
def generate_package_from_parser(input_parser, options=None, from_md5=False):
"""Take a populated ThreatExpert parser object and return a MAEC package object."""
try:
# Parse the file to get the actions and processes
input_parser.parse_document()
except:
if from_md5:
raise Exception("Fetched document is not a valid ThreatExpert report. It is likely that this file has never been reported to ThreatExpert.")
else:
raise Exception("Input document is not a valid ThreatExpert report.")
# Create the MAEC Package
package = Package()
# Add the namespace to the package
package.__input_namespaces__["ThreatExpertToMAEC"] = "https://github.com/MAECProject/threatexpert-to-maec"
# Add the analysis
for malware_subject in input_parser.maec_subjects:
if options:
if options.normalize_bundles:
malware_subject.normalize_bundles()
if options.deduplicate_bundles:
malware_subject.deduplicate_bundles()
if options.dereference_bundles:
malware_subject.dereference_bundles()
package.add_malware_subject(malware_subject)
return package
def maec_s(maecs):
print "maec"
maec_obj = package_binding.parse(maecs)
obs = Package.from_obj(maec_obj)
pac = Package(obs)
dic = pac.to_dict()
print "name:",dic["id"]["malware_subjects"][0]["findings_bundles"]["bundle"][0]["process_tree"]["root_process"]["name"]
print "pid:",dic["id"]["malware_subjects"][0]["findings_bundles"]["bundle"][0]["process_tree"]["root_process"]["pid"]
print "spawned_process:",dic["id"]["malware_subjects"][0]["findings_bundles"]["bundle"][0]["process_tree"]["root_process"]["spawned_process"]
print "id:",dic["id"]["malware_subjects"][0]["findings_bundles"]["bundle"][0]["process_tree"]["root_process"]["id"]
def _maec_from_dict(cls, d):
if _MAEC_INSTALLED:
return maecPackage.from_dict(d)
raise ValueError(
"Unable to parse 'maec' value in dictionary. Please " "install python-maec to parse dictionary value."
)
def test_maec_wrapped_in_stix(self):
maec_package = Package.from_xml(self._maec_package)[0]
stix_package = wrap_maec(maec_package)
stix_ttp = stix_package.ttps[0]
malware_instances = stix_ttp.behavior.malware_instances
wrapped_maec_package = malware_instances[0].maec
self.assertEqual(wrapped_maec_package.to_xml(include_namespaces=False,pretty=False),
self._wrapped_maec_package)
def _maec_from_dict(cls, d):
if _MAEC_INSTALLED:
return maecPackage.from_dict(d)
raise ValueError(
"Unable to parse 'maec' value in dictionary. Please "
"install python-maec to parse dictionary value."
)
def merge_packages(package_list, output_file):
'''Merge a list of input MAEC Packages and write them to an output Package file'''
malware_subjects = []
# Instantiate the ID generator class (for automatic ID generation)
NS = Namespace("https://github.com/MAECProject/python-maec", "merged")
maec.utils.set_id_namespace(NS)
# Build the list of Malware Subjects
for package in package_list:
for malware_subject in package.malware_subjects:
malware_subjects.append(malware_subject)
# Merge the Malware Subjects
merged_subjects = merge_malware_subjects(malware_subjects)
# Create a new Package with the merged Malware Subjects
merged_package = Package()
merged_package.malware_subjects = MalwareSubjectList(merged_subjects)
# Write the Package to the output file
merged_package.to_xml_file(output_file, {"https://github.com/MAECProject/python-maec":"merged"})
def create_maec(inputfile, outpath, verbose_error_mode, options):
if os.path.isfile(inputfile):
#Create the main parser object
parser = anparser.parser()
try:
open_file = parser.open_file(inputfile)
if not open_file:
print('\nError: Error in parsing input file. Please check to ensure that it is valid XML and conforms to the Anbuis output schema.')
return
#Parse the file to get the actions and processes
parser.parse_document()
#Create the MAEC package
package = Package()
#Add the analysis
for subject in parser.maec_subjects:
package.add_malware_subject(subject)
if options:
if options.normalize_bundles:
subject.normalize_bundles()
if options.deduplicate_bundles:
subject.deduplicate_bundles()
if options.dereference_bundles:
subject.dereference_bundles()
##Finally, Export the results
package.to_xml_file(outpath,
{"https://github.com/MAECProject/anubis-to-maec":"AnubisToMAEC"})
print "Wrote to " + outpath
except Exception, err:
print('\nError: %s\n' % str(err))
if verbose_error_mode:
traceback.print_exc()
def _add_stix_ttp(self, malware_subject):
"""Create and add a STIX TTP for a MAEC Malware Subject.
Args:
malware_subject: the ``maec.malware_subject.MalwareSubject`` for which the STIX TTP will be created.
Returns:
The ID of the newly created STIX TTP.
"""
# Create the STIX TTP that includes the MAEC Instance
ttp = TTP()
ttp.behavior = Behavior()
# Add a MAEC Package with just the Malware Subject
# For capturing the identity of the malware binary that the Indicators target
maec_package = Package()
new_malware_subject = MalwareSubject()
new_malware_subject.malware_instance_object_attributes = malware_subject.malware_instance_object_attributes
maec_package.add_malware_subject(new_malware_subject)
maec_malware_instance = MAECInstance()
maec_malware_instance.maec = maec_package
ttp.behavior.add_malware_instance(maec_malware_instance)
self.stix_package.add_ttp(ttp)
return ttp.id_
def _add_stix_ttp(self, malware_subject):
"""Create and add a STIX TTP for a MAEC Malware Subject.
Args:
malware_subject: the ``maec.malware_subject.MalwareSubject`` for which the STIX TTP will be created.
Returns:
The ID of the newly created STIX TTP.
"""
# Create the STIX TTP that includes the MAEC Instance
ttp = TTP()
ttp.behavior = Behavior()
# Add a MAEC Package with just the Malware Subject
# For capturing the identity of the malware binary that the Indicators target
maec_package = Package()
new_malware_subject = MalwareSubject()
new_malware_subject.malware_instance_object_attributes = malware_subject.malware_instance_object_attributes
maec_package.add_malware_subject(new_malware_subject)
maec_malware_instance = MAECInstance()
maec_malware_instance.maec = maec_package
ttp.behavior.add_malware_instance(maec_malware_instance)
self.stix_package.add_ttp(ttp)
return ttp.id_
def from_obj(cls, obj):
if not obj:
return None
return_obj = cls()
if _MAEC_INSTALLED:
obj.MAEC = maecPackage.from_obj(obj.MAEC)
else:
obj.MAEC = obj.MAEC
return_obj = super(MAECInstance, cls).from_obj(obj)
return return_obj
def from_obj(cls, obj, return_obj=None):
if not obj:
return None
if not return_obj:
return_obj = cls()
super(MAECInstance, cls).from_obj(obj, return_obj)
if _MAEC_INSTALLED:
return_obj.maec = maecPackage.from_obj(obj.MAEC)
else:
return_obj.maec = obj.MAEC
return return_obj
def from_obj(cls, obj, return_obj=None):
if not obj:
return None
if not return_obj:
return_obj = cls()
super(MAECInstance, cls).from_obj(obj, return_obj)
if _MAEC_INSTALLED:
return_obj.maec = maecPackage.from_obj(obj.MAEC)
else:
return_obj.maec = obj.MAEC
return return_obj
def generate_package_from_parser(input_parser, options=None):
# Parse the file and perform the translation into MAEC
input_parser.parse_document()
# Create the MAEC Package
package = Package()
# Get the Malware Subject
malware_subject = input_parser.malware_subject
# Check for the existence of the options structure and if any are set
# If so, perform the appropriate actions
if options:
if options.normalize_bundles:
malware_subject.normalize_bundles()
if options.deduplicate_bundles:
malware_subject.deduplicate_bundles()
if options.dereference_bundles:
malware_subject.dereference_bundles()
# Add the Malware Subject
package.add_malware_subject(malware_subject)
return package
def generate_package_from_parser(input_parser, options=None):
# Parse the file and perform the translation into MAEC
input_parser.parse_document()
# Create the MAEC Package
package = Package()
# Get the Malware Subject
malware_subject = input_parser.malware_subject
# Check for the existence of the options structure and if any are set
# If so, perform the appropriate actions
if options:
if options.normalize_bundles:
malware_subject.normalize_bundles()
if options.deduplicate_bundles:
malware_subject.deduplicate_bundles()
if options.dereference_bundles:
malware_subject.dereference_bundles()
# Add the Malware Subject
package.add_malware_subject(malware_subject)
return package
def parse_xml(self, xml_file, check_version=True):
"""Creates a python-maec Bundle or Package object from the supplied xml_file.
Arguments:
xml_file -- A filename/path or a file-like object reprenting a MAEC instance (i.e. Package or Bundle) document
check_version -- Inspect the version before parsing.
"""
parser = etree.ETCompatXMLParser(huge_tree=True, resolve_entities=False)
tree = etree.parse(xml_file, parser=parser)
api_obj = None
binding_obj = self.parse_xml_to_obj(xml_file, check_version)
if self.is_package:
from maec.package.package import Package # resolve circular dependencies
api_obj = Package.from_obj(binding_obj)
elif self.is_bundle:
from maec.bundle.bundle import Bundle # resolve circular dependencies
api_obj = Bundle.from_obj(binding_obj)
self._apply_input_namespaces(tree, api_obj)
return api_obj
def generate_oval(self):
#Basic input file checking
if os.path.isfile(self.infilename):
#Try parsing the MAEC file with both bindings
package_obj = package_binding.parse(self.infilename)
bundle_obj = bundle_binding.parse(self.infilename)
try:
sys.stdout.write('Generating ' + self.outfilename + ' from ' + self.infilename + '...')
#Test whether the input is a Package or Bundle and process accordingly
if bundle_obj.hasContent_():
maec_bundle = Bundle.from_obj(bundle_obj)
self.process_bundle(maec_bundle)
elif package_obj.hasContent_():
maec_package = Package.from_obj(package_obj)
for malware_subject in maec_package.malware_subjects:
for maec_bundle in malware_subject.findings_bundles.bundles:
self.process_bundle(maec_bundle)
#Build up the OVAL document from the parsed data and corresponding objects
self.__build_oval_document()
if len(self.converted_ids) > 0:
#Export to the output file
outfile = open(self.outfilename, 'w')
self.ovaldefroot.export(outfile, 0, namespacedef_='xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:oval-def="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:win-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows" xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows http://oval.mitre.org/language/version5.7/ovaldefinition/complete/windows-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5 http://oval.mitre.org/language/version5.7/ovaldefinition/complete/oval-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-common-5 http://oval.mitre.org/language/version5.7/ovaldefinition/complete/oval-common-schema.xsd"')
sys.stdout.write('Done\n')
else:
sys.stdout.write('no OVAL output written; 0 actions were converted.\n')
if self.stat_mode:
print '\n**Converted Actions**'
for action_id in self.converted_ids:
print 'Action ' + action_id + ' converted successfully'
print '**Skipped Actions**'
for action_id in self.skipped_actions:
print 'Action ' + action_id + ' skipped; incompatible action/object type or missing object attributes'
except Exception, err:
print('\nError: %s\n' % str(err))
if self.verbose_mode:
traceback.print_exc()
def from_dict(cls, d, return_obj=None):
if not d:
return None
if not return_obj:
return_obj = cls()
super(MAECInstance, cls).from_dict(d, return_obj)
if 'maec' in d:
maec = d['maec']
if isinstance(maec, dict):
if not _MAEC_INSTALLED:
raise ValueError(
"Unable to parse 'maec' value in dictionary. Please "
"install python-maec to parse dictionary value.")
return_obj.maec = maecPackage.from_dict(maec)
else:
parser = stix.utils.parser.get_xml_parser()
return_obj.maec = etree.parse(StringIO(maec), parser=parser)
return return_obj
def from_dict(cls, d, return_obj=None):
if not d:
return None
if not return_obj:
return_obj = cls()
super(MAECInstance, cls).from_dict(d, return_obj)
if 'maec' in d:
maec = d['maec']
if isinstance(maec, dict):
if not _MAEC_INSTALLED:
raise ValueError(
"Unable to parse 'maec' value in dictionary. Please "
"install python-maec to parse dictionary value."
)
return_obj.maec = maecPackage.from_dict(maec)
else:
parser = stix.utils.parser.get_xml_parser()
return_obj.maec = etree.parse(StringIO(maec), parser=parser)
return return_obj
def test_positive_stix_indicators(self):
maec_package = Package.from_xml(self._maec_package_positive)[0]
extractor = IndicatorExtractor(maec_package)
stix_package = extractor.extract()
self.assertEquals(len(stix_package.indicators), 4)
from maec.package.package import Package
from maec.package.malware_subject import MalwareSubject
from maec.package.analysis import Analysis
from maec.bundle.bundle import Bundle
from maec.bundle.malware_action import MalwareAction
from maec.bundle.process_tree import ProcessTree, ProcessTreeNode
from cybox.objects.win_executable_file_object import WinExecutableFile
from cybox.common import ToolInformation, VocabString
# サンプルの名前空間に(自動ID生成用の)IDジェネレータクラスをインスタンス化
NS = Namespace("http://example.com/", "example")
maec.utils.set_id_namespace(NS)
# インスタンス化:Bundle, Package, MalwareSubject, Analysis classes
bundle = Bundle(defined_subject=False)
package = Package()
subject = MalwareSubject()
analysis = Analysis()
# Populate the Analysis with the metadata relating to the Analysis that was performed
analysis.method = "dynamic"
analysis.type_ = "triage"
analysis.set_findings_bundle(bundle.id_)
t = ToolInformation()
t.name = "APIMonitor"
t.vendor = "APIMonitor"
analysis.add_tool(t)
# Malware Instance Object Attribures内で使うためのオブジェクトを作成(マルウェアを含んだファイル?)
subject_object = Object() #オブジェクト
def test_stix_ttp_malware_instances(self):
maec_package = Package.from_xml(self._maec_package)[0]
stix_package = wrap_maec(maec_package)
stix_ttp = stix_package.ttps[0]
malware_instances = stix_ttp.behavior.malware_instances
self.assertEquals(len(malware_instances), 1)
# Code for MAEC In-depth Analysis Idiom
from maec.package.package import Package
from maec.package.malware_subject import MalwareSubject
from maec.package.analysis import Analysis
from maec.bundle.bundle import Bundle, BehaviorReference
from maec.bundle.malware_action import MalwareAction
from maec.bundle.capability import Capability, CapabilityObjective, CapabilityList
from maec.bundle.behavior import Behavior, BehavioralActions, BehavioralActionReference
from cybox.core import Object, AssociatedObject, AssociatedObjects
from cybox.objects.win_executable_file_object import WinExecutableFile
from cybox.objects.win_hook_object import WinHook
from cybox.common import VocabString
# Set up the necessary Package, Malware Subject, Analysis Bundle Instances
p = Package()
ms = MalwareSubject()
b = Bundle()
a = Analysis()
# Set the Malware_Instance_Object_Attributes on the Malware Subject
ms.malware_instance_object_attributes = Object()
ms.malware_instance_object_attributes.properties = WinExecutableFile()
ms.malware_instance_object_attributes.properties.size_in_bytes = "210564"
ms.malware_instance_object_attributes.properties.add_hash("B6C39FF68346DCC8B67AA060DEFE40C2")
# Populate the Analysis with the metadata relating to the Analysis that was performed
a.method = "static"
a.type_ = "in-depth"
a.set_findings_bundle(b.id_)
# Set the requisite attributes on the Bundle and populate it with the In-depth Analysis findings
def __init__(self, pefile_parser):
self.pefile_parser = pefile_parser
NS = Namespace("http://code.google.com/p/pefile/", "pefile")
maec.utils.set_id_namespace(NS)
self.package = Package()
self.generate_maec()
def test_stix_ttp(self):
maec_package = Package.from_xml(self._maec_package)[0]
stix_package = wrap_maec(maec_package)
self.assertEquals(len(stix_package.ttps), 1)
# Code for MAEC In-depth Analysis Idiom
from maec.package.package import Package
from maec.package.malware_subject import MalwareSubject
from maec.package.analysis import Analysis
from maec.bundle.bundle import Bundle, BehaviorReference
from maec.bundle.malware_action import MalwareAction
from maec.bundle.capability import Capability, CapabilityObjective, CapabilityList
from maec.bundle.behavior import Behavior, BehavioralActions, BehavioralActionReference
from cybox.core import Object, AssociatedObject, AssociatedObjects
from cybox.objects.win_executable_file_object import WinExecutableFile
from cybox.objects.win_hook_object import WinHook
from cybox.common import VocabString
# Set up the necessary Package, Malware Subject, Analysis Bundle Instances
p = Package()
ms = MalwareSubject()
b = Bundle()
a = Analysis()
# Set the Malware_Instance_Object_Attributes on the Malware Subject
ms.malware_instance_object_attributes = Object()
ms.malware_instance_object_attributes.properties = WinExecutableFile()
ms.malware_instance_object_attributes.properties.size_in_bytes = "210564"
ms.malware_instance_object_attributes.properties.add_hash(
"B6C39FF68346DCC8B67AA060DEFE40C2")
# Populate the Analysis with the metadata relating to the Analysis that was performed
a.method = "static"
a.type_ = "in-depth"
a.set_findings_bundle(b.id_)
class PefileToMAEC(object):
def __init__(self, pefile_parser):
self.pefile_parser = pefile_parser
NS = Namespace("http://code.google.com/p/pefile/", "pefile")
maec.utils.set_id_namespace(NS)
self.package = Package()
self.generate_maec()
def create_object_dict(self, properties_dict):
object_dict = {'id': maec.utils.idgen.create_id(prefix="object"), 'properties': properties_dict}
return object_dict
def populate(self, entry_dict, static_bundle, malware_subject=None):
if 'file' in entry_dict and len(entry_dict['file'].keys()) > 1:
file_dict = self.create_object_dict(entry_dict['file'])
if malware_subject:
malware_subject.malware_instance_object_attributes = Object.from_dict(file_dict)
# Add the hashes for the Malware Instance Object Attributes
data = open(self.pefile_parser.infile, 'rb').read()
if data:
md5_hash = hashlib.md5(data).hexdigest()
sha1_hash = hashlib.sha1(data).hexdigest()
malware_subject.malware_instance_object_attributes.properties.add_hash(md5_hash)
malware_subject.malware_instance_object_attributes.properties.add_hash(sha1_hash)
else:
static_bundle.add_object(Object.from_dict(file_dict))
if 'pe' in entry_dict and len(entry_dict['pe'].keys()) > 1:
pe_dict = self.create_object_dict(entry_dict['pe'])
static_bundle.add_object(Object.from_dict(pe_dict))
def generate_analysis(self, static_bundle):
analysis = Analysis()
analysis.type = 'triage'
analysis.method = 'static'
analysis.add_tool(ToolInformation.from_dict({'id': maec.utils.idgen.create_id(prefix="tool"),
'vendor': 'Ero Carrera',
'name': 'pefile'}))
findings_bundle_reference = []
if self.bundle_has_content(static_bundle):
findings_bundle_reference.append(BundleReference.from_dict({'bundle_idref':static_bundle.id_}))
analysis.findings_bundle_reference = findings_bundle_reference
return analysis
def bundle_has_content(self, bundle):
if bundle.actions and len(bundle.actions) > 0:
return True
if bundle.objects and len(bundle.objects) > 0:
return True
if bundle.behaviors and len(bundle.behaviors) > 0:
return True
return False
def generate_malware_subjects(self):
entry_dict = self.pefile_parser.entry_dict
malware_subject = MalwareSubject()
entry_dict['id'] = malware_subject
static_bundle = Bundle(None, False, '4.1', 'static analysis tool output')
self.populate(entry_dict, static_bundle, malware_subject)
malware_subject.add_analysis(self.generate_analysis(static_bundle))
if self.bundle_has_content(static_bundle):
malware_subject.add_findings_bundle(static_bundle)
self.package.add_malware_subject(malware_subject)
def generate_maec(self):
self.generate_malware_subjects()
from maec.bundle.bundle import Bundle
from maec.bundle.malware_action import MalwareAction
from maec.package.analysis import Analysis
from maec.package.malware_subject import MalwareSubject
from maec.package.package import Package
from maec.id_generator import Generator
from maec.utils import MAECNamespaceParser
from cybox.core.object import Object
from cybox.core.associated_object import AssociatedObject
#Instantiate the ID generator class (for automatic ID generation) with our example namespace
generator = Generator('example1')
#Instantiate the Bundle, Package, MalwareSubject, and Analysis classes
bundle = Bundle(id=generator.generate_bundle_id(), defined_subject=False)
package = Package(id=generator.generate_package_id())
subject = MalwareSubject(id=generator.generate_malware_subject_id())
analysis = Analysis(id=generator.generate_analysis_id())
#Create the Subject Object Dictionary for use in the Malware Instance Object Attributes
subject_object_dict = {'id' : generator.generate_object_id(), 'properties' : {'xsi:type' : 'FileObjectType', 'name' : 'foobar.exe', 'size_in_bytes' : '35532'}}
#Set the Malware Instance Object Attributes with an Object constructed from the dictionary
subject.set_malware_instance_object_attributes(Object.from_dict(subject_object_dict))
#Create the Associated Object Dictionary for use in the Action
associated_object_dict = {'id' : generator.generate_object_id(), 'properties' : {'xsi:type' : 'FileObjectType', 'file_name' : 'abcd.dll', 'size_in_bytes' : '12346'}, 'association_type' : {'value' : 'output', 'xsi:type' : 'maecVocabs:ActionObjectAssociationTypeVocab-1.0'}}
#Create the Action from another dictionary
action = MalwareAction.from_dict({'id' : generator.generate_malware_action_id(), 'name' : {'value' : 'create file', 'xsi:type' : 'maecVocabs:FileActionNameVocab-1.0'}, 'associated_objects' : [associated_object_dict]})
#Add the Action to the buundle
bundle.add_action(action)
#Add the Bundle to the Malware Subject
subject.add_findings_bundle(bundle)
#Add the Malware Subject to the Package
def test_positive_stix_indicators(self):
maec_package = Package.from_xml(self._maec_package_positive)[0]
extractor = IndicatorExtractor(maec_package)
stix_package = extractor.extract()
self.assertEquals(len(stix_package.indicators), 4)
def test_negative_stix_indicators(self):
maec_package = Package.from_xml(self._maec_package_negative)[0]
extractor = IndicatorExtractor(maec_package)
stix_package = extractor.extract()
self.assertEquals(stix_package, None)
# Code for MAEC Related Malware Idiom
from maec.package.package import Package
from maec.package.malware_subject import (MalwareSubject, MalwareSubjectRelationship,
MalwareSubjectRelationshipList, MalwareSubjectReference)
from cybox.common import VocabString
from cybox.core import Object
from cybox.objects.file_object import File
# Set up the necessary Package and Malware Subject instances
p = Package()
ms1 = MalwareSubject()
ms2 = MalwareSubject()
ms3 = MalwareSubject()
ms4 = MalwareSubject()
# Set the Malware_Instance_Object_Attributes on the first Malware Subject
ms1.malware_instance_object_attributes = Object()
ms1.malware_instance_object_attributes.properties = File()
ms1.malware_instance_object_attributes.properties.file_name = "dg003_improve_8080_V132.exe"
ms1.malware_instance_object_attributes.properties.size_in_bytes = "196608"
ms1.malware_instance_object_attributes.properties.add_hash("4EC0027BEF4D7E1786A04D021FA8A67F")
# Set the Malware_Instance_Object_Attributes on the second Malware Subject
ms2.malware_instance_object_attributes = Object()
ms2.malware_instance_object_attributes.properties = File()
ms2.malware_instance_object_attributes.properties.file_name = "msvcr.dll"
# Set the Malware_Instance_Object_Attributes on the third Malware Subject
ms3.malware_instance_object_attributes = Object()
ms3.malware_instance_object_attributes.properties = File()
ms3.malware_instance_object_attributes.properties.file_name = "fvcwin32.exe"
from cybox.objects.file_object import File
from maec.bundle.bundle import Bundle
from maec.bundle.malware_action import MalwareAction
from maec.bundle.capability import Capability
from maec.package.analysis import Analysis
from maec.package.malware_subject import MalwareSubject
from maec.package.package import Package
from cybox.utils import Namespace
import maec.utils
# Instantiate the ID generator class (for automatic ID generation) with our example namespace
NS = Namespace("http://example.com/", "example")
maec.utils.set_id_namespace(NS)
# Instantiate the Bundle, Package, MalwareSubject, and Analysis classes
bundle = Bundle(defined_subject=False)
package = Package()
subject = MalwareSubject()
analysis = Analysis()
# Create the Object for use in the Malware Instance Object Attributes
subject_object = Object()
subject_object.properties = File()
subject_object.properties.name = "foobar.exe"
subject_object.properties.size_in_bytes = "35532"
subject_object.properties.hashes = HashList()
subject_object.properties.hashes.append(Hash("8743b52063cd84097a65d1633f5c74f5"))
# Set the Malware Instance Object Attributes with an Object constructed from the dictionary
subject.set_malware_instance_object_attributes(subject_object)
# Create the Associated Object Dictionary for use in the Action
associated_object = AssociatedObject()
associated_object.properties = File()
associated_object.properties.file_name = "abcd.dll"
def test_negative_stix_indicators(self):
maec_package = Package.from_xml(self._maec_package_negative)[0]
extractor = IndicatorExtractor(maec_package)
stix_package = extractor.extract()
self.assertEquals(stix_package, None)
def vt_report_to_maec_package(vt_report_input, options = None):
"""Accept a VirusTotal report (as a Python structure) and return a corresponding MAEC Package API object."""
NS = Namespace("https://github.com/MAECProject/vt-to-maec", "VirusTotalToMAEC")
maec.utils.set_id_namespace(NS)
package = Package()
# if only one result, make it a list of one result
if type(vt_report_input) != list:
vt_report_list = [vt_report_input]
else:
vt_report_list = vt_report_input
for idx, vt_report in enumerate(vt_report_list):
# if VirusTotal has never seen this MD5
if vt_report["response_code"] == 0:
sys.stderr.write("WARNING: Skipping file #" + str(idx+1) + " (" + vt_report["resource"] + "); this MD5 is unknown to VirusTotal\n")
sys.stderr.flush();
continue
if vt_report["response_code"] == -1:
sys.stderr.write("WARNING: VirusTotal had an unexpected error on file #" + str(idx+1) + " (" + vt_report["resource"] + "): " +
vt_report.get("verbose_message", "no message provided") + "\n")
sys.stderr.flush();
continue
malware_subject = MalwareSubject()
# create the file object and add hashes
file_dict = {}
file_dict['xsi:type'] = 'WindowsExecutableFileObjectType'
file_dict['hashes'] = [
{'type' : 'MD5', 'simple_hash_value': vt_report["md5"] },
{'type' : 'SHA1', 'simple_hash_value': vt_report["sha1"] },
{'type' : 'SHA256', 'simple_hash_value': vt_report["sha256"] }
]
# set the object as the defined object
object_dict = {}
object_dict['id'] = maec.utils.idgen.create_id(prefix="object")
object_dict['properties'] = file_dict
# bind the object to the malware subject object
malware_subject.set_malware_instance_object_attributes(Object.from_dict(object_dict))
# create the analysis and add it to the subject
analysis = Analysis()
analysis.type_ = 'triage'
analysis.method = 'static'
analysis.complete_datetime = vt_report["scan_date"].replace(" ", "T")
analysis.add_tool(ToolInformation.from_dict({'id' : maec.utils.idgen.create_id(prefix="tool"),
'vendor' : 'VirusTotal',
'name' : 'VirusTotal' }))
malware_subject.add_analysis(analysis)
bundle_obj = Bundle()
for vendor, scan in vt_report["scans"].items():
if scan["result"] is not None:
bundle_obj.add_av_classification(AVClassification.from_dict({ 'classification_name' : scan["result"], 'vendor' : vendor }))
# add bundle to subject, bundle to analysis, and subject to package
malware_subject.add_findings_bundle(bundle_obj)
analysis.set_findings_bundle(bundle_obj.id_)
package.add_malware_subject(malware_subject)
package.__input_namespaces__["https://github.com/MAECProject/vt-to-maec"] = "VirusTotalToMAEC"
if options:
if options.normalize_bundles:
malware_subject.normalize_bundles()
if options.deduplicate_bundles:
malware_subject.deduplicate_bundles()
if options.dereference_bundles:
malware_subject.dereference_bundles()
return package
def __init__(self, pefile_parser):
self.pefile_parser = pefile_parser
NS = Namespace("http://code.google.com/p/pefile/", "pefile")
maec.utils.set_id_namespace(NS)
self.package = Package()
self.generate_maec()
class PefileToMAEC(object):
def __init__(self, pefile_parser):
self.pefile_parser = pefile_parser
NS = Namespace("http://code.google.com/p/pefile/", "pefile")
maec.utils.set_id_namespace(NS)
self.package = Package()
self.generate_maec()
def create_object_dict(self, properties_dict):
object_dict = {'id': maec.utils.idgen.create_id(prefix="object"), 'properties': properties_dict}
return object_dict
def populate(self, entry_dict, static_bundle, malware_subject=None):
if 'file' in entry_dict and len(entry_dict['file'].keys()) > 1:
file_dict = self.create_object_dict(entry_dict['file'])
if malware_subject:
malware_subject.malware_instance_object_attributes = Object.from_dict(file_dict)
# Add the hashes for the Malware Instance Object Attributes
data = open(self.pefile_parser.infile, 'rb').read()
if data:
md5_hash = hashlib.md5(data).hexdigest()
sha1_hash = hashlib.sha1(data).hexdigest()
malware_subject.malware_instance_object_attributes.properties.add_hash(md5_hash)
malware_subject.malware_instance_object_attributes.properties.add_hash(sha1_hash)
else:
static_bundle.add_object(Object.from_dict(file_dict))
if 'pe' in entry_dict and len(entry_dict['pe'].keys()) > 1:
pe_dict = self.create_object_dict(entry_dict['pe'])
static_bundle.add_object(Object.from_dict(pe_dict))
def generate_analysis(self, static_bundle):
analysis = Analysis()
analysis.type = 'triage'
analysis.method = 'static'
analysis.add_tool(ToolInformation.from_dict({'id': maec.utils.idgen.create_id(prefix="tool"),
'vendor': 'Ero Carrera',
'name': 'pefile'}))
findings_bundle_reference = []
if self.bundle_has_content(static_bundle):
findings_bundle_reference.append(BundleReference.from_dict({'bundle_idref':static_bundle.id_}))
analysis.findings_bundle_reference = findings_bundle_reference
return analysis
def bundle_has_content(self, bundle):
if bundle.actions and len(bundle.actions) > 0:
return True
if bundle.objects and len(bundle.objects) > 0:
return True
if bundle.behaviors and len(bundle.behaviors) > 0:
return True
return False
def generate_malware_subjects(self):
entry_dict = self.pefile_parser.entry_dict
malware_subject = MalwareSubject()
entry_dict['id'] = malware_subject
static_bundle = Bundle(None, False, '4.1', 'static analysis tool output')
self.populate(entry_dict, static_bundle, malware_subject)
malware_subject.add_analysis(self.generate_analysis(static_bundle))
if self.bundle_has_content(static_bundle):
malware_subject.add_findings_bundle(static_bundle)
self.package.add_malware_subject(malware_subject)
def generate_maec(self):
self.generate_malware_subjects()
