    def _add_stix_ttp(self, malware_subject):
        """Create a STIX TTP that identifies a MAEC Malware Subject.

        The TTP's Behavior embeds a minimal MAEC Package holding a fresh
        Malware Subject whose ``malware_instance_object_attributes`` refer to
        the SAME object as ``malware_subject``'s (a reference is stored, not a
        copy). Only that identity (file name, hashes, ...) is carried over;
        the subject's bundles/analyses are not part of the TTP.

        Args:
            malware_subject: the ``maec.malware_subject.MalwareSubject`` whose
                binary identity the TTP should describe.

        Returns:
            The ``id_`` of the TTP that was added to ``self.stix_package``.
        """
        ttp = TTP()
        behavior = Behavior()
        ttp.behavior = behavior

        # Minimal MAEC Package: one subject, instance-object attributes only.
        identity_package = Package()
        identity_subject = MalwareSubject()
        identity_subject.malware_instance_object_attributes = (
            malware_subject.malware_instance_object_attributes
        )
        identity_package.add_malware_subject(identity_subject)

        # Hang the Package off the Behavior via a MAEC Instance.
        maec_instance = MAECInstance()
        maec_instance.maec = identity_package
        behavior.add_malware_instance(maec_instance)

        self.stix_package.add_ttp(ttp)
        return ttp.id_
def generate_package_from_parser(input_parser, options=None):
    """Run *input_parser* and wrap its Malware Subject in a new MAEC Package.

    Args:
        input_parser: parser exposing ``parse_document()`` and, once that has
            run, a ``malware_subject`` attribute holding the translated
            ``MalwareSubject``.
        options: optional object with boolean attributes ``normalize_bundles``,
            ``deduplicate_bundles`` and ``dereference_bundles``. Each one that
            is set triggers the ``MalwareSubject`` method of the same name,
            in that order, before the subject is added to the Package. A
            falsy ``options`` (the default ``None``) skips all of them.

    Returns:
        The new ``Package`` containing the single Malware Subject.
    """
    # NOTE(review): parse_document() consumes analysis output describing a
    # malicious sample, i.e. attacker-influenced data. If the parser reads
    # XML, entity expansion / external entity resolution should be disabled
    # there -- that lives in the parser, not here; verify it.
    input_parser.parse_document()

    package = Package()
    malware_subject = input_parser.malware_subject

    # Each option flag is named after the MalwareSubject method it enables;
    # the order of this tuple is the order the steps are applied in.
    if options:
        for step in ("normalize_bundles", "deduplicate_bundles",
                     "dereference_bundles"):
            if getattr(options, step):
                getattr(malware_subject, step)()

    package.add_malware_subject(malware_subject)
    return package
# Code for MAEC Related Malware Idiom
from maec.package.package import Package
from maec.package.malware_subject import (MalwareSubject, MalwareSubjectRelationship, 
                                          MalwareSubjectRelationshipList, MalwareSubjectReference)
from cybox.common import VocabString
from cybox.core import Object
from cybox.objects.file_object import File

# Set up the necessary Package and Malware Subject instances
p = Package()
ms1 = MalwareSubject()
ms2 = MalwareSubject()
ms3 = MalwareSubject()
ms4 = MalwareSubject()


def _describe_binary(subject, file_name, size_in_bytes=None, digest=None):
    """Record the identity of a malware binary on *subject*.

    Sets ``subject.malware_instance_object_attributes`` to a CybOX ``Object``
    whose ``properties`` is a ``File`` carrying the given name and, when
    supplied, the size and one hash digest.

    Args:
        subject: the ``MalwareSubject`` to annotate.
        file_name: file name of the binary.
        size_in_bytes: optional size, stored exactly as given (a string in
            this example).
        digest: optional hash digest string handed to ``File.add_hash``.
    """
    subject.malware_instance_object_attributes = Object()
    subject.malware_instance_object_attributes.properties = File()
    file_props = subject.malware_instance_object_attributes.properties
    file_props.file_name = file_name
    if size_in_bytes is not None:
        file_props.size_in_bytes = size_in_bytes
    if digest is not None:
        file_props.add_hash(digest)


# First Malware Subject: identified by name, size and a single 32-hex-digit
# (MD5) digest. NOTE(review): MD5 alone is a weak identity for a malware
# binary -- collisions are practical -- so when the sample is available,
# record a SHA-256 alongside it for consumers that match on stronger hashes.
_describe_binary(ms1, "dg003_improve_8080_V132.exe",
                 size_in_bytes="196608",
                 digest="4EC0027BEF4D7E1786A04D021FA8A67F")

# Second and third Malware Subjects: known only by file name
_describe_binary(ms2, "msvcr.dll")
_describe_binary(ms3, "fvcwin32.exe")
 def __init__(self, pefile_parser):
     """Wrap a pefile parser and immediately build a MAEC Package from it.

     Args:
         pefile_parser: the pefile parser whose results ``generate_maec()``
             translates into ``self.package``.

     Side effects:
         Calls ``maec.utils.set_id_namespace``. NOTE(review): this presumably
         changes the ID namespace for every MAEC object created afterwards in
         the process, not only those built here -- confirm against
         ``maec.utils`` if other MAEC producers run in the same process.
     """
     self.pefile_parser = pefile_parser

     # Generated IDs are minted under the pefile namespace. This is kept
     # before Package() as in the original ordering, presumably so the
     # Package's own ID already uses that namespace.
     pefile_namespace = Namespace("http://code.google.com/p/pefile/", "pefile")
     maec.utils.set_id_namespace(pefile_namespace)
     self.package = Package()

     self.generate_maec()