def _add_stix_ttp(self, malware_subject):
    """Create and add a STIX TTP for a MAEC Malware Subject.

    Args:
        malware_subject: the ``maec.malware_subject.MalwareSubject`` for
            which the STIX TTP will be created.

    Returns:
        The ID of the newly created STIX TTP.
    """
    # Wrap a minimal MAEC Package around a fresh Malware Subject that carries
    # only the instance object attributes (the identity of the binary the
    # Indicators target). The attributes object itself is shared with the
    # caller's subject, not copied.
    subject_copy = MalwareSubject()
    subject_copy.malware_instance_object_attributes = (
        malware_subject.malware_instance_object_attributes
    )
    wrapper_package = Package()
    wrapper_package.add_malware_subject(subject_copy)

    # Embed that Package in a MAEC Instance hung off the TTP's Behavior.
    instance = MAECInstance()
    instance.maec = wrapper_package
    behavior = Behavior()
    behavior.add_malware_instance(instance)

    ttp = TTP()
    ttp.behavior = behavior
    self.stix_package.add_ttp(ttp)
    return ttp.id_
def generate_package_from_parser(input_parser, options=None):
    """Build a MAEC Package from an already-constructed input parser.

    Args:
        input_parser: a parser object exposing ``parse_document()`` and,
            afterwards, a ``malware_subject`` attribute. The parser is the
            point at which the (possibly untrusted) input document is read.
        options: optional settings object with boolean attributes
            ``normalize_bundles``, ``deduplicate_bundles`` and
            ``dereference_bundles``; when falsy, no post-processing is done.

    Returns:
        A ``Package`` containing the parser's single Malware Subject.
    """
    # Translation into MAEC happens inside the parser.
    input_parser.parse_document()
    subject = input_parser.malware_subject

    # Optional bundle post-processing, applied in the fixed order
    # normalize -> deduplicate -> dereference.
    if options:
        steps = (
            (options.normalize_bundles, subject.normalize_bundles),
            (options.deduplicate_bundles, subject.deduplicate_bundles),
            (options.dereference_bundles, subject.dereference_bundles),
        )
        for enabled, step in steps:
            if enabled:
                step()

    result = Package()
    result.add_malware_subject(subject)
    return result
# Code for MAEC Related Malware Idiom
from maec.package.package import Package
from maec.package.malware_subject import (
    MalwareSubject,
    MalwareSubjectRelationship,
    MalwareSubjectRelationshipList,
    MalwareSubjectReference,
)
from cybox.common import VocabString
from cybox.core import Object
from cybox.objects.file_object import File

# One Package and four Malware Subjects; ms4 is left without attributes here.
p = Package()
ms1, ms2, ms3, ms4 = MalwareSubject(), MalwareSubject(), MalwareSubject(), MalwareSubject()

# First subject: file name, size and a hash are all set. The values are the
# example's sample data, reproduced verbatim.
file_1 = File()
file_1.file_name = "dg003_improve_8080_V132.exe"
file_1.size_in_bytes = "196608"
file_1.add_hash("4EC0027BEF4D7E1786A04D021FA8A67F")
ms1.malware_instance_object_attributes = Object()
ms1.malware_instance_object_attributes.properties = file_1

# Second subject: identified by file name only.
file_2 = File()
file_2.file_name = "msvcr.dll"
ms2.malware_instance_object_attributes = Object()
ms2.malware_instance_object_attributes.properties = file_2

# Third subject: identified by file name only.
file_3 = File()
file_3.file_name = "fvcwin32.exe"
ms3.malware_instance_object_attributes = Object()
ms3.malware_instance_object_attributes.properties = file_3
def __init__(self, pefile_parser):
    """Set up the MAEC id namespace and generate the package from *pefile_parser*.

    Args:
        pefile_parser: parser wrapping the PE file to describe; stored on
            ``self.pefile_parser`` for ``generate_maec()`` to consume.
    """
    self.pefile_parser = pefile_parser
    # Order is kept from the original: the pefile namespace is registered
    # globally first, then the Package is created and populated.
    maec.utils.set_id_namespace(
        Namespace("http://code.google.com/p/pefile/", "pefile")
    )
    self.package = Package()
    self.generate_maec()