def create_maec(inputfile, outpath, verbose_error_mode):
if os.path.isfile(inputfile):
#Create the main parser object
parser = gparser.parser()
try:
open_file = parser.open_file(inputfile)
if not open_file:
print('\nError: Error in parsing input file. Please check to ensure that it is valid XML and conforms to the GFI Sandbox output schema.')
return
#Parse the file to get the actions and processes
parser.parse_document()
#Create the MAEC package
package = Package()
#Add the analysis
package.add_malware_subject(parser.malware_subject)
#Finally, Export the results
package.to_xml_file(outpath, {"https://github.com/MAECProject/gfi-sandbox-to-maec":"GFISandboxToMAEC"})
print "Wrote to " + outpath
except Exception, err:
print('\nError: %s\n' % str(err))
if verbose_error_mode:
traceback.print_exc()
def generate_package_from_parser(input_parser, options=None, from_md5=False):
"""Take a populated ThreatExpert parser object and return a MAEC package object."""
try:
# Parse the file to get the actions and processes
input_parser.parse_document()
except:
if from_md5:
raise Exception("Fetched document is not a valid ThreatExpert report. It is likely that this file has never been reported to ThreatExpert.")
else:
raise Exception("Input document is not a valid ThreatExpert report.")
# Create the MAEC Package
package = Package()
# Add the namespace to the package
package.__input_namespaces__["ThreatExpertToMAEC"] = "https://github.com/MAECProject/threatexpert-to-maec"
# Add the analysis
for malware_subject in input_parser.maec_subjects:
if options:
if options.normalize_bundles:
malware_subject.normalize_bundles()
if options.deduplicate_bundles:
malware_subject.deduplicate_bundles()
if options.dereference_bundles:
malware_subject.dereference_bundles()
package.add_malware_subject(malware_subject)
return package
def create_maec(inputfile, outpath, verbose_error_mode, options):
if os.path.isfile(inputfile):
#Create the main parser object
parser = anparser.parser()
try:
open_file = parser.open_file(inputfile)
if not open_file:
print('\nError: Error in parsing input file. Please check to ensure that it is valid XML and conforms to the Anbuis output schema.')
return
#Parse the file to get the actions and processes
parser.parse_document()
#Create the MAEC package
package = Package()
#Add the analysis
for subject in parser.maec_subjects:
package.add_malware_subject(subject)
if options:
if options.normalize_bundles:
subject.normalize_bundles()
if options.deduplicate_bundles:
subject.deduplicate_bundles()
if options.dereference_bundles:
subject.dereference_bundles()
##Finally, Export the results
package.to_xml_file(outpath,
{"https://github.com/MAECProject/anubis-to-maec":"AnubisToMAEC"})
print "Wrote to " + outpath
except Exception, err:
print('\nError: %s\n' % str(err))
if verbose_error_mode:
traceback.print_exc()
def _add_stix_ttp(self, malware_subject):
"""Create and add a STIX TTP for a MAEC Malware Subject.
Args:
malware_subject: the ``maec.malware_subject.MalwareSubject`` for which the STIX TTP will be created.
Returns:
The ID of the newly created STIX TTP.
"""
# Create the STIX TTP that includes the MAEC Instance
ttp = TTP()
ttp.behavior = Behavior()
# Add a MAEC Package with just the Malware Subject
# For capturing the identity of the malware binary that the Indicators target
maec_package = Package()
new_malware_subject = MalwareSubject()
new_malware_subject.malware_instance_object_attributes = malware_subject.malware_instance_object_attributes
maec_package.add_malware_subject(new_malware_subject)
maec_malware_instance = MAECInstance()
maec_malware_instance.maec = maec_package
ttp.behavior.add_malware_instance(maec_malware_instance)
self.stix_package.add_ttp(ttp)
return ttp.id_
def _add_stix_ttp(self, malware_subject):
"""Create and add a STIX TTP for a MAEC Malware Subject.
Args:
malware_subject: the ``maec.malware_subject.MalwareSubject`` for which the STIX TTP will be created.
Returns:
The ID of the newly created STIX TTP.
"""
# Create the STIX TTP that includes the MAEC Instance
ttp = TTP()
ttp.behavior = Behavior()
# Add a MAEC Package with just the Malware Subject
# For capturing the identity of the malware binary that the Indicators target
maec_package = Package()
new_malware_subject = MalwareSubject()
new_malware_subject.malware_instance_object_attributes = malware_subject.malware_instance_object_attributes
maec_package.add_malware_subject(new_malware_subject)
maec_malware_instance = MAECInstance()
maec_malware_instance.maec = maec_package
ttp.behavior.add_malware_instance(maec_malware_instance)
self.stix_package.add_ttp(ttp)
return ttp.id_
def generate_package_from_parser(input_parser, options=None):
# Parse the file and perform the translation into MAEC
input_parser.parse_document()
# Create the MAEC Package
package = Package()
# Get the Malware Subject
malware_subject = input_parser.malware_subject
# Check for the existence of the options structure and if any are set
# If so, perform the appropriate actions
if options:
if options.normalize_bundles:
malware_subject.normalize_bundles()
if options.deduplicate_bundles:
malware_subject.deduplicate_bundles()
if options.dereference_bundles:
malware_subject.dereference_bundles()
# Add the Malware Subject
package.add_malware_subject(malware_subject)
return package
def generate_package_from_parser(input_parser, options=None):
# Parse the file and perform the translation into MAEC
input_parser.parse_document()
# Create the MAEC Package
package = Package()
# Get the Malware Subject
malware_subject = input_parser.malware_subject
# Check for the existence of the options structure and if any are set
# If so, perform the appropriate actions
if options:
if options.normalize_bundles:
malware_subject.normalize_bundles()
if options.deduplicate_bundles:
malware_subject.deduplicate_bundles()
if options.dereference_bundles:
malware_subject.dereference_bundles()
# Add the Malware Subject
package.add_malware_subject(malware_subject)
return package
ms2_ms4_rel.malware_subject_reference[0].malware_subject_idref = ms4.id_ ms2.relationships.append(ms2_ms4_rel) # Add the ms3 -> ms2 "downloaded by" relationship ms3.relationships = MalwareSubjectRelationshipList() ms3_ms2_rel = MalwareSubjectRelationship() ms3_ms2_rel.type_ = VocabString() ms3_ms2_rel.type_.value = "downloaded by" ms3_ms2_rel.type_.xsi_type = "maecVocabs:MalwareSubjectRelationshipTypeVocab-1.0" ms3_ms2_rel.malware_subject_reference = [MalwareSubjectReference()] ms3_ms2_rel.malware_subject_reference[0].malware_subject_idref = ms2.id_ ms3.relationships.append(ms3_ms2_rel) # Add the ms4 -> ms2 "downloaded by" relationship ms4.relationships = MalwareSubjectRelationshipList() ms4_ms2_rel = MalwareSubjectRelationship() ms4_ms2_rel.type_ = VocabString() ms4_ms2_rel.type_.value = "downloaded by" ms4_ms2_rel.type_.xsi_type = "maecVocabs:MalwareSubjectRelationshipTypeVocab-1.0" ms4_ms2_rel.malware_subject_reference = [MalwareSubjectReference()] ms4_ms2_rel.malware_subject_reference[0].malware_subject_idref = ms2.id_ ms4.relationships.append(ms4_ms2_rel) # Build up the full Package/Malware Subject hierarchy p.add_malware_subject(ms1) p.add_malware_subject(ms2) p.add_malware_subject(ms3) p.add_malware_subject(ms4) # Output the built up Package to XML print p.to_xml()
o1.properties = WinExecutableFile() o1.properties.file_name = "Zcxaxz.exe" o1.properties.size_in_bytes = "332288" o1.association_type = VocabString() o1.association_type.value = "output" o1.association_type.xsi_type = "maecVocabs:ActionObjectAssociationTypeVocab-1.0" act1.associated_objects.append(o1) # Create the second, create mutex action act2 = MalwareAction() act2.name = "create mutex" act2.name.xsi_type = "SynchronizationActionNameVocab-1.0" act2.associated_objects = AssociatedObjects() o2 = AssociatedObject() o2.properties = WinMutex() o2.properties.name = "redem-Mutex" o2.association_type = VocabString() o2.association_type.value = "output" o2.association_type.xsi_type = "maecVocabs:ActionObjectAssociationTypeVocab-1.0" act2.associated_objects.append(o2) # Build up the full Package/Malware Subject/Analysis/Bundle hierarchy p.add_malware_subject(ms) b.add_action(act1) b.add_action(act2) ms.add_analysis(a) ms.add_findings_bundle(b) # Output the built up Package to XML print p.to_xml()
from maec.package.analysis import Analysis
from maec.package.malware_subject import MalwareSubject
from maec.package.package import Package
from maec.id_generator import Generator
from maec.utils import MAECNamespaceParser
from cybox.core.object import Object
from cybox.core.associated_object import AssociatedObject
#Instantiate the ID generator class (for automatic ID generation) with our example namespace
generator = Generator('example1')
#Instantiate the Bundle, Package, MalwareSubject, and Analysis classes
bundle = Bundle(id=generator.generate_bundle_id(), defined_subject=False)
package = Package(id=generator.generate_package_id())
subject = MalwareSubject(id=generator.generate_malware_subject_id())
analysis = Analysis(id=generator.generate_analysis_id())
#Create the Subject Object Dictionary for use in the Malware Instance Object Attributes
subject_object_dict = {'id' : generator.generate_object_id(), 'properties' : {'xsi:type' : 'FileObjectType', 'name' : 'foobar.exe', 'size_in_bytes' : '35532'}}
#Set the Malware Instance Object Attributes with an Object constructed from the dictionary
subject.set_malware_instance_object_attributes(Object.from_dict(subject_object_dict))
#Create the Associated Object Dictionary for use in the Action
associated_object_dict = {'id' : generator.generate_object_id(), 'properties' : {'xsi:type' : 'FileObjectType', 'file_name' : 'abcd.dll', 'size_in_bytes' : '12346'}, 'association_type' : {'value' : 'output', 'xsi:type' : 'maecVocabs:ActionObjectAssociationTypeVocab-1.0'}}
#Create the Action from another dictionary
action = MalwareAction.from_dict({'id' : generator.generate_malware_action_id(), 'name' : {'value' : 'create file', 'xsi:type' : 'maecVocabs:FileActionNameVocab-1.0'}, 'associated_objects' : [associated_object_dict]})
#Add the Action to the buundle
bundle.add_action(action)
#Add the Bundle to the Malware Subject
subject.add_findings_bundle(bundle)
#Add the Malware Subject to the Package
package.add_malware_subject(subject)
#Export the Package Bindings Object to an XML file and use the namespaceparser for writing out the namespace definitions
package.to_xml_file('example1.xml')
act1.associated_objects.append(o1) # Create the Process Tree p_tree = ProcessTree() # Create the root process root_p = ProcessTreeNode() root_p.name = "first_process.exe" root_p.add_initiated_action(act1.id_) # Create the spawned process spawned_p = ProcessTreeNode() spawned_p.name = "malproc.exe" # Add the spawned process to the root process root_p.add_spawned_process(spawned_p) # Set the root process in the process_tree p_tree.set_root_process(root_p) # Build up the full Package/Malware Subject/Analysis/Bundle hierarchy p.add_malware_subject(ms) b.add_action(act1) b.set_process_tree(p_tree) ms.add_analysis(a) ms.add_findings_bundle(b) # Output the built up Package to XML print p.to_xml()
class PefileToMAEC(object):
def __init__(self, pefile_parser):
self.pefile_parser = pefile_parser
NS = Namespace("http://code.google.com/p/pefile/", "pefile")
maec.utils.set_id_namespace(NS)
self.package = Package()
self.generate_maec()
def create_object_dict(self, properties_dict):
object_dict = {'id': maec.utils.idgen.create_id(prefix="object"), 'properties': properties_dict}
return object_dict
def populate(self, entry_dict, static_bundle, malware_subject=None):
if 'file' in entry_dict and len(entry_dict['file'].keys()) > 1:
file_dict = self.create_object_dict(entry_dict['file'])
if malware_subject:
malware_subject.malware_instance_object_attributes = Object.from_dict(file_dict)
# Add the hashes for the Malware Instance Object Attributes
data = open(self.pefile_parser.infile, 'rb').read()
if data:
md5_hash = hashlib.md5(data).hexdigest()
sha1_hash = hashlib.sha1(data).hexdigest()
malware_subject.malware_instance_object_attributes.properties.add_hash(md5_hash)
malware_subject.malware_instance_object_attributes.properties.add_hash(sha1_hash)
else:
static_bundle.add_object(Object.from_dict(file_dict))
if 'pe' in entry_dict and len(entry_dict['pe'].keys()) > 1:
pe_dict = self.create_object_dict(entry_dict['pe'])
static_bundle.add_object(Object.from_dict(pe_dict))
def generate_analysis(self, static_bundle):
analysis = Analysis()
analysis.type = 'triage'
analysis.method = 'static'
analysis.add_tool(ToolInformation.from_dict({'id': maec.utils.idgen.create_id(prefix="tool"),
'vendor': 'Ero Carrera',
'name': 'pefile'}))
findings_bundle_reference = []
if self.bundle_has_content(static_bundle):
findings_bundle_reference.append(BundleReference.from_dict({'bundle_idref':static_bundle.id_}))
analysis.findings_bundle_reference = findings_bundle_reference
return analysis
def bundle_has_content(self, bundle):
if bundle.actions and len(bundle.actions) > 0:
return True
if bundle.objects and len(bundle.objects) > 0:
return True
if bundle.behaviors and len(bundle.behaviors) > 0:
return True
return False
def generate_malware_subjects(self):
entry_dict = self.pefile_parser.entry_dict
malware_subject = MalwareSubject()
entry_dict['id'] = malware_subject
static_bundle = Bundle(None, False, '4.1', 'static analysis tool output')
self.populate(entry_dict, static_bundle, malware_subject)
malware_subject.add_analysis(self.generate_analysis(static_bundle))
if self.bundle_has_content(static_bundle):
malware_subject.add_findings_bundle(static_bundle)
self.package.add_malware_subject(malware_subject)
def generate_maec(self):
self.generate_malware_subjects()
class PefileToMAEC(object):
def __init__(self, pefile_parser):
self.pefile_parser = pefile_parser
NS = Namespace("http://code.google.com/p/pefile/", "pefile")
maec.utils.set_id_namespace(NS)
self.package = Package()
self.generate_maec()
def create_object_dict(self, properties_dict):
object_dict = {'id': maec.utils.idgen.create_id(prefix="object"), 'properties': properties_dict}
return object_dict
def populate(self, entry_dict, static_bundle, malware_subject=None):
if 'file' in entry_dict and len(entry_dict['file'].keys()) > 1:
file_dict = self.create_object_dict(entry_dict['file'])
if malware_subject:
malware_subject.malware_instance_object_attributes = Object.from_dict(file_dict)
# Add the hashes for the Malware Instance Object Attributes
data = open(self.pefile_parser.infile, 'rb').read()
if data:
md5_hash = hashlib.md5(data).hexdigest()
sha1_hash = hashlib.sha1(data).hexdigest()
malware_subject.malware_instance_object_attributes.properties.add_hash(md5_hash)
malware_subject.malware_instance_object_attributes.properties.add_hash(sha1_hash)
else:
static_bundle.add_object(Object.from_dict(file_dict))
if 'pe' in entry_dict and len(entry_dict['pe'].keys()) > 1:
pe_dict = self.create_object_dict(entry_dict['pe'])
static_bundle.add_object(Object.from_dict(pe_dict))
def generate_analysis(self, static_bundle):
analysis = Analysis()
analysis.type = 'triage'
analysis.method = 'static'
analysis.add_tool(ToolInformation.from_dict({'id': maec.utils.idgen.create_id(prefix="tool"),
'vendor': 'Ero Carrera',
'name': 'pefile'}))
findings_bundle_reference = []
if self.bundle_has_content(static_bundle):
findings_bundle_reference.append(BundleReference.from_dict({'bundle_idref':static_bundle.id_}))
analysis.findings_bundle_reference = findings_bundle_reference
return analysis
def bundle_has_content(self, bundle):
if bundle.actions and len(bundle.actions) > 0:
return True
if bundle.objects and len(bundle.objects) > 0:
return True
if bundle.behaviors and len(bundle.behaviors) > 0:
return True
return False
def generate_malware_subjects(self):
entry_dict = self.pefile_parser.entry_dict
malware_subject = MalwareSubject()
entry_dict['id'] = malware_subject
static_bundle = Bundle(None, False, '4.1', 'static analysis tool output')
self.populate(entry_dict, static_bundle, malware_subject)
malware_subject.add_analysis(self.generate_analysis(static_bundle))
if self.bundle_has_content(static_bundle):
malware_subject.add_findings_bundle(static_bundle)
self.package.add_malware_subject(malware_subject)
def generate_maec(self):
self.generate_malware_subjects()
def vt_report_to_maec_package(vt_report_input, options = None):
"""Accept a VirusTotal report (as a Python structure) and return a corresponding MAEC Package API object."""
NS = Namespace("https://github.com/MAECProject/vt-to-maec", "VirusTotalToMAEC")
maec.utils.set_id_namespace(NS)
package = Package()
# if only one result, make it a list of one result
if type(vt_report_input) != list:
vt_report_list = [vt_report_input]
else:
vt_report_list = vt_report_input
for idx, vt_report in enumerate(vt_report_list):
# if VirusTotal has never seen this MD5
if vt_report["response_code"] == 0:
sys.stderr.write("WARNING: Skipping file #" + str(idx+1) + " (" + vt_report["resource"] + "); this MD5 is unknown to VirusTotal\n")
sys.stderr.flush();
continue
if vt_report["response_code"] == -1:
sys.stderr.write("WARNING: VirusTotal had an unexpected error on file #" + str(idx+1) + " (" + vt_report["resource"] + "): " +
vt_report.get("verbose_message", "no message provided") + "\n")
sys.stderr.flush();
continue
malware_subject = MalwareSubject()
# create the file object and add hashes
file_dict = {}
file_dict['xsi:type'] = 'WindowsExecutableFileObjectType'
file_dict['hashes'] = [
{'type' : 'MD5', 'simple_hash_value': vt_report["md5"] },
{'type' : 'SHA1', 'simple_hash_value': vt_report["sha1"] },
{'type' : 'SHA256', 'simple_hash_value': vt_report["sha256"] }
]
# set the object as the defined object
object_dict = {}
object_dict['id'] = maec.utils.idgen.create_id(prefix="object")
object_dict['properties'] = file_dict
# bind the object to the malware subject object
malware_subject.set_malware_instance_object_attributes(Object.from_dict(object_dict))
# create the analysis and add it to the subject
analysis = Analysis()
analysis.type_ = 'triage'
analysis.method = 'static'
analysis.complete_datetime = vt_report["scan_date"].replace(" ", "T")
analysis.add_tool(ToolInformation.from_dict({'id' : maec.utils.idgen.create_id(prefix="tool"),
'vendor' : 'VirusTotal',
'name' : 'VirusTotal' }))
malware_subject.add_analysis(analysis)
bundle_obj = Bundle()
for vendor, scan in vt_report["scans"].items():
if scan["result"] is not None:
bundle_obj.add_av_classification(AVClassification.from_dict({ 'classification_name' : scan["result"], 'vendor' : vendor }))
# add bundle to subject, bundle to analysis, and subject to package
malware_subject.add_findings_bundle(bundle_obj)
analysis.set_findings_bundle(bundle_obj.id_)
package.add_malware_subject(malware_subject)
package.__input_namespaces__["https://github.com/MAECProject/vt-to-maec"] = "VirusTotalToMAEC"
if options:
if options.normalize_bundles:
malware_subject.normalize_bundles()
if options.deduplicate_bundles:
malware_subject.deduplicate_bundles()
if options.dereference_bundles:
malware_subject.dereference_bundles()
return package
