"B6C39FF68346DCC8B67AA060DEFE40C2") # Populate the Analysis with the metadata relating to the Analysis that was performed a.method = "static" a.type_ = "in-depth" a.set_findings_bundle(b.id_) # Set the requisite attributes on the Bundle and populate it with the In-depth Analysis findings b.defined_subject = False b.content_type = "manual analysis output" # Create the add windows hook action act = MalwareAction() act.name = "add windows hook" act.name.xsi_type = "maecVocabs:HookingActionNameVocab-1.0" act.associated_objects = AssociatedObjects() o1 = AssociatedObject() o1.properties = WinHook() o1.properties.type_ = "WH_KEYBOARD_LL" o1.association_type = VocabString() o1.association_type.value = "output" o1.association_type.xsi_type = "maecVocabs:ActionObjectAssociationTypeVocab-1.0" act.associated_objects.append(o1) # Create the behavior bhv = Behavior() bhv.action_composition = BehavioralActions() bhv.action_composition.action_reference = [BehavioralActionReference()] bhv.action_composition.action_reference[0].action_id = act.id_ # Create the capability
a.type_ = "triage" a.set_findings_bundle(b.id_) t = ToolInformation() t.name = "ThreatExpert" t.vendor = "ThreatExpert" a.add_tool(t) # Set the requisite attributes on the Bundle and populate it with the Dynamic Analysis findings b.defined_subject = False b.content_type = "dynamic analysis tool output" # Create the first, create file action act1 = MalwareAction() act1.name = "create file" act1.name.xsi_type = "FileActionNameVocab-1.1" act1.associated_objects = AssociatedObjects() o1 = AssociatedObject() o1.properties = WinExecutableFile() o1.properties.file_name = "Zcxaxz.exe" o1.properties.size_in_bytes = "332288" o1.association_type = VocabString() o1.association_type.value = "output" o1.association_type.xsi_type = "maecVocabs:ActionObjectAssociationTypeVocab-1.0" act1.associated_objects.append(o1) # Create the second, create mutex action act2 = MalwareAction() act2.name = "create mutex" act2.name.xsi_type = "SynchronizationActionNameVocab-1.0" act2.associated_objects = AssociatedObjects() o2 = AssociatedObject()
# Set the Malware Instance Object Attributes with an Object constructed from the dictionary subject.set_malware_instance_object_attributes(subject_object) # Create the Associated Object Dictionary for use in the Action associated_object = AssociatedObject() associated_object.properties = File() associated_object.properties.file_name = 'abcd.dll' associated_object.properties.size_in_bytes = '123456' associated_object.association_type = VocabString() associated_object.association_type.value = 'output' associated_object.association_type.xsi_type = 'maecVocabs:ActionObjectAssociationTypeVocab-1.0' # Create the Action from another dictionary action = MalwareAction() action.name = VocabString() action.name.value = 'create file' action.name.xsi_type = 'maecVocabs:FileActionNameVocab-1.0' action.associated_objects = AssociatedObjects() action.associated_objects.append(associated_object) # Add the Action to the Bundle bundle.add_action(action) # Create the Capability from another dictionary capability = Capability() capability.name = 'persistence' # Add the Capability to the Bundle bundle.add_capability(capability) # Add the Bundle to the Malware Subject subject.add_findings_bundle(bundle) subject.findings_bundles.bundle = [bundle] # Add the Malware Subject to the Package package.add_malware_subject(subject) # Export the Package Bindings Object to an XML file and use the namespaceparser for writing out the namespace definitions package.to_xml_file('sample_maec_package.xml')