ファイル: fexml2stix.py プロジェクト: trolldbois/fexml2stix
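 def add_registry_observable(self, mode, value):
     """Record one registry access from the sandbox report as a CybOX observable.

     Args:
         mode: access mode reported by the sandbox; only used, together with
             ``value``, to de-duplicate entries (it is not written to the
             observable).
         value: registry path as written in the report, backslash-separated.
             The hive is taken from the third component and the key from
             everything after it, i.e. a ``\\REGISTRY\\<HIVE>\\<key...>`` layout.
             NOTE(review): the FIXME in the original says this parse is not
             right for every report; confirm against real fexml input.

     Raises:
         ValueError: if ``value`` has fewer than three backslash-separated
             components, so no hive can be extracted.  The entry is *not*
             recorded as seen in that case, so a corrected value can be
             re-submitted.
     """
     if (mode, value) in self.__regkeys:
         return
     # Split once.  The original split twice and indexed [2] blindly, which
     # raised an opaque IndexError on short paths *after* marking the entry
     # as seen -- the access was then silently missing from the output.
     parts = value.split('\\')
     if len(parts) < 3:
         raise ValueError("cannot extract registry hive from %r" % (value,))
     hive = parts[2]
     _key = '\\'.join(parts[3:])
     reg_object = WinRegistryKey.from_dict({'key': _key, 'hive': hive})
     reg_observable = Observable(reg_object)
     reg_observable.title = "Malware Artifact - Registry"
     reg_observable.description = "Registry access derived from sandboxed malware sample."
     reg_observable.short_description = "Registry access from malware."
     # Only mark the entry as seen once the observable has actually been built,
     # so a failure above cannot leave the dedup set and the indicator out of sync.
     self.__regkeys.add((mode, value))
     self.reg_indicator.add_observable(reg_observable)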
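# Example: add a handful of Windows observables to an Observables document.
# NOTE(review): ``observables_doc`` and the CybOX object classes (WinService,
# WinRegistryKey, Mutex, Process) are defined/imported outside this excerpt.

# A Windows service.  All values are placeholders that show the field names.
observables_doc.add(WinService.from_dict({"service_name": "Service Name",
                                  "display_name": "Service Display name",
                                  "startup_type": "Service type",
                                  "service_status": "Status",
                                  "service_dll": "Somedll.dll",
                                  "started_as": "Start",
                                  "group_name": "Group name",
                                  "startup_command_line": "Commandline"}))

# A registry key with two values and one subkey.
observables_doc.add(WinRegistryKey.from_dict({"hive": "SYSTEM",
                                             "key": "some\\registry\\key",
                                             "number_values": 2,
                                             "values": [{"name": "Something",
                                                         "datatype": "REG_DWORD",  # use the real datatype of the value
                                                         "data": "Something else"},
                                                        {"name": "Another",
                                                         "datatype": "REG_BINARY",
                                                         # Binary data must be normalised to text; base64 is the
                                                         # usual choice.  base64.b64encode takes *bytes* and returns
                                                         # bytes on Python 3 -- the original passed a str literal,
                                                         # which raises TypeError there -- so feed it a bytes literal
                                                         # and decode the ASCII result back to str for the document.
                                                         "data": base64.b64encode(b"\x90\x90\x90").decode("ascii")}],
                                             "number_subkeys": 1,
                                             # subkeys have the same members as keys:
                                             "subkeys": [{"key": "SubkeyName", "number_values": 1,
                                                            "values": [{"name": "SubkeyVal", "datatype": "REG_DWORD", "data": "Subkey val data"}]}]
                                            }))

# A mutex, identified by name only.
observables_doc.add(Mutex.from_dict({"name": "Some_MUTEX!!!"}))

# Conditions can be attached to individual fields after construction; here the
# process name must match exactly.
proc = Process.from_dict({"name": "anotherProcess.exe",
                          "pid": 102,
                          "parent_pid": 10,
                          "image_info": {"command_line": "anotherProcess.exe /c blahblah.bat"}})
proc.name.condition = "Equals"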