def from_dict(findings_bundle_list_dict):
if not findings_bundle_list_dict:
return None
findings_bundle_list_ = FindingsBundleList()
findings_bundle_list_.meta_analysis = MetaAnalysis.from_dict(findings_bundle_list_dict.get('meta_analysis'))
findings_bundle_list_.bundles = [Bundle.from_dict(x) for x in findings_bundle_list_dict.get('bundles', [])]
findings_bundle_list_.bundle_external_references = [x for x in findings_bundle_list_dict.get('bundle_external_references', [])]
return findings_bundle_list_
def from_obj(findings_bundle_list_obj):
if not findings_bundle_list_obj:
return None
findings_bundle_list_ = FindingsBundleList()
findings_bundle_list_.meta_analysis = MetaAnalysis.from_obj(findings_bundle_list_obj.get_Meta_Analysis())
findings_bundle_list_.bundles = [Bundle.from_obj(x) for x in findings_bundle_list_obj.get_Bundle()]
findings_bundle_list_.bundle_external_references = [x for x in findings_bundle_list_obj.get_Bundle_External_Reference()]
return findings_bundle_list_
def generate_malware_subjects(self):
entry_dict = self.pefile_parser.entry_dict
malware_subject = MalwareSubject()
entry_dict['id'] = malware_subject
static_bundle = Bundle(None, False, '4.1', 'static analysis tool output')
self.populate(entry_dict, static_bundle, malware_subject)
malware_subject.add_analysis(self.generate_analysis(static_bundle))
if self.bundle_has_content(static_bundle):
malware_subject.add_findings_bundle(static_bundle)
self.package.add_malware_subject(malware_subject)
def main():
infilenames = []
list_mode = False
directoryname = ''
# List of Bundle instances to compare
bundle_list = []
#Get the command-line arguments
args = sys.argv[1:]
if len(args) < 2:
print USAGE_TEXT
sys.exit(1)
for i in range(0,len(args)):
if args[i] == '-l':
list_mode = True
elif args[i] == '-d':
directoryname = args[i+1]
# Parse the input files and get the MAEC Bundles from each
if list_mode:
files = args[1:]
for file in files:
process_maec_file(file, bundle_list)
elif directoryname != '':
for filename in os.listdir(directoryname):
if '.xml' not in filename:
pass
else:
process_maec_file(os.path.join(directoryname, filename), bundle_list)
# Matching properties dictionary
match_on_dictionary = {'FileObjectType': ['file_path'],
'WindowsRegistryKeyObjectType': ['hive', 'key'],
'WindowsMutexObjectType': ['name'],
'WindowsProcessObjectType': ['name']}
# Perform the comparison and get the results
comparison_results = Bundle.compare(bundle_list, match_on = match_on_dictionary, case_sensitive = False)
# Pretty print the common and unique Objects
print "******Common Objects:*******\n"
pprint.pprint(comparison_results.get_common())
print "****************************"
print "******Unique Objects:*******\n"
pprint.pprint(comparison_results.get_unique())
print "****************************"
def main():
parser = argparse.ArgumentParser(description=USAGE_TEXT)
mutex_group = parser.add_mutually_exclusive_group(required=True)
mutex_group.add_argument(
'-l',
'--list',
nargs='+',
help='single whitespace separated list of MAEC files')
mutex_group.add_argument('-d', '--directory', help='directory name')
args = parser.parse_args()
# List of Bundle instances to compare
bundle_list = []
# Parse the input files and get the MAEC Bundles from each
if args.list:
for file in args.list:
process_maec_file(file, bundle_list)
elif args.directory:
for filename in os.listdir(args.directory):
if '.xml' not in filename:
pass
else:
process_maec_file(os.path.join(args.directory, filename),
bundle_list)
# Matching properties dictionary
match_on_dictionary = {
'FileObjectType': ['file_path'],
'WindowsRegistryKeyObjectType': ['hive', 'key'],
'WindowsMutexObjectType': ['name'],
'WindowsProcessObjectType': ['name']
}
# Perform the comparison and get the results
comparison_results = Bundle.compare(bundle_list,
match_on=match_on_dictionary,
case_sensitive=False)
# Pretty print the common and unique Objects
print "******Common Objects:*******\n"
pprint.pprint(comparison_results.get_common())
print "****************************"
print "******Unique Objects:*******\n"
pprint.pprint(comparison_results.get_unique())
print "****************************"
def main():
parser = argparse.ArgumentParser(description=USAGE_TEXT)
mutex_group = parser.add_mutually_exclusive_group(required=True)
mutex_group.add_argument(
'-l', '--list', nargs='+',
help='single whitespace separated list of MAEC files'
)
mutex_group.add_argument(
'-d', '--directory',
help='directory name'
)
args = parser.parse_args()
# List of Bundle instances to compare
bundle_list = []
# Parse the input files and get the MAEC Bundles from each
if args.list:
for file in args.list:
process_maec_file(file, bundle_list)
elif args.directory:
for filename in os.listdir(args.directory):
if '.xml' not in filename:
pass
else:
process_maec_file(os.path.join(args.directory, filename), bundle_list)
# Matching properties dictionary
match_on_dictionary = {'FileObjectType': ['file_path'],
'WindowsRegistryKeyObjectType': ['hive', 'key'],
'WindowsMutexObjectType': ['name'],
'WindowsProcessObjectType': ['name']}
# Perform the comparison and get the results
comparison_results = Bundle.compare(bundle_list, match_on = match_on_dictionary, case_sensitive = False)
# Pretty print the common and unique Objects
print "******Common Objects:*******\n"
pprint.pprint(comparison_results.get_common())
print "****************************"
print "******Unique Objects:*******\n"
pprint.pprint(comparison_results.get_unique())
print "****************************"
def parse_xml(self, xml_file, check_version=True):
"""Creates a python-maec Bundle or Package object from the supplied xml_file.
Arguments:
xml_file -- A filename/path or a file-like object reprenting a MAEC instance (i.e. Package or Bundle) document
check_version -- Inspect the version before parsing.
"""
parser = etree.ETCompatXMLParser(huge_tree=True, resolve_entities=False)
tree = etree.parse(xml_file, parser=parser)
api_obj = None
binding_obj = self.parse_xml_to_obj(xml_file, check_version)
if self.is_package:
from maec.package.package import Package # resolve circular dependencies
api_obj = Package.from_obj(binding_obj)
elif self.is_bundle:
from maec.bundle.bundle import Bundle # resolve circular dependencies
api_obj = Bundle.from_obj(binding_obj)
self._apply_input_namespaces(tree, api_obj)
return api_obj
def generate_oval(self):
#Basic input file checking
if os.path.isfile(self.infilename):
#Try parsing the MAEC file with both bindings
package_obj = package_binding.parse(self.infilename)
bundle_obj = bundle_binding.parse(self.infilename)
try:
sys.stdout.write('Generating ' + self.outfilename + ' from ' + self.infilename + '...')
#Test whether the input is a Package or Bundle and process accordingly
if bundle_obj.hasContent_():
maec_bundle = Bundle.from_obj(bundle_obj)
self.process_bundle(maec_bundle)
elif package_obj.hasContent_():
maec_package = Package.from_obj(package_obj)
for malware_subject in maec_package.malware_subjects:
for maec_bundle in malware_subject.findings_bundles.bundles:
self.process_bundle(maec_bundle)
#Build up the OVAL document from the parsed data and corresponding objects
self.__build_oval_document()
if len(self.converted_ids) > 0:
#Export to the output file
outfile = open(self.outfilename, 'w')
self.ovaldefroot.export(outfile, 0, namespacedef_='xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:oval-def="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:win-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows" xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows http://oval.mitre.org/language/version5.7/ovaldefinition/complete/windows-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5 http://oval.mitre.org/language/version5.7/ovaldefinition/complete/oval-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-common-5 http://oval.mitre.org/language/version5.7/ovaldefinition/complete/oval-common-schema.xsd"')
sys.stdout.write('Done\n')
else:
sys.stdout.write('no OVAL output written; 0 actions were converted.\n')
if self.stat_mode:
print '\n**Converted Actions**'
for action_id in self.converted_ids:
print 'Action ' + action_id + ' converted successfully'
print '**Skipped Actions**'
for action_id in self.skipped_actions:
print 'Action ' + action_id + ' skipped; incompatible action/object type or missing object attributes'
except Exception, err:
print('\nError: %s\n' % str(err))
if self.verbose_mode:
traceback.print_exc()
# Code for MAEC Dynamic Analysis Idiom
from maec.package.package import Package
from maec.package.malware_subject import MalwareSubject
from maec.package.analysis import Analysis
from maec.bundle.bundle import Bundle
from maec.bundle.malware_action import MalwareAction
from cybox.core import Object, AssociatedObject, AssociatedObjects
from cybox.objects.win_executable_file_object import WinExecutableFile
from cybox.objects.win_mutex_object import WinMutex
from cybox.common import ToolInformation, VocabString
# Set up the necessary Package, Malware Subject, Analysis Bundle Instances
p = Package()
ms = MalwareSubject()
b = Bundle()
a = Analysis()
# Set the Malware_Instance_Object_Attributes on the Malware Subject
ms.malware_instance_object_attributes = Object()
ms.malware_instance_object_attributes.properties = WinExecutableFile()
ms.malware_instance_object_attributes.properties.size_in_bytes = "210564"
ms.malware_instance_object_attributes.properties.add_hash(
"B6C39FF68346DCC8B67AA060DEFE40C2")
ms.malware_instance_object_attributes.properties.add_hash(
"D55B0FB96FAD96D203D10850469489FC03E6F2F7")
# Populate the Analysis with the metadata relating to the Analysis that was performed
a.method = "dynamic"
a.type_ = "triage"
a.set_findings_bundle(b.id_)
t = ToolInformation()
import pprint
import maec.bindings.maec_bundle as maec_bundle_binding
from maec.bundle.bundle import Bundle
# Matching properties dictionary
match_on_dictionary = {'FileObjectType': ['full_name'],
'WindowsRegistryKeyObjectType': ['hive', 'values.name/data'],
'WindowsMutexObjectType': ['name']}
# Parse in the input Bundle documents and create their python-maec Bundle class representations
bundle1 = Bundle.from_obj(maec_bundle_binding.parse("zeus_threatexpert_maec.xml"))
bundle2 = Bundle.from_obj(maec_bundle_binding.parse("zeus_anubis_maec.xml"))
# Perform the comparison and get the results
comparison_results = Bundle.compare([bundle1, bundle2], match_on = match_on_dictionary, case_sensitive = False)
# Pretty print the common and unique Objects
print "******Common Objects:*******\n"
pprint.pprint(comparison_results.get_common())
print "****************************"
print "******Unique Objects:*******\n"
pprint.pprint(comparison_results.get_unique())
print "****************************"
# Code for MAEC Basic Bundle Idiom from maec.bundle.bundle import Bundle from cybox.core import Object from cybox.objects.pdf_file_object import PDFFile # Instantiate the Bundle and populate its required attributes # The ID generation is handled automatically by python-maec b = Bundle() b.defined_subject = "True" # Populate the Malware_Instance_Object_Attributes of the Bundle with the properties of the PDF file b.malware_instance_object_attributes = Object() b.malware_instance_object_attributes.properties = PDFFile() b.malware_instance_object_attributes.properties.file_name = "User_Manual.pdf" b.malware_instance_object_attributes.properties.size_in_bytes = "509328" b.malware_instance_object_attributes.properties.version = "1.6" print b.to_xml()
from cybox.common import Hash, HashList
from cybox.objects.file_object import File
from maec.bundle.bundle import Bundle
from maec.bundle.malware_action import MalwareAction
from maec.bundle.capability import Capability
from maec.package.analysis import Analysis
from maec.package.malware_subject import MalwareSubject
from maec.package.package import Package
from cybox.utils import Namespace
import maec.utils
# Instantiate the ID generator class (for automatic ID generation) with our example namespace
NS = Namespace("http://example.com/", "example")
maec.utils.set_id_namespace(NS)
# Instantiate the Bundle, Package, MalwareSubject, and Analysis classes
bundle = Bundle(defined_subject=False)
package = Package()
subject = MalwareSubject()
analysis = Analysis()
# Create the Object for use in the Malware Instance Object Attributes
subject_object = Object()
subject_object.properties = File()
subject_object.properties.name = "foobar.exe"
subject_object.properties.size_in_bytes = "35532"
subject_object.properties.hashes = HashList()
subject_object.properties.hashes.append(Hash("8743b52063cd84097a65d1633f5c74f5"))
# Set the Malware Instance Object Attributes with an Object constructed from the dictionary
subject.set_malware_instance_object_attributes(subject_object)
# Create the Associated Object Dictionary for use in the Action
associated_object = AssociatedObject()
associated_object.properties = File()
##A single Action embedded in the Bundle
from maec.bundle.bundle import Bundle
from maec.bundle.malware_action import MalwareAction
from maec.package.analysis import Analysis
from maec.package.malware_subject import MalwareSubject
from maec.package.package import Package
from maec.id_generator import Generator
from maec.utils import MAECNamespaceParser
from cybox.core.object import Object
from cybox.core.associated_object import AssociatedObject
#Instantiate the ID generator class (for automatic ID generation) with our example namespace
generator = Generator('example1')
#Instantiate the Bundle, Package, MalwareSubject, and Analysis classes
bundle = Bundle(id=generator.generate_bundle_id(), defined_subject=False)
package = Package(id=generator.generate_package_id())
subject = MalwareSubject(id=generator.generate_malware_subject_id())
analysis = Analysis(id=generator.generate_analysis_id())
#Create the Subject Object Dictionary for use in the Malware Instance Object Attributes
subject_object_dict = {'id' : generator.generate_object_id(), 'properties' : {'xsi:type' : 'FileObjectType', 'name' : 'foobar.exe', 'size_in_bytes' : '35532'}}
#Set the Malware Instance Object Attributes with an Object constructed from the dictionary
subject.set_malware_instance_object_attributes(Object.from_dict(subject_object_dict))
#Create the Associated Object Dictionary for use in the Action
associated_object_dict = {'id' : generator.generate_object_id(), 'properties' : {'xsi:type' : 'FileObjectType', 'file_name' : 'abcd.dll', 'size_in_bytes' : '12346'}, 'association_type' : {'value' : 'output', 'xsi:type' : 'maecVocabs:ActionObjectAssociationTypeVocab-1.0'}}
#Create the Action from another dictionary
action = MalwareAction.from_dict({'id' : generator.generate_malware_action_id(), 'name' : {'value' : 'create file', 'xsi:type' : 'maecVocabs:FileActionNameVocab-1.0'}, 'associated_objects' : [associated_object_dict]})
#Add the Action to the buundle
bundle.add_action(action)
#Add the Bundle to the Malware Subject
subject.add_findings_bundle(bundle)
# Code for MAEC Static Analysis Idiom
from maec.package.package import Package
from maec.package.malware_subject import MalwareSubject
from maec.package.analysis import Analysis, Source
from cybox.core import Object
from cybox.objects.win_executable_file_object import WinExecutableFile, PEHeaders, PEOptionalHeader
from cybox.common import ToolInformation
from maec.bundle.bundle import Bundle
# Set up the necessary Package, Malware Subject, Analysis Bundle Instances
p = Package()
ms = MalwareSubject()
b = Bundle()
a = Analysis()
# Set the Malware_Instance_Object_Attributes on the Malware Subject
ms.malware_instance_object_attributes = Object()
ms.malware_instance_object_attributes.properties = WinExecutableFile()
ms.malware_instance_object_attributes.properties.file_name = "dg003_improve_8080_V132.exe"
ms.malware_instance_object_attributes.properties.size_in_bytes = "196608"
ms.malware_instance_object_attributes.properties.add_hash("4EC0027BEF4D7E1786A04D021FA8A67F")
# Populate the Analysis with the metadata relating to the Analysis that was performed
a.method = "static"
a.type_ = "triage"
a.summary = "A basic static triage of the subject binary using PEiD."
a.set_findings_bundle(b.id_)
a.source = Source()
a.source.name = "Frankie Li"
a.source.url = "http://www.sans.org/reading_room/whitepapers/malicious/detailed-analysis-advanced-persistent-threat-malware_33814"
t = ToolInformation()
# Code for MAEC Process Tree Idiom
from maec.package.package import Package
from maec.package.malware_subject import MalwareSubject
from maec.package.analysis import Analysis
from maec.bundle.bundle import Bundle
from maec.bundle.malware_action import MalwareAction
from maec.bundle.process_tree import ProcessTree, ProcessTreeNode
from cybox.core import Object, AssociatedObject, AssociatedObjects
from cybox.objects.win_executable_file_object import WinExecutableFile
from cybox.common import ToolInformation, VocabString
# Set up the necessary Package, Malware Subject, Analysis Bundle Instances
p = Package()
ms = MalwareSubject()
b = Bundle()
a = Analysis()
# Set the Malware_Instance_Object_Attributes on the Malware Subject
ms.malware_instance_object_attributes = Object()
ms.malware_instance_object_attributes.properties = WinExecutableFile()
ms.malware_instance_object_attributes.properties.size_in_bytes = "251904"
ms.malware_instance_object_attributes.properties.add_hash("5247001dafe411802b1a40e763d9a221")
ms.malware_instance_object_attributes.properties.add_hash("7ff89166e226845e9fc52cb711eb5b37d004a0e5")
# Populate the Analysis with the metadata relating to the Analysis that was performed
a.method = "dynamic"
a.type_ = "triage"
a.set_findings_bundle(b.id_)
t = ToolInformation()
t.name = "Anubis"
t.vendor = "ISECLab"
def test_add_collections(self):
o = Bundle()
o.add_named_action_collection("Actions")
ma = MalwareAction()
o.add_action(ma, "Actions")
self.assertTrue(o.collections.action_collections.has_collection("Actions"))
o.add_named_object_collection("Objects")
obj = Object()
o.add_object(obj, "Objects")
self.assertTrue(o.collections.object_collections.has_collection("Objects"))
o.add_named_behavior_collection("Behaviors")
b = Behavior()
o.add_behavior(b, "Behaviors")
self.assertTrue(o.collections.behavior_collections.has_collection("Behaviors"))
o.add_named_candidate_indicator_collection("Indicators")
ci = CandidateIndicator()
o.add_candidate_indicator(ci, "Indicators")
self.assertTrue(o.collections.candidate_indicator_collections.has_collection("Indicators"))
# Code for MAEC AV Classification Idiom
from maec.package.package import Package
from maec.package.malware_subject import MalwareSubject
from maec.package.analysis import Analysis
from maec.bundle.bundle import Bundle
from maec.bundle.av_classification import AVClassification
from cybox.core import Object
from cybox.objects.win_executable_file_object import WinExecutableFile
# Set up the necessary Package, Malware Subject, Analysis Bundle Instances
p = Package()
ms = MalwareSubject()
b = Bundle()
a = Analysis()
# Set the Malware_Instance_Object_Attributes on the Malware Subject
ms.malware_instance_object_attributes = Object()
ms.malware_instance_object_attributes.properties = WinExecutableFile()
ms.malware_instance_object_attributes.properties.add_hash("076e5b2bae0b4b3a3d81c85610b95cd4")
ms.malware_instance_object_attributes.properties.add_hash("4484e08903744ceeaedd8f5e1bfc06b2c4688e76")
# Populate the Analysis with the metadata relating to the Analysis that was performed
a.method = "static"
a.type_ = "triage"
a.set_findings_bundle(b.id_)
# Set the requisite attributes on the Bundle
b.defined_subject = False
b.content_type = "static analysis tool output"
# Create the AV Classifications
def test_add_collections(self):
o = Bundle()
o.add_named_action_collection("Actions")
ma = MalwareAction()
o.add_action(ma, "Actions")
self.assertTrue(
o.collections.action_collections.has_collection("Actions"))
o.add_named_object_collection("Objects")
obj = Object()
o.add_object(obj, "Objects")
self.assertTrue(
o.collections.object_collections.has_collection("Objects"))
o.add_named_behavior_collection("Behaviors")
b = Behavior()
o.add_behavior(b, "Behaviors")
self.assertTrue(
o.collections.behavior_collections.has_collection("Behaviors"))
o.add_named_candidate_indicator_collection("Indicators")
ci = CandidateIndicator()
o.add_candidate_indicator(ci, "Indicators")
self.assertTrue(
o.collections.candidate_indicator_collections.has_collection(
"Indicators"))
from maec.package.package import Package
from maec.package.malware_subject import MalwareSubject
from maec.package.analysis import Analysis
from maec.bundle.bundle import Bundle, BehaviorReference
from maec.bundle.malware_action import MalwareAction
from maec.bundle.capability import Capability, CapabilityObjective, CapabilityList
from maec.bundle.behavior import Behavior, BehavioralActions, BehavioralActionReference
from cybox.core import Object, AssociatedObject, AssociatedObjects
from cybox.objects.win_executable_file_object import WinExecutableFile
from cybox.objects.win_hook_object import WinHook
from cybox.common import VocabString
# Set up the necessary Package, Malware Subject, Analysis Bundle Instances
p = Package()
ms = MalwareSubject()
b = Bundle()
a = Analysis()
# Set the Malware_Instance_Object_Attributes on the Malware Subject
ms.malware_instance_object_attributes = Object()
ms.malware_instance_object_attributes.properties = WinExecutableFile()
ms.malware_instance_object_attributes.properties.size_in_bytes = "210564"
ms.malware_instance_object_attributes.properties.add_hash("B6C39FF68346DCC8B67AA060DEFE40C2")
# Populate the Analysis with the metadata relating to the Analysis that was performed
a.method = "static"
a.type_ = "in-depth"
a.set_findings_bundle(b.id_)
# Set the requisite attributes on the Bundle and populate it with the In-depth Analysis findings
b.defined_subject = False
import maec.utils
from maec.package.package import Package
from maec.package.malware_subject import MalwareSubject
from maec.package.analysis import Analysis
from maec.bundle.bundle import Bundle
from maec.bundle.malware_action import MalwareAction
from maec.bundle.process_tree import ProcessTree, ProcessTreeNode
from cybox.objects.win_executable_file_object import WinExecutableFile
from cybox.common import ToolInformation, VocabString
# サンプルの名前空間に(自動ID生成用の)IDジェネレータクラスをインスタンス化
NS = Namespace("http://example.com/", "example")
maec.utils.set_id_namespace(NS)
# インスタンス化:Bundle, Package, MalwareSubject, Analysis classes
bundle = Bundle(defined_subject=False)
package = Package()
subject = MalwareSubject()
analysis = Analysis()
# Populate the Analysis with the metadata relating to the Analysis that was performed
analysis.method = "dynamic"
analysis.type_ = "triage"
analysis.set_findings_bundle(bundle.id_)
t = ToolInformation()
t.name = "APIMonitor"
t.vendor = "APIMonitor"
analysis.add_tool(t)
# Malware Instance Object Attribures内で使うためのオブジェクトを作成(マルウェアを含んだファイル?)
from maec.package.package import Package
from maec.package.malware_subject import MalwareSubject
from maec.package.analysis import Analysis
from maec.bundle.bundle import Bundle, BehaviorReference
from maec.bundle.malware_action import MalwareAction
from maec.bundle.capability import Capability, CapabilityObjective, CapabilityList
from maec.bundle.behavior import Behavior, BehavioralActions, BehavioralActionReference
from cybox.core import Object, AssociatedObject, AssociatedObjects
from cybox.objects.win_executable_file_object import WinExecutableFile
from cybox.objects.win_hook_object import WinHook
from cybox.common import VocabString
# Set up the necessary Package, Malware Subject, Analysis Bundle Instances
p = Package()
ms = MalwareSubject()
b = Bundle()
a = Analysis()
# Set the Malware_Instance_Object_Attributes on the Malware Subject
ms.malware_instance_object_attributes = Object()
ms.malware_instance_object_attributes.properties = WinExecutableFile()
ms.malware_instance_object_attributes.properties.size_in_bytes = "210564"
ms.malware_instance_object_attributes.properties.add_hash(
"B6C39FF68346DCC8B67AA060DEFE40C2")
# Populate the Analysis with the metadata relating to the Analysis that was performed
a.method = "static"
a.type_ = "in-depth"
a.set_findings_bundle(b.id_)
# Set the requisite attributes on the Bundle and populate it with the In-depth Analysis findings
def test_round_trip(self):
o = MalwareSubject()
o.add_findings_bundle(Bundle())
o2 = round_trip(o)
self.assertEqual(o.to_dict(), o2.to_dict())
def test_id_autoset(self):
o = Bundle()
self.assertNotEqual(o.id_, None)
def vt_report_to_maec_package(vt_report_input, options = None):
"""Accept a VirusTotal report (as a Python structure) and return a corresponding MAEC Package API object."""
NS = Namespace("https://github.com/MAECProject/vt-to-maec", "VirusTotalToMAEC")
maec.utils.set_id_namespace(NS)
package = Package()
# if only one result, make it a list of one result
if type(vt_report_input) != list:
vt_report_list = [vt_report_input]
else:
vt_report_list = vt_report_input
for idx, vt_report in enumerate(vt_report_list):
# if VirusTotal has never seen this MD5
if vt_report["response_code"] == 0:
sys.stderr.write("WARNING: Skipping file #" + str(idx+1) + " (" + vt_report["resource"] + "); this MD5 is unknown to VirusTotal\n")
sys.stderr.flush();
continue
if vt_report["response_code"] == -1:
sys.stderr.write("WARNING: VirusTotal had an unexpected error on file #" + str(idx+1) + " (" + vt_report["resource"] + "): " +
vt_report.get("verbose_message", "no message provided") + "\n")
sys.stderr.flush();
continue
malware_subject = MalwareSubject()
# create the file object and add hashes
file_dict = {}
file_dict['xsi:type'] = 'WindowsExecutableFileObjectType'
file_dict['hashes'] = [
{'type' : 'MD5', 'simple_hash_value': vt_report["md5"] },
{'type' : 'SHA1', 'simple_hash_value': vt_report["sha1"] },
{'type' : 'SHA256', 'simple_hash_value': vt_report["sha256"] }
]
# set the object as the defined object
object_dict = {}
object_dict['id'] = maec.utils.idgen.create_id(prefix="object")
object_dict['properties'] = file_dict
# bind the object to the malware subject object
malware_subject.set_malware_instance_object_attributes(Object.from_dict(object_dict))
# create the analysis and add it to the subject
analysis = Analysis()
analysis.type_ = 'triage'
analysis.method = 'static'
analysis.complete_datetime = vt_report["scan_date"].replace(" ", "T")
analysis.add_tool(ToolInformation.from_dict({'id' : maec.utils.idgen.create_id(prefix="tool"),
'vendor' : 'VirusTotal',
'name' : 'VirusTotal' }))
malware_subject.add_analysis(analysis)
bundle_obj = Bundle()
for vendor, scan in vt_report["scans"].items():
if scan["result"] is not None:
bundle_obj.add_av_classification(AVClassification.from_dict({ 'classification_name' : scan["result"], 'vendor' : vendor }))
# add bundle to subject, bundle to analysis, and subject to package
malware_subject.add_findings_bundle(bundle_obj)
analysis.set_findings_bundle(bundle_obj.id_)
package.add_malware_subject(malware_subject)
package.__input_namespaces__["https://github.com/MAECProject/vt-to-maec"] = "VirusTotalToMAEC"
if options:
if options.normalize_bundles:
malware_subject.normalize_bundles()
if options.deduplicate_bundles:
malware_subject.deduplicate_bundles()
if options.dereference_bundles:
malware_subject.dereference_bundles()
return package
def test_round_trip(self):
o = Bundle()
o2 = round_trip(o, True)
self.assertEqual(o.to_dict(), o2.to_dict())
# Code for MAEC Static Analysis Idiom
from maec.package.package import Package
from maec.package.malware_subject import MalwareSubject
from maec.package.analysis import Analysis, Source
from cybox.core import Object
from cybox.objects.win_executable_file_object import WinExecutableFile, PEHeaders, PEOptionalHeader
from cybox.common import ToolInformation
from maec.bundle.bundle import Bundle
# Set up the necessary Package, Malware Subject, Analysis Bundle Instances
p = Package()
ms = MalwareSubject()
b = Bundle()
a = Analysis()
# Set the Malware_Instance_Object_Attributes on the Malware Subject
ms.malware_instance_object_attributes = Object()
ms.malware_instance_object_attributes.properties = WinExecutableFile()
ms.malware_instance_object_attributes.properties.file_name = "dg003_improve_8080_V132.exe"
ms.malware_instance_object_attributes.properties.size_in_bytes = "196608"
ms.malware_instance_object_attributes.properties.add_hash(
"4EC0027BEF4D7E1786A04D021FA8A67F")
# Populate the Analysis with the metadata relating to the Analysis that was performed
a.method = "static"
a.type_ = "triage"
a.summary = "A basic static triage of the subject binary using PEiD."
a.set_findings_bundle(b.id_)
a.source = Source()
a.source.name = "Frankie Li"
a.source.url = "http://www.sans.org/reading_room/whitepapers/malicious/detailed-analysis-advanced-persistent-threat-malware_33814"
# Import the required APIs from maec.bundle.bundle import Bundle from maec.bundle.malware_action import MalwareAction from maec.utils import IDGenerator, set_id_method from cybox.core import Object, AssociatedObjects, AssociatedObject, AssociationType from cybox.objects.file_object import File # Instantiate the MAEC/CybOX Entities set_id_method(IDGenerator.METHOD_INT) b = Bundle() a = MalwareAction() ao = AssociatedObject() # Build the Associated Object for use in the Action ao.properties = File() ao.properties.file_name = "badware.exe" ao.properties.size_in_bytes = "123456" ao.association_type = AssociationType() ao.association_type.value = 'output' ao.association_type.xsi_type = 'maecVocabs:ActionObjectAssociationTypeVocab-1.0' # Build the Action and add the Associated Object to it a.name = 'create file' a.name.xsi_type = 'maecVocabs:FileActionNameVocab-1.0' a.associated_objects = AssociatedObjects() a.associated_objects.append(ao) # Add the Action to the Bundle b.add_action(a) # Output the Bundle to stdout
def test_round_trip(self):
o = Bundle()
o2 = round_trip(o, True)
self.assertEqual(o.to_dict(), o2.to_dict())