def create_maec(inputfile, outpath, verbose_error_mode): if os.path.isfile(inputfile): #Create the main parser object parser = gparser.parser() try: open_file = parser.open_file(inputfile) if not open_file: print('\nError: Error in parsing input file. Please check to ensure that it is valid XML and conforms to the GFI Sandbox output schema.') return #Parse the file to get the actions and processes parser.parse_document() #Create the MAEC package package = Package() #Add the analysis package.add_malware_subject(parser.malware_subject) #Finally, Export the results package.to_xml_file(outpath, {"https://github.com/MAECProject/gfi-sandbox-to-maec":"GFISandboxToMAEC"}) print "Wrote to " + outpath except Exception, err: print('\nError: %s\n' % str(err)) if verbose_error_mode: traceback.print_exc()
def generate_package_from_parser(input_parser, options=None, from_md5=False): """Take a populated ThreatExpert parser object and return a MAEC package object.""" try: # Parse the file to get the actions and processes input_parser.parse_document() except: if from_md5: raise Exception("Fetched document is not a valid ThreatExpert report. It is likely that this file has never been reported to ThreatExpert.") else: raise Exception("Input document is not a valid ThreatExpert report.") # Create the MAEC Package package = Package() # Add the namespace to the package package.__input_namespaces__["ThreatExpertToMAEC"] = "https://github.com/MAECProject/threatexpert-to-maec" # Add the analysis for malware_subject in input_parser.maec_subjects: if options: if options.normalize_bundles: malware_subject.normalize_bundles() if options.deduplicate_bundles: malware_subject.deduplicate_bundles() if options.dereference_bundles: malware_subject.dereference_bundles() package.add_malware_subject(malware_subject) return package
def create_maec(inputfile, outpath, verbose_error_mode, options): if os.path.isfile(inputfile): #Create the main parser object parser = anparser.parser() try: open_file = parser.open_file(inputfile) if not open_file: print('\nError: Error in parsing input file. Please check to ensure that it is valid XML and conforms to the Anbuis output schema.') return #Parse the file to get the actions and processes parser.parse_document() #Create the MAEC package package = Package() #Add the analysis for subject in parser.maec_subjects: package.add_malware_subject(subject) if options: if options.normalize_bundles: subject.normalize_bundles() if options.deduplicate_bundles: subject.deduplicate_bundles() if options.dereference_bundles: subject.dereference_bundles() ##Finally, Export the results package.to_xml_file(outpath, {"https://github.com/MAECProject/anubis-to-maec":"AnubisToMAEC"}) print "Wrote to " + outpath except Exception, err: print('\nError: %s\n' % str(err)) if verbose_error_mode: traceback.print_exc()
def _add_stix_ttp(self, malware_subject): """Create and add a STIX TTP for a MAEC Malware Subject. Args: malware_subject: the ``maec.malware_subject.MalwareSubject`` for which the STIX TTP will be created. Returns: The ID of the newly created STIX TTP. """ # Create the STIX TTP that includes the MAEC Instance ttp = TTP() ttp.behavior = Behavior() # Add a MAEC Package with just the Malware Subject # For capturing the identity of the malware binary that the Indicators target maec_package = Package() new_malware_subject = MalwareSubject() new_malware_subject.malware_instance_object_attributes = malware_subject.malware_instance_object_attributes maec_package.add_malware_subject(new_malware_subject) maec_malware_instance = MAECInstance() maec_malware_instance.maec = maec_package ttp.behavior.add_malware_instance(maec_malware_instance) self.stix_package.add_ttp(ttp) return ttp.id_
def generate_package_from_parser(input_parser, options=None): # Parse the file and perform the translation into MAEC input_parser.parse_document() # Create the MAEC Package package = Package() # Get the Malware Subject malware_subject = input_parser.malware_subject # Check for the existence of the options structure and if any are set # If so, perform the appropriate actions if options: if options.normalize_bundles: malware_subject.normalize_bundles() if options.deduplicate_bundles: malware_subject.deduplicate_bundles() if options.dereference_bundles: malware_subject.dereference_bundles() # Add the Malware Subject package.add_malware_subject(malware_subject) return package
ms2_ms4_rel.malware_subject_reference[0].malware_subject_idref = ms4.id_ ms2.relationships.append(ms2_ms4_rel) # Add the ms3 -> ms2 "downloaded by" relationship ms3.relationships = MalwareSubjectRelationshipList() ms3_ms2_rel = MalwareSubjectRelationship() ms3_ms2_rel.type_ = VocabString() ms3_ms2_rel.type_.value = "downloaded by" ms3_ms2_rel.type_.xsi_type = "maecVocabs:MalwareSubjectRelationshipTypeVocab-1.0" ms3_ms2_rel.malware_subject_reference = [MalwareSubjectReference()] ms3_ms2_rel.malware_subject_reference[0].malware_subject_idref = ms2.id_ ms3.relationships.append(ms3_ms2_rel) # Add the ms4 -> ms2 "downloaded by" relationship ms4.relationships = MalwareSubjectRelationshipList() ms4_ms2_rel = MalwareSubjectRelationship() ms4_ms2_rel.type_ = VocabString() ms4_ms2_rel.type_.value = "downloaded by" ms4_ms2_rel.type_.xsi_type = "maecVocabs:MalwareSubjectRelationshipTypeVocab-1.0" ms4_ms2_rel.malware_subject_reference = [MalwareSubjectReference()] ms4_ms2_rel.malware_subject_reference[0].malware_subject_idref = ms2.id_ ms4.relationships.append(ms4_ms2_rel) # Build up the full Package/Malware Subject hierarchy p.add_malware_subject(ms1) p.add_malware_subject(ms2) p.add_malware_subject(ms3) p.add_malware_subject(ms4) # Output the built up Package to XML print p.to_xml()
o1.properties = WinExecutableFile() o1.properties.file_name = "Zcxaxz.exe" o1.properties.size_in_bytes = "332288" o1.association_type = VocabString() o1.association_type.value = "output" o1.association_type.xsi_type = "maecVocabs:ActionObjectAssociationTypeVocab-1.0" act1.associated_objects.append(o1) # Create the second, create mutex action act2 = MalwareAction() act2.name = "create mutex" act2.name.xsi_type = "SynchronizationActionNameVocab-1.0" act2.associated_objects = AssociatedObjects() o2 = AssociatedObject() o2.properties = WinMutex() o2.properties.name = "redem-Mutex" o2.association_type = VocabString() o2.association_type.value = "output" o2.association_type.xsi_type = "maecVocabs:ActionObjectAssociationTypeVocab-1.0" act2.associated_objects.append(o2) # Build up the full Package/Malware Subject/Analysis/Bundle hierarchy p.add_malware_subject(ms) b.add_action(act1) b.add_action(act2) ms.add_analysis(a) ms.add_findings_bundle(b) # Output the built up Package to XML print p.to_xml()
from maec.package.analysis import Analysis from maec.package.malware_subject import MalwareSubject from maec.package.package import Package from maec.id_generator import Generator from maec.utils import MAECNamespaceParser from cybox.core.object import Object from cybox.core.associated_object import AssociatedObject #Instantiate the ID generator class (for automatic ID generation) with our example namespace generator = Generator('example1') #Instantiate the Bundle, Package, MalwareSubject, and Analysis classes bundle = Bundle(id=generator.generate_bundle_id(), defined_subject=False) package = Package(id=generator.generate_package_id()) subject = MalwareSubject(id=generator.generate_malware_subject_id()) analysis = Analysis(id=generator.generate_analysis_id()) #Create the Subject Object Dictionary for use in the Malware Instance Object Attributes subject_object_dict = {'id' : generator.generate_object_id(), 'properties' : {'xsi:type' : 'FileObjectType', 'name' : 'foobar.exe', 'size_in_bytes' : '35532'}} #Set the Malware Instance Object Attributes with an Object constructed from the dictionary subject.set_malware_instance_object_attributes(Object.from_dict(subject_object_dict)) #Create the Associated Object Dictionary for use in the Action associated_object_dict = {'id' : generator.generate_object_id(), 'properties' : {'xsi:type' : 'FileObjectType', 'file_name' : 'abcd.dll', 'size_in_bytes' : '12346'}, 'association_type' : {'value' : 'output', 'xsi:type' : 'maecVocabs:ActionObjectAssociationTypeVocab-1.0'}} #Create the Action from another dictionary action = MalwareAction.from_dict({'id' : generator.generate_malware_action_id(), 'name' : {'value' : 'create file', 'xsi:type' : 'maecVocabs:FileActionNameVocab-1.0'}, 'associated_objects' : [associated_object_dict]}) #Add the Action to the buundle bundle.add_action(action) #Add the Bundle to the Malware Subject subject.add_findings_bundle(bundle) #Add the Malware Subject to the Package package.add_malware_subject(subject) #Export the Package Bindings Object to an XML file and use the namespaceparser for writing out the namespace definitions package.to_xml_file('example1.xml')
act1.associated_objects.append(o1) # Create the Process Tree p_tree = ProcessTree() # Create the root process root_p = ProcessTreeNode() root_p.name = "first_process.exe" root_p.add_initiated_action(act1.id_) # Create the spawned process spawned_p = ProcessTreeNode() spawned_p.name = "malproc.exe" # Add the spawned process to the root process root_p.add_spawned_process(spawned_p) # Set the root process in the process_tree p_tree.set_root_process(root_p) # Build up the full Package/Malware Subject/Analysis/Bundle hierarchy p.add_malware_subject(ms) b.add_action(act1) b.set_process_tree(p_tree) ms.add_analysis(a) ms.add_findings_bundle(b) # Output the built up Package to XML print p.to_xml()
class PefileToMAEC(object): def __init__(self, pefile_parser): self.pefile_parser = pefile_parser NS = Namespace("http://code.google.com/p/pefile/", "pefile") maec.utils.set_id_namespace(NS) self.package = Package() self.generate_maec() def create_object_dict(self, properties_dict): object_dict = {'id': maec.utils.idgen.create_id(prefix="object"), 'properties': properties_dict} return object_dict def populate(self, entry_dict, static_bundle, malware_subject=None): if 'file' in entry_dict and len(entry_dict['file'].keys()) > 1: file_dict = self.create_object_dict(entry_dict['file']) if malware_subject: malware_subject.malware_instance_object_attributes = Object.from_dict(file_dict) # Add the hashes for the Malware Instance Object Attributes data = open(self.pefile_parser.infile, 'rb').read() if data: md5_hash = hashlib.md5(data).hexdigest() sha1_hash = hashlib.sha1(data).hexdigest() malware_subject.malware_instance_object_attributes.properties.add_hash(md5_hash) malware_subject.malware_instance_object_attributes.properties.add_hash(sha1_hash) else: static_bundle.add_object(Object.from_dict(file_dict)) if 'pe' in entry_dict and len(entry_dict['pe'].keys()) > 1: pe_dict = self.create_object_dict(entry_dict['pe']) static_bundle.add_object(Object.from_dict(pe_dict)) def generate_analysis(self, static_bundle): analysis = Analysis() analysis.type = 'triage' analysis.method = 'static' analysis.add_tool(ToolInformation.from_dict({'id': maec.utils.idgen.create_id(prefix="tool"), 'vendor': 'Ero Carrera', 'name': 'pefile'})) findings_bundle_reference = [] if self.bundle_has_content(static_bundle): findings_bundle_reference.append(BundleReference.from_dict({'bundle_idref':static_bundle.id_})) analysis.findings_bundle_reference = findings_bundle_reference return analysis def bundle_has_content(self, bundle): if bundle.actions and len(bundle.actions) > 0: return True if bundle.objects and len(bundle.objects) > 0: return True if bundle.behaviors and len(bundle.behaviors) > 0: return True return False def generate_malware_subjects(self): entry_dict = self.pefile_parser.entry_dict malware_subject = MalwareSubject() entry_dict['id'] = malware_subject static_bundle = Bundle(None, False, '4.1', 'static analysis tool output') self.populate(entry_dict, static_bundle, malware_subject) malware_subject.add_analysis(self.generate_analysis(static_bundle)) if self.bundle_has_content(static_bundle): malware_subject.add_findings_bundle(static_bundle) self.package.add_malware_subject(malware_subject) def generate_maec(self): self.generate_malware_subjects()
def vt_report_to_maec_package(vt_report_input, options = None): """Accept a VirusTotal report (as a Python structure) and return a corresponding MAEC Package API object.""" NS = Namespace("https://github.com/MAECProject/vt-to-maec", "VirusTotalToMAEC") maec.utils.set_id_namespace(NS) package = Package() # if only one result, make it a list of one result if type(vt_report_input) != list: vt_report_list = [vt_report_input] else: vt_report_list = vt_report_input for idx, vt_report in enumerate(vt_report_list): # if VirusTotal has never seen this MD5 if vt_report["response_code"] == 0: sys.stderr.write("WARNING: Skipping file #" + str(idx+1) + " (" + vt_report["resource"] + "); this MD5 is unknown to VirusTotal\n") sys.stderr.flush(); continue if vt_report["response_code"] == -1: sys.stderr.write("WARNING: VirusTotal had an unexpected error on file #" + str(idx+1) + " (" + vt_report["resource"] + "): " + vt_report.get("verbose_message", "no message provided") + "\n") sys.stderr.flush(); continue malware_subject = MalwareSubject() # create the file object and add hashes file_dict = {} file_dict['xsi:type'] = 'WindowsExecutableFileObjectType' file_dict['hashes'] = [ {'type' : 'MD5', 'simple_hash_value': vt_report["md5"] }, {'type' : 'SHA1', 'simple_hash_value': vt_report["sha1"] }, {'type' : 'SHA256', 'simple_hash_value': vt_report["sha256"] } ] # set the object as the defined object object_dict = {} object_dict['id'] = maec.utils.idgen.create_id(prefix="object") object_dict['properties'] = file_dict # bind the object to the malware subject object malware_subject.set_malware_instance_object_attributes(Object.from_dict(object_dict)) # create the analysis and add it to the subject analysis = Analysis() analysis.type_ = 'triage' analysis.method = 'static' analysis.complete_datetime = vt_report["scan_date"].replace(" ", "T") analysis.add_tool(ToolInformation.from_dict({'id' : maec.utils.idgen.create_id(prefix="tool"), 'vendor' : 'VirusTotal', 'name' : 'VirusTotal' })) malware_subject.add_analysis(analysis) bundle_obj = Bundle() for vendor, scan in vt_report["scans"].items(): if scan["result"] is not None: bundle_obj.add_av_classification(AVClassification.from_dict({ 'classification_name' : scan["result"], 'vendor' : vendor })) # add bundle to subject, bundle to analysis, and subject to package malware_subject.add_findings_bundle(bundle_obj) analysis.set_findings_bundle(bundle_obj.id_) package.add_malware_subject(malware_subject) package.__input_namespaces__["https://github.com/MAECProject/vt-to-maec"] = "VirusTotalToMAEC" if options: if options.normalize_bundles: malware_subject.normalize_bundles() if options.deduplicate_bundles: malware_subject.deduplicate_bundles() if options.dereference_bundles: malware_subject.dereference_bundles() return package