def merge_binned_malware_subjects(merged_malware_subject, binned_list, id_mappings_dict):
    '''Merge a list of input binned (related) Malware Subjects into one.

    The merged result is written onto ``merged_malware_subject`` in place;
    nothing is returned.

    Args:
        merged_malware_subject: the target Malware Subject that receives the
            merged attributes.
        binned_list: the Malware Subjects to fold together.
        id_mappings_dict: accepted for interface compatibility; this function
            neither reads nor writes it.
            NOTE(review): the merged Object below is given a brand-new ID, and
            no old-ID -> new-ID entry is recorded anywhere here. If callers
            expect this dict to carry that mapping (so that references to the
            original Object IDs can be rewritten later), it is not populated
            by this function -- confirm against the caller.
    '''

    def _concat(attr_name):
        # Flatten the given list-valued attribute across all binned subjects,
        # skipping subjects where the attribute is unset or empty.
        return list(itertools.chain.from_iterable(
            getattr(subject, attr_name)
            for subject in binned_list
            if getattr(subject, attr_name)))

    # Malware_Instance_Object_Attributes: merge the Objects, then give the
    # result a fresh ID so it does not collide with any of the inputs.
    merged_inst_obj = Object.from_dict(merge_entities(
        [subject.malware_instance_object_attributes for subject in binned_list]))
    merged_inst_obj.id_ = maec.utils.idgen.create_id('object')

    # Collapse duplicate hashes; simple and fuzzy hashes are keyed on
    # different value fields, so each needs its own pass.
    properties = merged_inst_obj.properties
    if properties and properties.hashes:
        unique_hashes = properties.hashes
        for value_name in ('simple_hash_value', 'fuzzy_hash_value'):
            unique_hashes = HashList(
                deduplicate_vocabulary_list(unique_hashes, value_name=value_name))
        properties.hashes = unique_hashes

    # Labels are flattened and then deduplicated as a vocabulary list.
    deduplicated_labels = deduplicate_vocabulary_list(_concat('label'))

    # Configuration details: merged only when at least one subject has them.
    config_details_list = [
        subject.configuration_details
        for subject in binned_list
        if subject.configuration_details]
    merged_config_details = None
    if config_details_list:
        merged_config_details = MalwareConfigurationDetails.from_dict(
            merge_entities(config_details_list))

    merged_minor_variants = _concat('minor_variants')
    # Field data: TODO -- add support; not implemented in the APIs.
    merged_analyses = _concat('analyses')
    merged_findings_bundles = merge_findings_bundles([
        subject.findings_bundles
        for subject in binned_list
        if subject.findings_bundles])
    merged_relationships = _concat('relationships')
    merged_compatible_platforms = _concat('compatible_platform')

    # Assemble the merged Malware Subject. The Object is always assigned;
    # every other field is only set when the merge produced something,
    # wrapped in its MAEC container type where one exists.
    merged_malware_subject.malware_instance_object_attributes = merged_inst_obj
    assignments = (
        ('label', deduplicated_labels, None),
        ('configuration_details', merged_config_details, None),
        ('minor_variants', merged_minor_variants, MinorVariants),
        ('analyses', merged_analyses, Analyses),
        ('findings_bundles', merged_findings_bundles, None),
        ('relationships', merged_relationships, MalwareSubjectRelationshipList),
        ('compatible_platform', merged_compatible_platforms, None),
    )
    for attr_name, merged_value, container in assignments:
        if merged_value:
            if container is not None:
                merged_value = container(merged_value)
            setattr(merged_malware_subject, attr_name, merged_value)
def createconfigurationdetails(self, storage=None, obfuscation=None, configuration_parameter=None):
    """Build a MalwareConfigurationDetails with the given fields set.

    Args:
        storage: value assigned to ``configuration_details.storage``.
        obfuscation: value assigned to ``configuration_details.obfuscation``.
        configuration_parameter: value assigned to
            ``configuration_details.configuration_parameter``.

    Returns:
        A new MalwareConfigurationDetails instance. Each field is assigned
        unconditionally, so an omitted argument is stored as None.
    """
    details = MalwareConfigurationDetails()
    field_values = (
        ('storage', storage),
        ('obfuscation', obfuscation),
        ('configuration_parameter', configuration_parameter),
    )
    for field_name, value in field_values:
        setattr(details, field_name, value)
    return details
def merge_binned_malware_subjects(merged_malware_subject, binned_list, id_mappings_dict):
    '''Merge a list of input binned (related) Malware Subjects into one.

    Mutates ``merged_malware_subject`` in place and returns None.

    Args:
        merged_malware_subject: the Malware Subject that receives the merged
            attributes.
        binned_list: the related Malware Subjects to combine.
        id_mappings_dict: kept for interface compatibility; it is not read or
            written by this function.
            NOTE(review): the merged Object gets a newly generated ID and no
            mapping from the inputs' Object IDs to it is recorded here, so
            any reference to the original IDs is not remapped by this
            function -- confirm whether the caller handles that.
    '''

    def _flatten(attr_name):
        # Concatenate a list-valued attribute over the binned subjects,
        # ignoring subjects where it is missing or empty.
        return list(itertools.chain.from_iterable(
            getattr(subject, attr_name)
            for subject in binned_list
            if getattr(subject, attr_name)))

    # Merge the Malware_Instance_Object_Attributes and assign a fresh ID so
    # the merged Object does not reuse any input Object's ID.
    instance_objects = [
        subject.malware_instance_object_attributes for subject in binned_list]
    merged_inst_obj = Object.from_dict(merge_entities(instance_objects))
    merged_inst_obj.id_ = idgen.create_id('object')

    # Drop duplicate hashes. Simple and fuzzy hashes carry their value in
    # different fields, hence one deduplication pass per field.
    properties = merged_inst_obj.properties
    if properties and properties.hashes:
        hashes = properties.hashes
        for value_name in ('simple_hash_value', 'fuzzy_hash_value'):
            hashes = HashList(
                deduplicate_vocabulary_list(hashes, value_name=value_name))
        properties.hashes = hashes

    # Labels: flatten, then deduplicate as a vocabulary list.
    deduplicated_labels = deduplicate_vocabulary_list(_flatten('label'))

    # Configuration details are merged only if some subject carries them.
    merged_config_details = None
    config_details_list = [
        subject.configuration_details
        for subject in binned_list
        if subject.configuration_details]
    if config_details_list:
        merged_config_details = MalwareConfigurationDetails.from_dict(
            merge_entities(config_details_list))

    merged_minor_variants = _flatten('minor_variants')
    # Field data: TODO -- add support; not implemented in the APIs.
    merged_analyses = _flatten('analyses')
    merged_findings_bundles = merge_findings_bundles([
        subject.findings_bundles
        for subject in binned_list
        if subject.findings_bundles])
    merged_relationships = _flatten('relationships')
    merged_compatible_platforms = _flatten('compatible_platform')

    # Populate the merged Malware Subject. The Object is always set; the
    # remaining fields are set only when non-empty, wrapped in their MAEC
    # container type where the API has one.
    merged_malware_subject.malware_instance_object_attributes = merged_inst_obj
    field_plan = (
        ('label', deduplicated_labels, None),
        ('configuration_details', merged_config_details, None),
        ('minor_variants', merged_minor_variants, MinorVariants),
        ('analyses', merged_analyses, Analyses),
        ('findings_bundles', merged_findings_bundles, None),
        ('relationships', merged_relationships, MalwareSubjectRelationshipList),
        ('compatible_platform', merged_compatible_platforms, None),
    )
    for attr_name, value, container in field_plan:
        if not value:
            continue
        setattr(merged_malware_subject, attr_name,
                value if container is None else container(value))