def create_maec(self, url_indicator):
    """Wrap one URL indicator in a MAEC Package.

    The URL becomes the Malware Instance Object Attributes of a single
    Malware Subject, expressed as a CybOX ``URI`` of type URL.

    ``url_indicator`` is stored verbatim: nothing here checks that it is
    non-empty or a well-formed URL, so callers ingesting indicators from
    an untrusted feed should validate (scheme, length, encoding) before
    calling this.  ``self`` is not used.

    Args:
        url_indicator: the URL string to record.

    Returns:
        A ``Package`` holding exactly one ``MalwareSubject``.
    """
    # Instantiation order (Package, MalwareSubject, Object, URI) is kept as
    # in the original; IDs look like they come from a shared generator.
    package = Package()
    subject = MalwareSubject()

    url_object = Object()
    url_object.properties = URI(type_=URI.TYPE_URL)
    url_object.properties.value = url_indicator
    subject.malware_instance_object_attributes = url_object

    package.add_malware_subject(subject)
    return package
def create_maec(self, url_indicator):
    """Build a MAEC Package describing a single URL indicator.

    A ``MalwareSubject`` is created whose instance object is a CybOX
    ``URI`` (``TYPE_URL``) carrying ``url_indicator`` unchanged.  No
    validation or normalisation is performed on the value, so indicator
    data of untrusted origin should be checked by the caller first.
    ``self`` is unused.

    Args:
        url_indicator: URL string to embed.

    Returns:
        ``Package`` containing the one subject.
    """
    package = Package()
    ms = MalwareSubject()
    ms.malware_instance_object_attributes = Object()

    # Build the URI fully before attaching it to the subject's object.
    url = URI(type_=URI.TYPE_URL)
    url.value = url_indicator
    ms.malware_instance_object_attributes.properties = url

    package.add_malware_subject(ms)
    return package
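def merge_malware_subjects(malware_subject_list):
    """Merge a list of input Malware Subjects.

    Subjects are grouped by ``bin_malware_subjects`` (the comment in the
    original says "by hash").  Every bin with two or more members is
    collapsed into one freshly created ``MalwareSubject``; the IDs of the
    originals are recorded in ``id_mappings`` so relationships that
    pointed at them can be rewritten by ``update_relationships``.
    Subjects that are alone in their bin are passed through untouched.

    Security note: the merge key is whatever digest the binning helper
    uses.  If that is a weak or attacker-influenced hash (e.g. MD5 taken
    from submitted sample metadata), colliding values would cause
    unrelated subjects to be merged -- confirm the key in
    ``bin_malware_subjects`` before relying on merged output.

    Args:
        malware_subject_list: ``MalwareSubject`` instances to merge.  It is
            iterated twice, so pass a list rather than a one-shot iterator.

    Returns:
        A new list of the merged subjects followed by the unmerged
        originals, with their relationships already updated.
    """
    id_mappings = {}
    output_subjects = []

    binned_subjects = bin_malware_subjects(malware_subject_list)

    for binned_list in binned_subjects.values():
        # A bin with a single member has nothing to merge.
        if len(binned_list) < 2:
            continue
        merged_malware_subject = MalwareSubject()
        # Map each old ID onto the new subject before merging, so the merge
        # step can see the mappings while it rewrites references.
        create_mappings(id_mappings, binned_list, merged_malware_subject)
        merge_binned_malware_subjects(merged_malware_subject, binned_list, id_mappings)
        output_subjects.append(merged_malware_subject)

    # Anything whose ID was never mapped did not take part in a merge.
    # Membership is tested on the dict itself (O(1)); the original built
    # a fresh ``.keys()`` list per iteration.
    output_subjects.extend(
        malware_subject
        for malware_subject in malware_subject_list
        if malware_subject.id_ not in id_mappings
    )

    # Rewrite relationships that referenced the now-merged IDs.
    update_relationships(output_subjects, id_mappings)
    return output_subjects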
from cybox.core import AssociatedObjects, AssociatedObject, Object, AssociationType
from cybox.common import Hash, HashList, VocabString
from cybox.objects.file_object import File
from maec.bundle import Bundle, Collections, MalwareAction, Capability
from maec.package import Analysis, MalwareSubject, Package
from cybox.utils import Namespace
import maec.utils

# Every auto-generated ID below is minted under this namespace.  The
# example.com value is a placeholder; a real producer should use a
# namespace it controls so its IDs cannot collide with other feeds.
NS = Namespace("http://example.com/", "example")
maec.utils.set_id_namespace(NS)

# Top-level MAEC containers.  Creation order is preserved from the
# original listing because IDs appear to come from a shared generator.
bundle = Bundle(defined_subject=False)
package = Package()
subject = MalwareSubject()
analysis = Analysis()

# The Malware Instance Object Attributes: the file this subject describes.
subject_object = Object()
subject_file = File()
subject_object.properties = subject_file
# NOTE(review): `name` differs from the `file_name` field used for the
# associated object further down -- confirm File really exposes `name`;
# an unknown attribute on a cybox entity may be dropped silently on export.
subject_file.name = 'foobar.exe'
subject_file.size_in_bytes = '35532'  # kept as a string, as in the original
subject_hashes = HashList()
# A single 32-hex digest (presumably MD5) with no explicit hash type, so
# the library is left to infer it.  Beyond a demo, record SHA-256 as well:
# MD5 is collision-prone and a poor sole identity for a sample.
subject_hashes.append(Hash("8743b52063cd84097a65d1633f5c74f5"))
subject_file.hashes = subject_hashes
subject.set_malware_instance_object_attributes(subject_object)

# The object an Action will refer to (the Action itself is outside this
# excerpt).
associated_object = AssociatedObject()
associated_file = File()
associated_object.properties = associated_file
associated_file.file_name = 'abcd.dll'
associated_file.size_in_bytes = '123456'
# Builds (and, in the full script, exports) a MAEC Package containing:
#   - one Malware Subject
#   - one Bundle embedded in that Malware Subject
#   - one Action embedded in the Bundle
#   - one Capability embedded in the Bundle
# Only the container setup and the two File objects are in this excerpt.
from cybox.core import AssociatedObjects, AssociatedObject, Object, AssociationType
from cybox.common import Hash, HashList, VocabString
from cybox.objects.file_object import File
from maec.bundle import Bundle, MalwareAction, Capability
from maec.package import Analysis, MalwareSubject, Package

# Top-level containers, created in the same order as the original since
# IDs look like they are handed out by a shared generator.
bundle = Bundle(defined_subject=False)
package = Package()
subject = MalwareSubject()
analysis = Analysis()

# File that the Malware Subject describes.
subject_object = Object()
subject_object.properties = File()
props = subject_object.properties  # alias; same File instance
# NOTE(review): `name` vs the `file_name` field used for the associated
# object below -- confirm File exposes `name`, otherwise the value may be
# silently omitted from the serialized output.
props.name = 'foobar.exe'
props.size_in_bytes = '35532'  # string, as in the original
props.hashes = HashList()
# Untyped 32-hex digest (presumably MD5); the library infers the type.
# For real data add a SHA-256 alongside -- MD5 alone is collision-prone
# and should not be the sole identity of a sample.
props.hashes.append(Hash("8743b52063cd84097a65d1633f5c74f5"))
subject.set_malware_instance_object_attributes(subject_object)

# File the Action will be associated with (the Action is not shown here).
associated_object = AssociatedObject()
associated_object.properties = File()
associated_object.properties.file_name = 'abcd.dll'