def create_maec(inputfile, outpath, verbose_error_mode): if os.path.isfile(inputfile): #Create the main parser object parser = gparser.parser() try: open_file = parser.open_file(inputfile) if not open_file: print('\nError: Error in parsing input file. Please check to ensure that it is valid XML and conforms to the GFI Sandbox output schema.') return #Parse the file to get the actions and processes parser.parse_document() #Create the MAEC package package = Package() #Add the analysis package.add_malware_subject(parser.malware_subject) #Finally, Export the results package.to_xml_file(outpath, {"https://github.com/MAECProject/gfi-sandbox-to-maec":"GFISandboxToMAEC"}) print "Wrote to " + outpath except Exception, err: print('\nError: %s\n' % str(err)) if verbose_error_mode: traceback.print_exc()
def merge_packages(package_list, namespace = None): '''Merge a list of input MAEC Packages and return a merged Package instance.''' malware_subjects = [] # Instantiate the ID generator class (for automatic ID generation) if not namespace: NS = Namespace("https://github.com/MAECProject/python-maec", "merged") else: NS = namespace maec.utils.set_id_namespace(NS) # Build the list of Malware Subjects for package in package_list: for malware_subject in package.malware_subjects: malware_subjects.append(malware_subject) # Merge the Malware Subjects merged_subjects = merge_malware_subjects(malware_subjects) # Merge the input namespace/schemaLocation dictionaries merged_namespaces = {} merged_schemalocations = {} for package in package_list: merged_namespaces.update(package.__input_namespaces__) merged_schemalocations.update(package.__input_schemalocations__) # Create a new Package with the merged Malware Subjects merged_package = Package() merged_package.malware_subjects = MalwareSubjectList(merged_subjects) merged_package.__input_namespaces__ = merged_namespaces merged_package.__input_schemalocations__ = merged_schemalocations return merged_package
def generate_package_from_parser(input_parser, options=None, from_md5=False): """Take a populated ThreatExpert parser object and return a MAEC package object.""" try: # Parse the file to get the actions and processes input_parser.parse_document() except: if from_md5: raise Exception("Fetched document is not a valid ThreatExpert report. It is likely that this file has never been reported to ThreatExpert.") else: raise Exception("Input document is not a valid ThreatExpert report.") # Create the MAEC Package package = Package() # Add the namespace to the package package.__input_namespaces__["ThreatExpertToMAEC"] = "https://github.com/MAECProject/threatexpert-to-maec" # Add the analysis for malware_subject in input_parser.maec_subjects: if options: if options.normalize_bundles: malware_subject.normalize_bundles() if options.deduplicate_bundles: malware_subject.deduplicate_bundles() if options.dereference_bundles: malware_subject.dereference_bundles() package.add_malware_subject(malware_subject) return package
def maec_s(maecs): print "maec" maec_obj = package_binding.parse(maecs) obs = Package.from_obj(maec_obj) pac = Package(obs) dic = pac.to_dict() print "name:",dic["id"]["malware_subjects"][0]["findings_bundles"]["bundle"][0]["process_tree"]["root_process"]["name"] print "pid:",dic["id"]["malware_subjects"][0]["findings_bundles"]["bundle"][0]["process_tree"]["root_process"]["pid"] print "spawned_process:",dic["id"]["malware_subjects"][0]["findings_bundles"]["bundle"][0]["process_tree"]["root_process"]["spawned_process"] print "id:",dic["id"]["malware_subjects"][0]["findings_bundles"]["bundle"][0]["process_tree"]["root_process"]["id"]
def _maec_from_dict(cls, d): if _MAEC_INSTALLED: return maecPackage.from_dict(d) raise ValueError( "Unable to parse 'maec' value in dictionary. Please " "install python-maec to parse dictionary value." )
def test_maec_wrapped_in_stix(self): maec_package = Package.from_xml(self._maec_package)[0] stix_package = wrap_maec(maec_package) stix_ttp = stix_package.ttps[0] malware_instances = stix_ttp.behavior.malware_instances wrapped_maec_package = malware_instances[0].maec self.assertEqual(wrapped_maec_package.to_xml(include_namespaces=False,pretty=False), self._wrapped_maec_package)
def merge_packages(package_list, output_file): '''Merge a list of input MAEC Packages and write them to an output Package file''' malware_subjects = [] # Instantiate the ID generator class (for automatic ID generation) NS = Namespace("https://github.com/MAECProject/python-maec", "merged") maec.utils.set_id_namespace(NS) # Build the list of Malware Subjects for package in package_list: for malware_subject in package.malware_subjects: malware_subjects.append(malware_subject) # Merge the Malware Subjects merged_subjects = merge_malware_subjects(malware_subjects) # Create a new Package with the merged Malware Subjects merged_package = Package() merged_package.malware_subjects = MalwareSubjectList(merged_subjects) # Write the Package to the output file merged_package.to_xml_file(output_file, {"https://github.com/MAECProject/python-maec":"merged"})
def create_maec(inputfile, outpath, verbose_error_mode, options): if os.path.isfile(inputfile): #Create the main parser object parser = anparser.parser() try: open_file = parser.open_file(inputfile) if not open_file: print('\nError: Error in parsing input file. Please check to ensure that it is valid XML and conforms to the Anbuis output schema.') return #Parse the file to get the actions and processes parser.parse_document() #Create the MAEC package package = Package() #Add the analysis for subject in parser.maec_subjects: package.add_malware_subject(subject) if options: if options.normalize_bundles: subject.normalize_bundles() if options.deduplicate_bundles: subject.deduplicate_bundles() if options.dereference_bundles: subject.dereference_bundles() ##Finally, Export the results package.to_xml_file(outpath, {"https://github.com/MAECProject/anubis-to-maec":"AnubisToMAEC"}) print "Wrote to " + outpath except Exception, err: print('\nError: %s\n' % str(err)) if verbose_error_mode: traceback.print_exc()
def _add_stix_ttp(self, malware_subject): """Create and add a STIX TTP for a MAEC Malware Subject. Args: malware_subject: the ``maec.malware_subject.MalwareSubject`` for which the STIX TTP will be created. Returns: The ID of the newly created STIX TTP. """ # Create the STIX TTP that includes the MAEC Instance ttp = TTP() ttp.behavior = Behavior() # Add a MAEC Package with just the Malware Subject # For capturing the identity of the malware binary that the Indicators target maec_package = Package() new_malware_subject = MalwareSubject() new_malware_subject.malware_instance_object_attributes = malware_subject.malware_instance_object_attributes maec_package.add_malware_subject(new_malware_subject) maec_malware_instance = MAECInstance() maec_malware_instance.maec = maec_package ttp.behavior.add_malware_instance(maec_malware_instance) self.stix_package.add_ttp(ttp) return ttp.id_
def from_obj(cls, obj): if not obj: return None return_obj = cls() if _MAEC_INSTALLED: obj.MAEC = maecPackage.from_obj(obj.MAEC) else: obj.MAEC = obj.MAEC return_obj = super(MAECInstance, cls).from_obj(obj) return return_obj
def from_obj(cls, obj, return_obj=None): if not obj: return None if not return_obj: return_obj = cls() super(MAECInstance, cls).from_obj(obj, return_obj) if _MAEC_INSTALLED: return_obj.maec = maecPackage.from_obj(obj.MAEC) else: return_obj.maec = obj.MAEC return return_obj
def generate_package_from_parser(input_parser, options=None): # Parse the file and perform the translation into MAEC input_parser.parse_document() # Create the MAEC Package package = Package() # Get the Malware Subject malware_subject = input_parser.malware_subject # Check for the existence of the options structure and if any are set # If so, perform the appropriate actions if options: if options.normalize_bundles: malware_subject.normalize_bundles() if options.deduplicate_bundles: malware_subject.deduplicate_bundles() if options.dereference_bundles: malware_subject.dereference_bundles() # Add the Malware Subject package.add_malware_subject(malware_subject) return package
def parse_xml(self, xml_file, check_version=True): """Creates a python-maec Bundle or Package object from the supplied xml_file. Arguments: xml_file -- A filename/path or a file-like object reprenting a MAEC instance (i.e. Package or Bundle) document check_version -- Inspect the version before parsing. """ parser = etree.ETCompatXMLParser(huge_tree=True, resolve_entities=False) tree = etree.parse(xml_file, parser=parser) api_obj = None binding_obj = self.parse_xml_to_obj(xml_file, check_version) if self.is_package: from maec.package.package import Package # resolve circular dependencies api_obj = Package.from_obj(binding_obj) elif self.is_bundle: from maec.bundle.bundle import Bundle # resolve circular dependencies api_obj = Bundle.from_obj(binding_obj) self._apply_input_namespaces(tree, api_obj) return api_obj
def generate_oval(self): #Basic input file checking if os.path.isfile(self.infilename): #Try parsing the MAEC file with both bindings package_obj = package_binding.parse(self.infilename) bundle_obj = bundle_binding.parse(self.infilename) try: sys.stdout.write('Generating ' + self.outfilename + ' from ' + self.infilename + '...') #Test whether the input is a Package or Bundle and process accordingly if bundle_obj.hasContent_(): maec_bundle = Bundle.from_obj(bundle_obj) self.process_bundle(maec_bundle) elif package_obj.hasContent_(): maec_package = Package.from_obj(package_obj) for malware_subject in maec_package.malware_subjects: for maec_bundle in malware_subject.findings_bundles.bundles: self.process_bundle(maec_bundle) #Build up the OVAL document from the parsed data and corresponding objects self.__build_oval_document() if len(self.converted_ids) > 0: #Export to the output file outfile = open(self.outfilename, 'w') self.ovaldefroot.export(outfile, 0, namespacedef_='xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:oval-def="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:win-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows" xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows http://oval.mitre.org/language/version5.7/ovaldefinition/complete/windows-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5 http://oval.mitre.org/language/version5.7/ovaldefinition/complete/oval-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-common-5 http://oval.mitre.org/language/version5.7/ovaldefinition/complete/oval-common-schema.xsd"') sys.stdout.write('Done\n') else: sys.stdout.write('no OVAL output written; 0 actions were converted.\n') if self.stat_mode: print '\n**Converted Actions**' for action_id in self.converted_ids: print 'Action ' + action_id + ' converted successfully' print '**Skipped Actions**' for action_id in self.skipped_actions: print 'Action ' + action_id + ' skipped; incompatible action/object type or missing object attributes' except Exception, err: print('\nError: %s\n' % str(err)) if self.verbose_mode: traceback.print_exc()
def from_dict(cls, d, return_obj=None): if not d: return None if not return_obj: return_obj = cls() super(MAECInstance, cls).from_dict(d, return_obj) if 'maec' in d: maec = d['maec'] if isinstance(maec, dict): if not _MAEC_INSTALLED: raise ValueError( "Unable to parse 'maec' value in dictionary. Please " "install python-maec to parse dictionary value.") return_obj.maec = maecPackage.from_dict(maec) else: parser = stix.utils.parser.get_xml_parser() return_obj.maec = etree.parse(StringIO(maec), parser=parser) return return_obj
def from_dict(cls, d, return_obj=None): if not d: return None if not return_obj: return_obj = cls() super(MAECInstance, cls).from_dict(d, return_obj) if 'maec' in d: maec = d['maec'] if isinstance(maec, dict): if not _MAEC_INSTALLED: raise ValueError( "Unable to parse 'maec' value in dictionary. Please " "install python-maec to parse dictionary value." ) return_obj.maec = maecPackage.from_dict(maec) else: parser = stix.utils.parser.get_xml_parser() return_obj.maec = etree.parse(StringIO(maec), parser=parser) return return_obj
def test_positive_stix_indicators(self): maec_package = Package.from_xml(self._maec_package_positive)[0] extractor = IndicatorExtractor(maec_package) stix_package = extractor.extract() self.assertEquals(len(stix_package.indicators), 4)
from maec.package.package import Package from maec.package.malware_subject import MalwareSubject from maec.package.analysis import Analysis from maec.bundle.bundle import Bundle from maec.bundle.malware_action import MalwareAction from maec.bundle.process_tree import ProcessTree, ProcessTreeNode from cybox.objects.win_executable_file_object import WinExecutableFile from cybox.common import ToolInformation, VocabString # サンプルの名前空間に(自動ID生成用の)IDジェネレータクラスをインスタンス化 NS = Namespace("http://example.com/", "example") maec.utils.set_id_namespace(NS) # インスタンス化:Bundle, Package, MalwareSubject, Analysis classes bundle = Bundle(defined_subject=False) package = Package() subject = MalwareSubject() analysis = Analysis() # Populate the Analysis with the metadata relating to the Analysis that was performed analysis.method = "dynamic" analysis.type_ = "triage" analysis.set_findings_bundle(bundle.id_) t = ToolInformation() t.name = "APIMonitor" t.vendor = "APIMonitor" analysis.add_tool(t) # Malware Instance Object Attribures内で使うためのオブジェクトを作成(マルウェアを含んだファイル?) subject_object = Object() #オブジェクト
def test_stix_ttp_malware_instances(self): maec_package = Package.from_xml(self._maec_package)[0] stix_package = wrap_maec(maec_package) stix_ttp = stix_package.ttps[0] malware_instances = stix_ttp.behavior.malware_instances self.assertEquals(len(malware_instances), 1)
# Code for MAEC In-depth Analysis Idiom from maec.package.package import Package from maec.package.malware_subject import MalwareSubject from maec.package.analysis import Analysis from maec.bundle.bundle import Bundle, BehaviorReference from maec.bundle.malware_action import MalwareAction from maec.bundle.capability import Capability, CapabilityObjective, CapabilityList from maec.bundle.behavior import Behavior, BehavioralActions, BehavioralActionReference from cybox.core import Object, AssociatedObject, AssociatedObjects from cybox.objects.win_executable_file_object import WinExecutableFile from cybox.objects.win_hook_object import WinHook from cybox.common import VocabString # Set up the necessary Package, Malware Subject, Analysis Bundle Instances p = Package() ms = MalwareSubject() b = Bundle() a = Analysis() # Set the Malware_Instance_Object_Attributes on the Malware Subject ms.malware_instance_object_attributes = Object() ms.malware_instance_object_attributes.properties = WinExecutableFile() ms.malware_instance_object_attributes.properties.size_in_bytes = "210564" ms.malware_instance_object_attributes.properties.add_hash("B6C39FF68346DCC8B67AA060DEFE40C2") # Populate the Analysis with the metadata relating to the Analysis that was performed a.method = "static" a.type_ = "in-depth" a.set_findings_bundle(b.id_) # Set the requisite attributes on the Bundle and populate it with the In-depth Analysis findings
def __init__(self, pefile_parser): self.pefile_parser = pefile_parser NS = Namespace("http://code.google.com/p/pefile/", "pefile") maec.utils.set_id_namespace(NS) self.package = Package() self.generate_maec()
def test_stix_ttp(self): maec_package = Package.from_xml(self._maec_package)[0] stix_package = wrap_maec(maec_package) self.assertEquals(len(stix_package.ttps), 1)
# Code for MAEC In-depth Analysis Idiom from maec.package.package import Package from maec.package.malware_subject import MalwareSubject from maec.package.analysis import Analysis from maec.bundle.bundle import Bundle, BehaviorReference from maec.bundle.malware_action import MalwareAction from maec.bundle.capability import Capability, CapabilityObjective, CapabilityList from maec.bundle.behavior import Behavior, BehavioralActions, BehavioralActionReference from cybox.core import Object, AssociatedObject, AssociatedObjects from cybox.objects.win_executable_file_object import WinExecutableFile from cybox.objects.win_hook_object import WinHook from cybox.common import VocabString # Set up the necessary Package, Malware Subject, Analysis Bundle Instances p = Package() ms = MalwareSubject() b = Bundle() a = Analysis() # Set the Malware_Instance_Object_Attributes on the Malware Subject ms.malware_instance_object_attributes = Object() ms.malware_instance_object_attributes.properties = WinExecutableFile() ms.malware_instance_object_attributes.properties.size_in_bytes = "210564" ms.malware_instance_object_attributes.properties.add_hash( "B6C39FF68346DCC8B67AA060DEFE40C2") # Populate the Analysis with the metadata relating to the Analysis that was performed a.method = "static" a.type_ = "in-depth" a.set_findings_bundle(b.id_)
class PefileToMAEC(object): def __init__(self, pefile_parser): self.pefile_parser = pefile_parser NS = Namespace("http://code.google.com/p/pefile/", "pefile") maec.utils.set_id_namespace(NS) self.package = Package() self.generate_maec() def create_object_dict(self, properties_dict): object_dict = {'id': maec.utils.idgen.create_id(prefix="object"), 'properties': properties_dict} return object_dict def populate(self, entry_dict, static_bundle, malware_subject=None): if 'file' in entry_dict and len(entry_dict['file'].keys()) > 1: file_dict = self.create_object_dict(entry_dict['file']) if malware_subject: malware_subject.malware_instance_object_attributes = Object.from_dict(file_dict) # Add the hashes for the Malware Instance Object Attributes data = open(self.pefile_parser.infile, 'rb').read() if data: md5_hash = hashlib.md5(data).hexdigest() sha1_hash = hashlib.sha1(data).hexdigest() malware_subject.malware_instance_object_attributes.properties.add_hash(md5_hash) malware_subject.malware_instance_object_attributes.properties.add_hash(sha1_hash) else: static_bundle.add_object(Object.from_dict(file_dict)) if 'pe' in entry_dict and len(entry_dict['pe'].keys()) > 1: pe_dict = self.create_object_dict(entry_dict['pe']) static_bundle.add_object(Object.from_dict(pe_dict)) def generate_analysis(self, static_bundle): analysis = Analysis() analysis.type = 'triage' analysis.method = 'static' analysis.add_tool(ToolInformation.from_dict({'id': maec.utils.idgen.create_id(prefix="tool"), 'vendor': 'Ero Carrera', 'name': 'pefile'})) findings_bundle_reference = [] if self.bundle_has_content(static_bundle): findings_bundle_reference.append(BundleReference.from_dict({'bundle_idref':static_bundle.id_})) analysis.findings_bundle_reference = findings_bundle_reference return analysis def bundle_has_content(self, bundle): if bundle.actions and len(bundle.actions) > 0: return True if bundle.objects and len(bundle.objects) > 0: return True if bundle.behaviors and len(bundle.behaviors) > 0: return True return False def generate_malware_subjects(self): entry_dict = self.pefile_parser.entry_dict malware_subject = MalwareSubject() entry_dict['id'] = malware_subject static_bundle = Bundle(None, False, '4.1', 'static analysis tool output') self.populate(entry_dict, static_bundle, malware_subject) malware_subject.add_analysis(self.generate_analysis(static_bundle)) if self.bundle_has_content(static_bundle): malware_subject.add_findings_bundle(static_bundle) self.package.add_malware_subject(malware_subject) def generate_maec(self): self.generate_malware_subjects()
from maec.bundle.bundle import Bundle from maec.bundle.malware_action import MalwareAction from maec.package.analysis import Analysis from maec.package.malware_subject import MalwareSubject from maec.package.package import Package from maec.id_generator import Generator from maec.utils import MAECNamespaceParser from cybox.core.object import Object from cybox.core.associated_object import AssociatedObject #Instantiate the ID generator class (for automatic ID generation) with our example namespace generator = Generator('example1') #Instantiate the Bundle, Package, MalwareSubject, and Analysis classes bundle = Bundle(id=generator.generate_bundle_id(), defined_subject=False) package = Package(id=generator.generate_package_id()) subject = MalwareSubject(id=generator.generate_malware_subject_id()) analysis = Analysis(id=generator.generate_analysis_id()) #Create the Subject Object Dictionary for use in the Malware Instance Object Attributes subject_object_dict = {'id' : generator.generate_object_id(), 'properties' : {'xsi:type' : 'FileObjectType', 'name' : 'foobar.exe', 'size_in_bytes' : '35532'}} #Set the Malware Instance Object Attributes with an Object constructed from the dictionary subject.set_malware_instance_object_attributes(Object.from_dict(subject_object_dict)) #Create the Associated Object Dictionary for use in the Action associated_object_dict = {'id' : generator.generate_object_id(), 'properties' : {'xsi:type' : 'FileObjectType', 'file_name' : 'abcd.dll', 'size_in_bytes' : '12346'}, 'association_type' : {'value' : 'output', 'xsi:type' : 'maecVocabs:ActionObjectAssociationTypeVocab-1.0'}} #Create the Action from another dictionary action = MalwareAction.from_dict({'id' : generator.generate_malware_action_id(), 'name' : {'value' : 'create file', 'xsi:type' : 'maecVocabs:FileActionNameVocab-1.0'}, 'associated_objects' : [associated_object_dict]}) #Add the Action to the buundle bundle.add_action(action) #Add the Bundle to the Malware Subject subject.add_findings_bundle(bundle) #Add the Malware Subject to the Package
def test_negative_stix_indicators(self): maec_package = Package.from_xml(self._maec_package_negative)[0] extractor = IndicatorExtractor(maec_package) stix_package = extractor.extract() self.assertEquals(stix_package, None)
# Code for MAEC Related Malware Idiom from maec.package.package import Package from maec.package.malware_subject import (MalwareSubject, MalwareSubjectRelationship, MalwareSubjectRelationshipList, MalwareSubjectReference) from cybox.common import VocabString from cybox.core import Object from cybox.objects.file_object import File # Set up the necessary Package and Malware Subject instances p = Package() ms1 = MalwareSubject() ms2 = MalwareSubject() ms3 = MalwareSubject() ms4 = MalwareSubject() # Set the Malware_Instance_Object_Attributes on the first Malware Subject ms1.malware_instance_object_attributes = Object() ms1.malware_instance_object_attributes.properties = File() ms1.malware_instance_object_attributes.properties.file_name = "dg003_improve_8080_V132.exe" ms1.malware_instance_object_attributes.properties.size_in_bytes = "196608" ms1.malware_instance_object_attributes.properties.add_hash("4EC0027BEF4D7E1786A04D021FA8A67F") # Set the Malware_Instance_Object_Attributes on the second Malware Subject ms2.malware_instance_object_attributes = Object() ms2.malware_instance_object_attributes.properties = File() ms2.malware_instance_object_attributes.properties.file_name = "msvcr.dll" # Set the Malware_Instance_Object_Attributes on the third Malware Subject ms3.malware_instance_object_attributes = Object() ms3.malware_instance_object_attributes.properties = File() ms3.malware_instance_object_attributes.properties.file_name = "fvcwin32.exe"
from cybox.objects.file_object import File from maec.bundle.bundle import Bundle from maec.bundle.malware_action import MalwareAction from maec.bundle.capability import Capability from maec.package.analysis import Analysis from maec.package.malware_subject import MalwareSubject from maec.package.package import Package from cybox.utils import Namespace import maec.utils # Instantiate the ID generator class (for automatic ID generation) with our example namespace NS = Namespace("http://example.com/", "example") maec.utils.set_id_namespace(NS) # Instantiate the Bundle, Package, MalwareSubject, and Analysis classes bundle = Bundle(defined_subject=False) package = Package() subject = MalwareSubject() analysis = Analysis() # Create the Object for use in the Malware Instance Object Attributes subject_object = Object() subject_object.properties = File() subject_object.properties.name = "foobar.exe" subject_object.properties.size_in_bytes = "35532" subject_object.properties.hashes = HashList() subject_object.properties.hashes.append(Hash("8743b52063cd84097a65d1633f5c74f5")) # Set the Malware Instance Object Attributes with an Object constructed from the dictionary subject.set_malware_instance_object_attributes(subject_object) # Create the Associated Object Dictionary for use in the Action associated_object = AssociatedObject() associated_object.properties = File() associated_object.properties.file_name = "abcd.dll"
def vt_report_to_maec_package(vt_report_input, options = None): """Accept a VirusTotal report (as a Python structure) and return a corresponding MAEC Package API object.""" NS = Namespace("https://github.com/MAECProject/vt-to-maec", "VirusTotalToMAEC") maec.utils.set_id_namespace(NS) package = Package() # if only one result, make it a list of one result if type(vt_report_input) != list: vt_report_list = [vt_report_input] else: vt_report_list = vt_report_input for idx, vt_report in enumerate(vt_report_list): # if VirusTotal has never seen this MD5 if vt_report["response_code"] == 0: sys.stderr.write("WARNING: Skipping file #" + str(idx+1) + " (" + vt_report["resource"] + "); this MD5 is unknown to VirusTotal\n") sys.stderr.flush(); continue if vt_report["response_code"] == -1: sys.stderr.write("WARNING: VirusTotal had an unexpected error on file #" + str(idx+1) + " (" + vt_report["resource"] + "): " + vt_report.get("verbose_message", "no message provided") + "\n") sys.stderr.flush(); continue malware_subject = MalwareSubject() # create the file object and add hashes file_dict = {} file_dict['xsi:type'] = 'WindowsExecutableFileObjectType' file_dict['hashes'] = [ {'type' : 'MD5', 'simple_hash_value': vt_report["md5"] }, {'type' : 'SHA1', 'simple_hash_value': vt_report["sha1"] }, {'type' : 'SHA256', 'simple_hash_value': vt_report["sha256"] } ] # set the object as the defined object object_dict = {} object_dict['id'] = maec.utils.idgen.create_id(prefix="object") object_dict['properties'] = file_dict # bind the object to the malware subject object malware_subject.set_malware_instance_object_attributes(Object.from_dict(object_dict)) # create the analysis and add it to the subject analysis = Analysis() analysis.type_ = 'triage' analysis.method = 'static' analysis.complete_datetime = vt_report["scan_date"].replace(" ", "T") analysis.add_tool(ToolInformation.from_dict({'id' : maec.utils.idgen.create_id(prefix="tool"), 'vendor' : 'VirusTotal', 'name' : 'VirusTotal' })) malware_subject.add_analysis(analysis) bundle_obj = Bundle() for vendor, scan in vt_report["scans"].items(): if scan["result"] is not None: bundle_obj.add_av_classification(AVClassification.from_dict({ 'classification_name' : scan["result"], 'vendor' : vendor })) # add bundle to subject, bundle to analysis, and subject to package malware_subject.add_findings_bundle(bundle_obj) analysis.set_findings_bundle(bundle_obj.id_) package.add_malware_subject(malware_subject) package.__input_namespaces__["https://github.com/MAECProject/vt-to-maec"] = "VirusTotalToMAEC" if options: if options.normalize_bundles: malware_subject.normalize_bundles() if options.deduplicate_bundles: malware_subject.deduplicate_bundles() if options.dereference_bundles: malware_subject.dereference_bundles() return package