def associated(name,path,byte,value="output"): associated_object = AssociatedObject() associated_object.properties = File() associated_object.properties.file_name = name associated_object.properties.file_path = path associated_object.properties.size_in_bytes = byte associated_object.association_type = VocabString() #これはなんだ? associated_object.association_type.value = value associated_object.association_type.xsi_type = 'maecVocabs:ActionObjectAssociationTypeVocab-1.0' return associated_object
def registry_reads(registry):
a = MalwareAction()
ao = AssociatedObject()
a.name = "Read Registry Key Value"
a.type_= "Read"
ao.properties = win_registry_key_object.WinRegistryKey()
ao.properties.key = registry["key"]
if registry.has_key("data"):
value = win_registry_key_object.RegistryValue()
if registry.has_key("value"):
value.name = registry["value"]
value.data = registry["data"]
values = win_registry_key_object.RegistryValues([value])
ao.properties.values = values
ao.association_type = VocabString()
ao.association_type.value = ""
ao.association_type.xsi_type = "maecVocabs:ActionObjectAssociationTypeVocab-1.0"
a.associated_objects = AssociatedObjects()
a.associated_objects.append(ao)
return a
from maec.bundle.malware_action import MalwareAction from maec.utils import IDGenerator, set_id_method from cybox.core import Object, AssociatedObjects, AssociatedObject, AssociationType from cybox.objects.file_object import File # Instantiate the MAEC/CybOX Entities set_id_method(IDGenerator.METHOD_INT) b = Bundle() a = MalwareAction() ao = AssociatedObject() # Build the Associated Object for use in the Action ao.properties = File() ao.properties.file_name = "badware.exe" ao.properties.size_in_bytes = "123456" ao.association_type = AssociationType() ao.association_type.value = 'output' ao.association_type.xsi_type = 'maecVocabs:ActionObjectAssociationTypeVocab-1.0' # Build the Action and add the Associated Object to it a.name = 'create file' a.name.xsi_type = 'maecVocabs:FileActionNameVocab-1.0' a.associated_objects = AssociatedObjects() a.associated_objects.append(ao) # Add the Action to the Bundle b.add_action(a) # Output the Bundle to stdout print b.to_xml(include_namespaces = False)
a.add_tool(t) # Set the requisite attributes on the Bundle and populate it with the Dynamic Analysis findings b.defined_subject = False b.content_type = "dynamic analysis tool output" # Create the first, create file action act1 = MalwareAction() act1.name = "create file" act1.name.xsi_type = "FileActionNameVocab-1.1" act1.associated_objects = AssociatedObjects() o1 = AssociatedObject() o1.properties = WinExecutableFile() o1.properties.file_name = "Zcxaxz.exe" o1.properties.size_in_bytes = "332288" o1.association_type = VocabString() o1.association_type.value = "output" o1.association_type.xsi_type = "maecVocabs:ActionObjectAssociationTypeVocab-1.0" act1.associated_objects.append(o1) # Create the second, create mutex action act2 = MalwareAction() act2.name = "create mutex" act2.name.xsi_type = "SynchronizationActionNameVocab-1.0" act2.associated_objects = AssociatedObjects() o2 = AssociatedObject() o2.properties = WinMutex() o2.properties.name = "redem-Mutex" o2.association_type = VocabString() o2.association_type.value = "output" o2.association_type.xsi_type = "maecVocabs:ActionObjectAssociationTypeVocab-1.0"
analysis = Analysis()
# Create the Object for use in the Malware Instance Object Attributes
subject_object = Object()
subject_object.properties = File()
subject_object.properties.name = 'foobar.exe'
subject_object.properties.size_in_bytes = '35532'
subject_object.properties.hashes = HashList()
subject_object.properties.hashes.append(Hash("8743b52063cd84097a65d1633f5c74f5"))
# Set the Malware Instance Object Attributes with an Object constructed from the dictionary
subject.set_malware_instance_object_attributes(subject_object)
# Create the Associated Object Dictionary for use in the Action
associated_object = AssociatedObject()
associated_object.properties = File()
associated_object.properties.file_name = 'abcd.dll'
associated_object.properties.size_in_bytes = '123456'
associated_object.association_type = VocabString()
associated_object.association_type.value = 'output'
associated_object.association_type.xsi_type = 'maecVocabs:ActionObjectAssociationTypeVocab-1.0'
# Create the Action from another dictionary
action = MalwareAction()
action.name = VocabString()
action.name.value = 'create file'
action.name.xsi_type = 'maecVocabs:FileActionNameVocab-1.0'
action.associated_objects = AssociatedObjects()
action.associated_objects.append(associated_object)
# Add the Action to the Bundle
bundle.add_action(action)
# Create the Capability from another dictionary
capability = Capability()
capability.name = 'persistence'
# Add the Capability to the Bundle
a.add_tool(t) # Set the requisite attributes on the Bundle and populate it with the Dynamic Analysis findings b.defined_subject = False b.content_type = "dynamic analysis tool output" # Create the create file action initiated by the root process act1 = MalwareAction() act1.name = "create file" act1.name.xsi_type = "FileActionNameVocab-1.1" act1.associated_objects = AssociatedObjects() o1 = AssociatedObject() o1.properties = WinExecutableFile() o1.properties.file_name = "Zcxaxz.exe" o1.properties.size_in_bytes = "332288" o1.association_type = VocabString() o1.association_type.value = "output" o1.association_type.xsi_type = "maecVocabs:ActionObjectAssociationTypeVocab-1.0" act1.associated_objects.append(o1) # Create the Process Tree p_tree = ProcessTree() # Create the root process root_p = ProcessTreeNode() root_p.name = "first_process.exe" root_p.add_initiated_action(act1.id_) # Create the spawned process spawned_p = ProcessTreeNode() spawned_p.name = "malproc.exe"
# Create the Object for use in the Malware Instance Object Attributes
subject_object = Object()
subject_object.properties = File()
subject_object.properties.name = 'foobar.exe'
subject_object.properties.size_in_bytes = '35532'
subject_object.properties.hashes = HashList()
subject_object.properties.hashes.append(
Hash("8743b52063cd84097a65d1633f5c74f5"))
# Set the Malware Instance Object Attributes with an Object constructed from the dictionary
subject.set_malware_instance_object_attributes(subject_object)
# Create the Associated Object Dictionary for use in the Action
associated_object = AssociatedObject()
associated_object.properties = File()
associated_object.properties.file_name = 'abcd.dll'
associated_object.properties.size_in_bytes = '123456'
associated_object.association_type = VocabString()
associated_object.association_type.value = 'output'
associated_object.association_type.xsi_type = 'maecVocabs:ActionObjectAssociationTypeVocab-1.0'
# Create the Action from another dictionary
action = MalwareAction()
action.name = VocabString()
action.name.value = 'create file'
action.name.xsi_type = 'maecVocabs:FileActionNameVocab-1.0'
action.associated_objects = AssociatedObjects()
action.associated_objects.append(associated_object)
# Add the Action to the Bundle
bundle.add_action(action)
# Create the Capability from another dictionary
capability = Capability()
capability.name = 'persistence'
# Add the Capability to the Bundle
analysis = Analysis()
# Create the Object for use in the Malware Instance Object Attributes
subject_object = Object()
subject_object.properties = File()
subject_object.properties.name = "foobar.exe"
subject_object.properties.size_in_bytes = "35532"
subject_object.properties.hashes = HashList()
subject_object.properties.hashes.append(Hash("8743b52063cd84097a65d1633f5c74f5"))
# Set the Malware Instance Object Attributes with an Object constructed from the dictionary
subject.set_malware_instance_object_attributes(subject_object)
# Create the Associated Object Dictionary for use in the Action
associated_object = AssociatedObject()
associated_object.properties = File()
associated_object.properties.file_name = "abcd.dll"
associated_object.properties.size_in_bytes = "123456"
associated_object.association_type = AssociationType()
associated_object.association_type.value = "output"
associated_object.association_type.xsi_type = "maecVocabs:ActionObjectAssociationTypeVocab-1.0"
# Create the Action from another dictionary
action = MalwareAction()
action.name = "create file"
action.name.xsi_type = "maecVocabs:FileActionNameVocab-1.0"
action.associated_objects = AssociatedObjects()
action.associated_objects.append(associated_object)
# Add the Action to the Bundle
bundle.add_action(action)
# Create the Capability from another dictionary
capability = Capability()
capability.name = "persistence"
# Add the Capability to the Bundle
bundle.add_capability(capability)
