def from_dict(observable_dict):
if not observable_dict:
return None
from cybox.core import PatternFidelity
obs = Observable()
obs.id_ = observable_dict.get('id')
obs.title = observable_dict.get('title')
obs.description = StructuredText.from_dict(
observable_dict.get('description'))
obs.object_ = Object.from_dict(observable_dict.get('object'))
obs.event = Object.from_dict(observable_dict.get('event'))
obs.observable_composition = ObservableComposition.from_dict(
observable_dict.get('observable_composition'))
obs.idref = observable_dict.get('idref')
obs.sighting_count = observable_dict.get('sighting_count')
if observable_dict.get('observable_source'):
obs.observable_source = [
MeasureSource.from_dict(x)
for x in observable_dict.get('observable_source')
]
obs.keywords = Keywords.from_dict(observable_dict.get('keywords'))
obs.pattern_fidelity = PatternFidelity.from_dict(
observable_dict.get('pattern_fidelity'))
return obs
def from_dict(object_dict):
if not object_dict:
return None
obj = Object.from_dict(object_dict, AssociatedObject())
obj.association_type = AssociationType.from_dict(
object_dict.get('association_type', None))
return obj
def populate(self, entry_dict, static_bundle, malware_subject=None):
if 'file' in entry_dict and len(entry_dict['file'].keys()) > 1:
file_dict = self.create_object_dict(entry_dict['file'])
if malware_subject:
malware_subject.malware_instance_object_attributes = Object.from_dict(file_dict)
# Add the hashes for the Malware Instance Object Attributes
data = open(self.pefile_parser.infile, 'rb').read()
if data:
md5_hash = hashlib.md5(data).hexdigest()
sha1_hash = hashlib.sha1(data).hexdigest()
malware_subject.malware_instance_object_attributes.properties.add_hash(md5_hash)
malware_subject.malware_instance_object_attributes.properties.add_hash(sha1_hash)
else:
static_bundle.add_object(Object.from_dict(file_dict))
if 'pe' in entry_dict and len(entry_dict['pe'].keys()) > 1:
pe_dict = self.create_object_dict(entry_dict['pe'])
static_bundle.add_object(Object.from_dict(pe_dict))
def populate(self, entry_dict, static_bundle, malware_subject=None):
if 'file' in entry_dict and len(entry_dict['file'].keys()) > 1:
file_dict = self.create_object_dict(entry_dict['file'])
if malware_subject:
malware_subject.malware_instance_object_attributes = Object.from_dict(file_dict)
# Add the hashes for the Malware Instance Object Attributes
data = open(self.pefile_parser.infile, 'rb').read()
if data:
md5_hash = hashlib.md5(data).hexdigest()
sha1_hash = hashlib.sha1(data).hexdigest()
malware_subject.malware_instance_object_attributes.properties.add_hash(md5_hash)
malware_subject.malware_instance_object_attributes.properties.add_hash(sha1_hash)
else:
static_bundle.add_object(Object.from_dict(file_dict))
if 'pe' in entry_dict and len(entry_dict['pe'].keys()) > 1:
pe_dict = self.create_object_dict(entry_dict['pe'])
static_bundle.add_object(Object.from_dict(pe_dict))
def from_dict(observable_dict):
if not observable_dict:
return None
obs = Observable()
obs.id_ = observable_dict.get('id')
obs.title = observable_dict.get('title')
obs.description = StructuredText.from_dict(observable_dict.get('description'))
obs.object_ = Object.from_dict(observable_dict.get('object'))
obs.event = Object.from_dict(observable_dict.get('event'))
obs.observable_composition = ObservableComposition.from_dict(observable_dict.get('observable_composition'))
obs.idref = observable_dict.get('idref')
obs.sighting_count = observable_dict.get('sighting_count')
if observable_dict.get('observable_source'):
obs.observable_source = [MeasureSource.from_dict(x) for x in observable_dict.get('observable_source')]
return obs
def from_dict(observable_dict):
if not observable_dict:
return None
from cybox.core import PatternFidelity
obs = Observable()
obs.id_ = observable_dict.get('id')
obs.title = observable_dict.get('title')
obs.description = StructuredText.from_dict(observable_dict.get('description'))
obs.object_ = Object.from_dict(observable_dict.get('object'))
obs.event = Object.from_dict(observable_dict.get('event'))
obs.observable_composition = ObservableComposition.from_dict(observable_dict.get('observable_composition'))
obs.idref = observable_dict.get('idref')
obs.sighting_count = observable_dict.get('sighting_count')
if observable_dict.get('observable_source'):
obs.observable_source = [MeasureSource.from_dict(x) for x in observable_dict.get('observable_source')]
obs.keywords = Keywords.from_dict(observable_dict.get('keywords'))
obs.pattern_fidelity = PatternFidelity.from_dict(observable_dict.get('pattern_fidelity'))
return obs
def from_dict(observable_dict):
if not observable_dict:
return None
obs = Observable()
obs.id_ = observable_dict.get('id')
obs.title = observable_dict.get('title')
obs.description = StructuredText.from_dict(observable_dict.get('description'))
obs.object_ = Object.from_dict(observable_dict.get('object'))
obs.observable_composition = ObservableComposition.from_dict(observable_dict.get('observable_composition'))
obs.idref = observable_dict.get('idref')
return obs
def from_dict(malware_subject_dict):
if not malware_subject_dict:
return None
malware_subject_ = MalwareSubject(None)
malware_subject_.id = malware_subject_dict.get('id')
malware_subject_.malware_instance_object_attributes = Object.from_dict(malware_subject_dict.get('malware_instance_object_attributes'))
malware_subject_.minor_variants = MinorVariants.from_list(malware_subject_dict.get('minor_variants'))
malware_subject_.configuration_details = MalwareConfigurationDetails.from_dict(malware_subject_dict.get('configuration_details'))
malware_subject_.development_environment = MalwareDevelopmentEnvironment.from_dict(malware_subject_dict.get('development_environment'))
malware_subject_.field_data = None #TODO: add support
malware_subject_.analyses = Analyses.from_list(malware_subject_dict.get('analyses'))
malware_subject_.findings_bundles = FindingsBundleList.from_dict(malware_subject_dict.get('findings_bundles'))
malware_subject_.relationships = MalwareSubjectRelationshipList.from_list(malware_subject_dict.get('id'))
if malware_subject_dict.get('label'):
malware_subject_.label = [VocabString.from_dict(x) for x in malware_subject_dict.get('label')]
if malware_subject_dict.get('compatible_platform'):
malware_subject_.compatible_platform = [PlatformSpecification.from_dict(x) for x in malware_subject_dict.get('compatible_platform')]
return malware_subject_
def merge_binned_malware_subjects(merged_malware_subject, binned_list, id_mappings_dict):
'''Merge a list of input binned (related) Malware Subjects'''
# Merge the Malware_Instance_Object_Attributes
mal_inst_obj_list = [x.malware_instance_object_attributes for x in binned_list]
merged_inst_obj = Object.from_dict(merge_entities(mal_inst_obj_list))
# Give the merged Object a new ID
merged_inst_obj.id_ = maec.utils.idgen.create_id('object')
# Deduplicate the hash values, if they exist
if merged_inst_obj.properties and merged_inst_obj.properties.hashes:
hashes = merged_inst_obj.properties.hashes
hashes = HashList(deduplicate_vocabulary_list(hashes, value_name = 'simple_hash_value'))
hashes = HashList(deduplicate_vocabulary_list(hashes, value_name = 'fuzzy_hash_value'))
merged_inst_obj.properties.hashes = hashes
# Merge and deduplicate the labels
merged_labels = list(itertools.chain(*[x.label for x in binned_list if x.label]))
deduplicated_labels = deduplicate_vocabulary_list(merged_labels)
# Merge the configuration details
config_details_list = [x.configuration_details for x in binned_list if x.configuration_details]
merged_config_details = None
if config_details_list:
merged_config_details = MalwareConfigurationDetails.from_dict(merge_entities(config_details_list))
# Merge the minor variants
merged_minor_variants = list(itertools.chain(*[x.minor_variants for x in binned_list if x.minor_variants]))
# Merge the field data # TODO: Add support. Not implemented in the APIs.
# Merge the analyses
merged_analyses = list(itertools.chain(*[x.analyses for x in binned_list if x.analyses]))
# Merge the findings bundles
merged_findings_bundles = merge_findings_bundles([x.findings_bundles for x in binned_list if x.findings_bundles])
# Merge the relationships
merged_relationships = list(itertools.chain(*[x.relationships for x in binned_list if x.relationships]))
# Merge the compatible platforms
merged_compatible_platforms = list(itertools.chain(*[x.compatible_platform for x in binned_list if x.compatible_platform]))
# Build the merged Malware Subject
merged_malware_subject.malware_instance_object_attributes = merged_inst_obj
if deduplicated_labels: merged_malware_subject.label = deduplicated_labels
if merged_config_details: merged_malware_subject.configuration_details = merged_config_details
if merged_minor_variants: merged_malware_subject.minor_variants = MinorVariants(merged_minor_variants)
if merged_analyses: merged_malware_subject.analyses = Analyses(merged_analyses)
if merged_findings_bundles: merged_malware_subject.findings_bundles = merged_findings_bundles
if merged_relationships: merged_malware_subject.relationships = MalwareSubjectRelationshipList(merged_relationships)
if merged_compatible_platforms: merged_malware_subject.compatible_platform = merged_compatible_platforms
def from_dict(bundle_dict):
if not bundle_dict:
return None
bundle_ = Bundle(None, None)
bundle_.id = bundle_dict.get('id')
bundle_.schema_version = bundle_dict.get('schema_version')
bundle_.defined_subject = bundle_dict.get('defined_subject')
bundle_.content_type = bundle_dict.get('content_type')
bundle_.timestamp = datetime.datetime.strptime(bundle_dict.get('timestamp'), "%Y-%m-%dT%H:%M:%S.%f")
bundle_.malware_instance_object_attributes = Object.from_dict(bundle_dict.get('malware_instance_object_attributes'))
bundle_.av_classifications = AVClassifications.from_list(bundle_dict.get('av_classifications'))
bundle_.process_tree = ProcessTree.from_dict(bundle_dict.get('process_tree'))
bundle_.behaviors = BehaviorList.from_list(bundle_dict.get('behaviors', []))
bundle_.capabilities = CapabilityList.from_dict(bundle_dict.get('capabilities'))
bundle_.actions = ActionList.from_list(bundle_dict.get('actions', []))
bundle_.objects = ObjectList.from_list(bundle_dict.get('objects', []))
bundle_.candidate_indicators = CandidateIndicatorList.from_list(bundle_dict.get('candidate_indicators', []))
bundle_.collections = Collections.from_dict(bundle_dict.get('collections'))
return bundle_
def from_dict(bundle_dict):
if not bundle_dict:
return None
bundle_ = Bundle(None, None)
bundle_.id = bundle_dict.get("id")
bundle_.schema_version = bundle_dict.get("schema_version")
bundle_.defined_subject = bundle_dict.get("defined_subject")
bundle_.content_type = bundle_dict.get("content_type")
bundle_.timestamp = datetime.datetime.strptime(bundle_dict.get("timestamp"), "%Y-%m-%dT%H:%M:%S.%f")
bundle_.malware_instance_object_attributes = Object.from_dict(
bundle_dict.get("malware_instance_object_attributes")
)
bundle_.av_classifications = AVClassifications.from_list(bundle_dict.get("av_classifications"))
bundle_.process_tree = ProcessTree.from_dict(bundle_dict.get("process_tree"))
bundle_.behaviors = BehaviorList.from_list(bundle_dict.get("behaviors", []))
bundle_.capabilities = CapabilityList.from_dict(bundle_dict.get("capabilities"))
bundle_.actions = ActionList.from_list(bundle_dict.get("actions", []))
bundle_.objects = ObjectList.from_list(bundle_dict.get("objects", []))
bundle_.candidate_indicators = CandidateIndicatorList.from_list(bundle_dict.get("candidate_indicators", []))
bundle_.collections = Collections.from_dict(bundle_dict.get("collections"))
return bundle_
def from_dict(object_dict):
if not object_dict:
return None
obj = Object.from_dict(object_dict, AssociatedObject())
obj.association_type_ = VocabString.from_dict(object_dict.get('association_type', None))
return obj
def merge_binned_malware_subjects(merged_malware_subject, binned_list,
id_mappings_dict):
'''Merge a list of input binned (related) Malware Subjects'''
# Merge the Malware_Instance_Object_Attributes
mal_inst_obj_list = [
x.malware_instance_object_attributes for x in binned_list
]
merged_inst_obj = Object.from_dict(merge_entities(mal_inst_obj_list))
# Give the merged Object a new ID
merged_inst_obj.id_ = idgen.create_id('object')
# Deduplicate the hash values, if they exist
if merged_inst_obj.properties and merged_inst_obj.properties.hashes:
hashes = merged_inst_obj.properties.hashes
hashes = HashList(
deduplicate_vocabulary_list(hashes,
value_name='simple_hash_value'))
hashes = HashList(
deduplicate_vocabulary_list(hashes, value_name='fuzzy_hash_value'))
merged_inst_obj.properties.hashes = hashes
# Merge and deduplicate the labels
merged_labels = list(
itertools.chain(*[x.label for x in binned_list if x.label]))
deduplicated_labels = deduplicate_vocabulary_list(merged_labels)
# Merge the configuration details
config_details_list = [
x.configuration_details for x in binned_list if x.configuration_details
]
merged_config_details = None
if config_details_list:
merged_config_details = MalwareConfigurationDetails.from_dict(
merge_entities(config_details_list))
# Merge the minor variants
merged_minor_variants = list(
itertools.chain(
*[x.minor_variants for x in binned_list if x.minor_variants]))
# Merge the field data # TODO: Add support. Not implemented in the APIs.
# Merge the analyses
merged_analyses = list(
itertools.chain(*[x.analyses for x in binned_list if x.analyses]))
# Merge the findings bundles
merged_findings_bundles = merge_findings_bundles(
[x.findings_bundles for x in binned_list if x.findings_bundles])
# Merge the relationships
merged_relationships = list(
itertools.chain(
*[x.relationships for x in binned_list if x.relationships]))
# Merge the compatible platforms
merged_compatible_platforms = list(
itertools.chain(*[
x.compatible_platform for x in binned_list if x.compatible_platform
]))
# Build the merged Malware Subject
merged_malware_subject.malware_instance_object_attributes = merged_inst_obj
if deduplicated_labels: merged_malware_subject.label = deduplicated_labels
if merged_config_details:
merged_malware_subject.configuration_details = merged_config_details
if merged_minor_variants:
merged_malware_subject.minor_variants = MinorVariants(
merged_minor_variants)
if merged_analyses:
merged_malware_subject.analyses = Analyses(merged_analyses)
if merged_findings_bundles:
merged_malware_subject.findings_bundles = merged_findings_bundles
if merged_relationships:
merged_malware_subject.relationships = MalwareSubjectRelationshipList(
merged_relationships)
if merged_compatible_platforms:
merged_malware_subject.compatible_platform = merged_compatible_platforms
