def from_dict(observable_dict): if not observable_dict: return None from cybox.core import PatternFidelity obs = Observable() obs.id_ = observable_dict.get('id') obs.title = observable_dict.get('title') obs.description = StructuredText.from_dict( observable_dict.get('description')) obs.object_ = Object.from_dict(observable_dict.get('object')) obs.event = Object.from_dict(observable_dict.get('event')) obs.observable_composition = ObservableComposition.from_dict( observable_dict.get('observable_composition')) obs.idref = observable_dict.get('idref') obs.sighting_count = observable_dict.get('sighting_count') if observable_dict.get('observable_source'): obs.observable_source = [ MeasureSource.from_dict(x) for x in observable_dict.get('observable_source') ] obs.keywords = Keywords.from_dict(observable_dict.get('keywords')) obs.pattern_fidelity = PatternFidelity.from_dict( observable_dict.get('pattern_fidelity')) return obs
def from_dict(object_dict): if not object_dict: return None obj = Object.from_dict(object_dict, AssociatedObject()) obj.association_type = AssociationType.from_dict( object_dict.get('association_type', None)) return obj
def populate(self, entry_dict, static_bundle, malware_subject=None): if 'file' in entry_dict and len(entry_dict['file'].keys()) > 1: file_dict = self.create_object_dict(entry_dict['file']) if malware_subject: malware_subject.malware_instance_object_attributes = Object.from_dict(file_dict) # Add the hashes for the Malware Instance Object Attributes data = open(self.pefile_parser.infile, 'rb').read() if data: md5_hash = hashlib.md5(data).hexdigest() sha1_hash = hashlib.sha1(data).hexdigest() malware_subject.malware_instance_object_attributes.properties.add_hash(md5_hash) malware_subject.malware_instance_object_attributes.properties.add_hash(sha1_hash) else: static_bundle.add_object(Object.from_dict(file_dict)) if 'pe' in entry_dict and len(entry_dict['pe'].keys()) > 1: pe_dict = self.create_object_dict(entry_dict['pe']) static_bundle.add_object(Object.from_dict(pe_dict))
def from_dict(observable_dict): if not observable_dict: return None obs = Observable() obs.id_ = observable_dict.get('id') obs.title = observable_dict.get('title') obs.description = StructuredText.from_dict(observable_dict.get('description')) obs.object_ = Object.from_dict(observable_dict.get('object')) obs.event = Object.from_dict(observable_dict.get('event')) obs.observable_composition = ObservableComposition.from_dict(observable_dict.get('observable_composition')) obs.idref = observable_dict.get('idref') obs.sighting_count = observable_dict.get('sighting_count') if observable_dict.get('observable_source'): obs.observable_source = [MeasureSource.from_dict(x) for x in observable_dict.get('observable_source')] return obs
def from_dict(observable_dict): if not observable_dict: return None from cybox.core import PatternFidelity obs = Observable() obs.id_ = observable_dict.get('id') obs.title = observable_dict.get('title') obs.description = StructuredText.from_dict(observable_dict.get('description')) obs.object_ = Object.from_dict(observable_dict.get('object')) obs.event = Object.from_dict(observable_dict.get('event')) obs.observable_composition = ObservableComposition.from_dict(observable_dict.get('observable_composition')) obs.idref = observable_dict.get('idref') obs.sighting_count = observable_dict.get('sighting_count') if observable_dict.get('observable_source'): obs.observable_source = [MeasureSource.from_dict(x) for x in observable_dict.get('observable_source')] obs.keywords = Keywords.from_dict(observable_dict.get('keywords')) obs.pattern_fidelity = PatternFidelity.from_dict(observable_dict.get('pattern_fidelity')) return obs
def from_dict(observable_dict): if not observable_dict: return None obs = Observable() obs.id_ = observable_dict.get('id') obs.title = observable_dict.get('title') obs.description = StructuredText.from_dict(observable_dict.get('description')) obs.object_ = Object.from_dict(observable_dict.get('object')) obs.observable_composition = ObservableComposition.from_dict(observable_dict.get('observable_composition')) obs.idref = observable_dict.get('idref') return obs
def from_dict(malware_subject_dict): if not malware_subject_dict: return None malware_subject_ = MalwareSubject(None) malware_subject_.id = malware_subject_dict.get('id') malware_subject_.malware_instance_object_attributes = Object.from_dict(malware_subject_dict.get('malware_instance_object_attributes')) malware_subject_.minor_variants = MinorVariants.from_list(malware_subject_dict.get('minor_variants')) malware_subject_.configuration_details = MalwareConfigurationDetails.from_dict(malware_subject_dict.get('configuration_details')) malware_subject_.development_environment = MalwareDevelopmentEnvironment.from_dict(malware_subject_dict.get('development_environment')) malware_subject_.field_data = None #TODO: add support malware_subject_.analyses = Analyses.from_list(malware_subject_dict.get('analyses')) malware_subject_.findings_bundles = FindingsBundleList.from_dict(malware_subject_dict.get('findings_bundles')) malware_subject_.relationships = MalwareSubjectRelationshipList.from_list(malware_subject_dict.get('id')) if malware_subject_dict.get('label'): malware_subject_.label = [VocabString.from_dict(x) for x in malware_subject_dict.get('label')] if malware_subject_dict.get('compatible_platform'): malware_subject_.compatible_platform = [PlatformSpecification.from_dict(x) for x in malware_subject_dict.get('compatible_platform')] return malware_subject_
def merge_binned_malware_subjects(merged_malware_subject, binned_list, id_mappings_dict): '''Merge a list of input binned (related) Malware Subjects''' # Merge the Malware_Instance_Object_Attributes mal_inst_obj_list = [x.malware_instance_object_attributes for x in binned_list] merged_inst_obj = Object.from_dict(merge_entities(mal_inst_obj_list)) # Give the merged Object a new ID merged_inst_obj.id_ = maec.utils.idgen.create_id('object') # Deduplicate the hash values, if they exist if merged_inst_obj.properties and merged_inst_obj.properties.hashes: hashes = merged_inst_obj.properties.hashes hashes = HashList(deduplicate_vocabulary_list(hashes, value_name = 'simple_hash_value')) hashes = HashList(deduplicate_vocabulary_list(hashes, value_name = 'fuzzy_hash_value')) merged_inst_obj.properties.hashes = hashes # Merge and deduplicate the labels merged_labels = list(itertools.chain(*[x.label for x in binned_list if x.label])) deduplicated_labels = deduplicate_vocabulary_list(merged_labels) # Merge the configuration details config_details_list = [x.configuration_details for x in binned_list if x.configuration_details] merged_config_details = None if config_details_list: merged_config_details = MalwareConfigurationDetails.from_dict(merge_entities(config_details_list)) # Merge the minor variants merged_minor_variants = list(itertools.chain(*[x.minor_variants for x in binned_list if x.minor_variants])) # Merge the field data # TODO: Add support. Not implemented in the APIs. # Merge the analyses merged_analyses = list(itertools.chain(*[x.analyses for x in binned_list if x.analyses])) # Merge the findings bundles merged_findings_bundles = merge_findings_bundles([x.findings_bundles for x in binned_list if x.findings_bundles]) # Merge the relationships merged_relationships = list(itertools.chain(*[x.relationships for x in binned_list if x.relationships])) # Merge the compatible platforms merged_compatible_platforms = list(itertools.chain(*[x.compatible_platform for x in binned_list if x.compatible_platform])) # Build the merged Malware Subject merged_malware_subject.malware_instance_object_attributes = merged_inst_obj if deduplicated_labels: merged_malware_subject.label = deduplicated_labels if merged_config_details: merged_malware_subject.configuration_details = merged_config_details if merged_minor_variants: merged_malware_subject.minor_variants = MinorVariants(merged_minor_variants) if merged_analyses: merged_malware_subject.analyses = Analyses(merged_analyses) if merged_findings_bundles: merged_malware_subject.findings_bundles = merged_findings_bundles if merged_relationships: merged_malware_subject.relationships = MalwareSubjectRelationshipList(merged_relationships) if merged_compatible_platforms: merged_malware_subject.compatible_platform = merged_compatible_platforms
def from_dict(bundle_dict): if not bundle_dict: return None bundle_ = Bundle(None, None) bundle_.id = bundle_dict.get('id') bundle_.schema_version = bundle_dict.get('schema_version') bundle_.defined_subject = bundle_dict.get('defined_subject') bundle_.content_type = bundle_dict.get('content_type') bundle_.timestamp = datetime.datetime.strptime(bundle_dict.get('timestamp'), "%Y-%m-%dT%H:%M:%S.%f") bundle_.malware_instance_object_attributes = Object.from_dict(bundle_dict.get('malware_instance_object_attributes')) bundle_.av_classifications = AVClassifications.from_list(bundle_dict.get('av_classifications')) bundle_.process_tree = ProcessTree.from_dict(bundle_dict.get('process_tree')) bundle_.behaviors = BehaviorList.from_list(bundle_dict.get('behaviors', [])) bundle_.capabilities = CapabilityList.from_dict(bundle_dict.get('capabilities')) bundle_.actions = ActionList.from_list(bundle_dict.get('actions', [])) bundle_.objects = ObjectList.from_list(bundle_dict.get('objects', [])) bundle_.candidate_indicators = CandidateIndicatorList.from_list(bundle_dict.get('candidate_indicators', [])) bundle_.collections = Collections.from_dict(bundle_dict.get('collections')) return bundle_
def from_dict(bundle_dict): if not bundle_dict: return None bundle_ = Bundle(None, None) bundle_.id = bundle_dict.get("id") bundle_.schema_version = bundle_dict.get("schema_version") bundle_.defined_subject = bundle_dict.get("defined_subject") bundle_.content_type = bundle_dict.get("content_type") bundle_.timestamp = datetime.datetime.strptime(bundle_dict.get("timestamp"), "%Y-%m-%dT%H:%M:%S.%f") bundle_.malware_instance_object_attributes = Object.from_dict( bundle_dict.get("malware_instance_object_attributes") ) bundle_.av_classifications = AVClassifications.from_list(bundle_dict.get("av_classifications")) bundle_.process_tree = ProcessTree.from_dict(bundle_dict.get("process_tree")) bundle_.behaviors = BehaviorList.from_list(bundle_dict.get("behaviors", [])) bundle_.capabilities = CapabilityList.from_dict(bundle_dict.get("capabilities")) bundle_.actions = ActionList.from_list(bundle_dict.get("actions", [])) bundle_.objects = ObjectList.from_list(bundle_dict.get("objects", [])) bundle_.candidate_indicators = CandidateIndicatorList.from_list(bundle_dict.get("candidate_indicators", [])) bundle_.collections = Collections.from_dict(bundle_dict.get("collections")) return bundle_
def from_dict(object_dict): if not object_dict: return None obj = Object.from_dict(object_dict, AssociatedObject()) obj.association_type_ = VocabString.from_dict(object_dict.get('association_type', None)) return obj
def merge_binned_malware_subjects(merged_malware_subject, binned_list, id_mappings_dict): '''Merge a list of input binned (related) Malware Subjects''' # Merge the Malware_Instance_Object_Attributes mal_inst_obj_list = [ x.malware_instance_object_attributes for x in binned_list ] merged_inst_obj = Object.from_dict(merge_entities(mal_inst_obj_list)) # Give the merged Object a new ID merged_inst_obj.id_ = idgen.create_id('object') # Deduplicate the hash values, if they exist if merged_inst_obj.properties and merged_inst_obj.properties.hashes: hashes = merged_inst_obj.properties.hashes hashes = HashList( deduplicate_vocabulary_list(hashes, value_name='simple_hash_value')) hashes = HashList( deduplicate_vocabulary_list(hashes, value_name='fuzzy_hash_value')) merged_inst_obj.properties.hashes = hashes # Merge and deduplicate the labels merged_labels = list( itertools.chain(*[x.label for x in binned_list if x.label])) deduplicated_labels = deduplicate_vocabulary_list(merged_labels) # Merge the configuration details config_details_list = [ x.configuration_details for x in binned_list if x.configuration_details ] merged_config_details = None if config_details_list: merged_config_details = MalwareConfigurationDetails.from_dict( merge_entities(config_details_list)) # Merge the minor variants merged_minor_variants = list( itertools.chain( *[x.minor_variants for x in binned_list if x.minor_variants])) # Merge the field data # TODO: Add support. Not implemented in the APIs. # Merge the analyses merged_analyses = list( itertools.chain(*[x.analyses for x in binned_list if x.analyses])) # Merge the findings bundles merged_findings_bundles = merge_findings_bundles( [x.findings_bundles for x in binned_list if x.findings_bundles]) # Merge the relationships merged_relationships = list( itertools.chain( *[x.relationships for x in binned_list if x.relationships])) # Merge the compatible platforms merged_compatible_platforms = list( itertools.chain(*[ x.compatible_platform for x in binned_list if x.compatible_platform ])) # Build the merged Malware Subject merged_malware_subject.malware_instance_object_attributes = merged_inst_obj if deduplicated_labels: merged_malware_subject.label = deduplicated_labels if merged_config_details: merged_malware_subject.configuration_details = merged_config_details if merged_minor_variants: merged_malware_subject.minor_variants = MinorVariants( merged_minor_variants) if merged_analyses: merged_malware_subject.analyses = Analyses(merged_analyses) if merged_findings_bundles: merged_malware_subject.findings_bundles = merged_findings_bundles if merged_relationships: merged_malware_subject.relationships = MalwareSubjectRelationshipList( merged_relationships) if merged_compatible_platforms: merged_malware_subject.compatible_platform = merged_compatible_platforms