def test_round_trip(self):
    """An Analysis with a fully populated Source and a start time must
    come back from a serialization round trip with an equal dict form."""
    original = Analysis()
    original.source = Source()
    # Fill in the Source through the attribute on the Analysis, field by field.
    source_fields = (
        ("name", "ThreatExpert"),
        ("organization", "ThreatExpert"),
        ("method", "triage"),
        ("url", "http://www.threatexpert.com"),
    )
    for field_name, value in source_fields:
        setattr(original.source, field_name, value)
    original.start_datetime = "2014-08-06T18:30:00"

    restored = round_trip(original, True)
    self.assertEqual(original.to_dict(), restored.to_dict())
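def generate_analysis(self, static_bundle):
    """Build the MAEC Analysis record for this static (pefile-based) triage.

    Args:
        static_bundle: the Bundle holding the pefile findings.  It is only
            referenced from the Analysis when ``self.bundle_has_content``
            reports that it actually carries content.

    Returns:
        A new Analysis tagged as a static triage, crediting pefile as the
        tool, with ``findings_bundle_reference`` set to a one-element list
        pointing at ``static_bundle`` (or to an empty list).
    """
    analysis = Analysis()
    # The Analysis type is exposed as ``type_`` (every other Analysis in this
    # corpus, including the VirusTotal converter, sets it that way); a bare
    # ``.type`` attribute is not the typed field and would most likely be
    # dropped on serialization.
    analysis.type_ = 'triage'
    analysis.method = 'static'
    analysis.add_tool(ToolInformation.from_dict({
        'id': maec.utils.idgen.create_id(prefix="tool"),
        'vendor': 'Ero Carrera',
        'name': 'pefile',
    }))
    # An empty bundle gets no reference, so the output never points at a
    # findings bundle with nothing in it.
    references = []
    if self.bundle_has_content(static_bundle):
        references.append(
            BundleReference.from_dict({'bundle_idref': static_bundle.id_}))
    analysis.findings_bundle_reference = references
    return analysis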
# Code for MAEC Dynamic Analysis Idiom from maec.package.package import Package from maec.package.malware_subject import MalwareSubject from maec.package.analysis import Analysis from maec.bundle.bundle import Bundle from maec.bundle.malware_action import MalwareAction from cybox.core import Object, AssociatedObject, AssociatedObjects from cybox.objects.win_executable_file_object import WinExecutableFile from cybox.objects.win_mutex_object import WinMutex from cybox.common import ToolInformation, VocabString # Set up the necessary Package, Malware Subject, Analysis Bundle Instances p = Package() ms = MalwareSubject() b = Bundle() a = Analysis() # Set the Malware_Instance_Object_Attributes on the Malware Subject ms.malware_instance_object_attributes = Object() ms.malware_instance_object_attributes.properties = WinExecutableFile() ms.malware_instance_object_attributes.properties.size_in_bytes = "210564" ms.malware_instance_object_attributes.properties.add_hash( "B6C39FF68346DCC8B67AA060DEFE40C2") ms.malware_instance_object_attributes.properties.add_hash( "D55B0FB96FAD96D203D10850469489FC03E6F2F7") # Populate the Analysis with the metadata relating to the Analysis that was performed a.method = "dynamic" a.type_ = "triage" a.set_findings_bundle(b.id_) t = ToolInformation()
# Code for MAEC Process Tree Idiom from maec.package.package import Package from maec.package.malware_subject import MalwareSubject from maec.package.analysis import Analysis from maec.bundle.bundle import Bundle from maec.bundle.malware_action import MalwareAction from maec.bundle.process_tree import ProcessTree, ProcessTreeNode from cybox.core import Object, AssociatedObject, AssociatedObjects from cybox.objects.win_executable_file_object import WinExecutableFile from cybox.common import ToolInformation, VocabString # Set up the necessary Package, Malware Subject, Analysis Bundle Instances p = Package() ms = MalwareSubject() b = Bundle() a = Analysis() # Set the Malware_Instance_Object_Attributes on the Malware Subject ms.malware_instance_object_attributes = Object() ms.malware_instance_object_attributes.properties = WinExecutableFile() ms.malware_instance_object_attributes.properties.size_in_bytes = "251904" ms.malware_instance_object_attributes.properties.add_hash("5247001dafe411802b1a40e763d9a221") ms.malware_instance_object_attributes.properties.add_hash("7ff89166e226845e9fc52cb711eb5b37d004a0e5") # Populate the Analysis with the metadata relating to the Analysis that was performed a.method = "dynamic" a.type_ = "triage" a.set_findings_bundle(b.id_) t = ToolInformation() t.name = "Anubis" t.vendor = "ISECLab"
# Code for MAEC AV Classification Idiom from maec.package.package import Package from maec.package.malware_subject import MalwareSubject from maec.package.analysis import Analysis from maec.bundle.bundle import Bundle from maec.bundle.av_classification import AVClassification from cybox.core import Object from cybox.objects.win_executable_file_object import WinExecutableFile # Set up the necessary Package, Malware Subject, Analysis Bundle Instances p = Package() ms = MalwareSubject() b = Bundle() a = Analysis() # Set the Malware_Instance_Object_Attributes on the Malware Subject ms.malware_instance_object_attributes = Object() ms.malware_instance_object_attributes.properties = WinExecutableFile() ms.malware_instance_object_attributes.properties.add_hash("076e5b2bae0b4b3a3d81c85610b95cd4") ms.malware_instance_object_attributes.properties.add_hash("4484e08903744ceeaedd8f5e1bfc06b2c4688e76") # Populate the Analysis with the metadata relating to the Analysis that was performed a.method = "static" a.type_ = "triage" a.set_findings_bundle(b.id_) # Set the requisite attributes on the Bundle b.defined_subject = False b.content_type = "static analysis tool output" # Create the AV Classifications
# Excerpt of a MAEC dynamic-analysis script (comments translated from
# Japanese).  The beginning of the file is not shown: ``Namespace``,
# ``maec``, ``Package``, ``MalwareSubject``, ``Object`` and ``File`` are
# used below but imported in the part that is cut off.
from maec.package.analysis import Analysis
from maec.bundle.bundle import Bundle
from maec.bundle.malware_action import MalwareAction
from maec.bundle.process_tree import ProcessTree, ProcessTreeNode
from cybox.objects.win_executable_file_object import WinExecutableFile
from cybox.common import ToolInformation, VocabString

# Register the sample's namespace with the ID generator so that every
# auto-generated ID (bundle, analysis, ...) is minted under it.  The URI is
# an identifier only; nothing is fetched from it.
NS = Namespace("http://example.com/", "example")
maec.utils.set_id_namespace(NS)

# Instantiate the Bundle, Package, MalwareSubject and Analysis classes.
# defined_subject=False marks the bundle as findings about the subject.
bundle = Bundle(defined_subject=False)
package = Package()
subject = MalwareSubject()
analysis = Analysis()

# Populate the Analysis with the metadata relating to the Analysis that was
# performed: a dynamic triage, findings referenced by Bundle ID, credited
# to APIMonitor.
analysis.method = "dynamic"
analysis.type_ = "triage"
analysis.set_findings_bundle(bundle.id_)
t = ToolInformation()
t.name = "APIMonitor"
t.vendor = "APIMonitor"
analysis.add_tool(t)

# Create the object used inside Malware Instance Object Attributes (the
# file that carries the malware -- here a document, not a PE).
subject_object = Object()  # the CybOX object
subject_object.properties = File()  # a generic File object
subject_object.properties.file_name = 'seminor.doc'  # file name of the malicious document
# Excerpt of a MAEC in-depth static-analysis idiom.  The first import
# (``Package``) lies before this excerpt, and the Bundle population that
# uses MalwareAction/Behavior/Capability/WinHook follows after it.
from maec.package.malware_subject import MalwareSubject
from maec.package.analysis import Analysis
from maec.bundle.bundle import Bundle, BehaviorReference
from maec.bundle.malware_action import MalwareAction
from maec.bundle.capability import Capability, CapabilityObjective, CapabilityList
from maec.bundle.behavior import Behavior, BehavioralActions, BehavioralActionReference
from cybox.core import Object, AssociatedObject, AssociatedObjects
from cybox.objects.win_executable_file_object import WinExecutableFile
from cybox.objects.win_hook_object import WinHook
from cybox.common import VocabString

# Set up the necessary Package, Malware Subject, Analysis and Bundle instances.
p = Package()
ms = MalwareSubject()
b = Bundle()
a = Analysis()

# Set the Malware_Instance_Object_Attributes on the Malware Subject: a
# Windows PE identified by size and a single 32-hex-digit (MD5-length)
# digest, both passed as strings.
# NOTE(review): an MD5 alone is a weak identifier (collision-prone); record
# a SHA-256 as well whenever the sample is available.
ms.malware_instance_object_attributes = Object()
ms.malware_instance_object_attributes.properties = WinExecutableFile()
ms.malware_instance_object_attributes.properties.size_in_bytes = "210564"
ms.malware_instance_object_attributes.properties.add_hash("B6C39FF68346DCC8B67AA060DEFE40C2")

# Populate the Analysis with the metadata relating to the Analysis that was
# performed: a static, in-depth analysis whose findings are in Bundle ``b``.
a.method = "static"
a.type_ = "in-depth"
a.set_findings_bundle(b.id_)

# Set the requisite attributes on the Bundle and populate it with the
# in-depth analysis findings.  defined_subject=False: the bundle holds
# findings about the subject rather than defining it.
b.defined_subject = False
def test_round_trip(self):
    """A default-constructed Analysis must survive a serialization round
    trip with an equal dict form."""
    original = Analysis()
    restored = round_trip(original)
    self.assertEqual(original.to_dict(), restored.to_dict())
# Code for MAEC Static Analysis Idiom from maec.package.package import Package from maec.package.malware_subject import MalwareSubject from maec.package.analysis import Analysis, Source from cybox.core import Object from cybox.objects.win_executable_file_object import WinExecutableFile, PEHeaders, PEOptionalHeader from cybox.common import ToolInformation from maec.bundle.bundle import Bundle # Set up the necessary Package, Malware Subject, Analysis Bundle Instances p = Package() ms = MalwareSubject() b = Bundle() a = Analysis() # Set the Malware_Instance_Object_Attributes on the Malware Subject ms.malware_instance_object_attributes = Object() ms.malware_instance_object_attributes.properties = WinExecutableFile() ms.malware_instance_object_attributes.properties.file_name = "dg003_improve_8080_V132.exe" ms.malware_instance_object_attributes.properties.size_in_bytes = "196608" ms.malware_instance_object_attributes.properties.add_hash("4EC0027BEF4D7E1786A04D021FA8A67F") # Populate the Analysis with the metadata relating to the Analysis that was performed a.method = "static" a.type_ = "triage" a.summary = "A basic static triage of the subject binary using PEiD." a.set_findings_bundle(b.id_) a.source = Source() a.source.name = "Frankie Li" a.source.url = "http://www.sans.org/reading_room/whitepapers/malicious/detailed-analysis-advanced-persistent-threat-malware_33814" t = ToolInformation()
# Code for MAEC Static Analysis Idiom from maec.package.package import Package from maec.package.malware_subject import MalwareSubject from maec.package.analysis import Analysis, Source from cybox.core import Object from cybox.objects.win_executable_file_object import WinExecutableFile, PEHeaders, PEOptionalHeader from cybox.common import ToolInformation from maec.bundle.bundle import Bundle # Set up the necessary Package, Malware Subject, Analysis Bundle Instances p = Package() ms = MalwareSubject() b = Bundle() a = Analysis() # Set the Malware_Instance_Object_Attributes on the Malware Subject ms.malware_instance_object_attributes = Object() ms.malware_instance_object_attributes.properties = WinExecutableFile() ms.malware_instance_object_attributes.properties.file_name = "dg003_improve_8080_V132.exe" ms.malware_instance_object_attributes.properties.size_in_bytes = "196608" ms.malware_instance_object_attributes.properties.add_hash( "4EC0027BEF4D7E1786A04D021FA8A67F") # Populate the Analysis with the metadata relating to the Analysis that was performed a.method = "static" a.type_ = "triage" a.summary = "A basic static triage of the subject binary using PEiD." a.set_findings_bundle(b.id_) a.source = Source() a.source.name = "Frankie Li" a.source.url = "http://www.sans.org/reading_room/whitepapers/malicious/detailed-analysis-advanced-persistent-threat-malware_33814"
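def vt_report_to_maec_package(vt_report_input, options = None):
    """Accept a VirusTotal report (as a Python structure) and return a corresponding MAEC Package API object.

    Args:
        vt_report_input: one decoded VirusTotal file-report dict, or a list
            of them.  Each report is data returned by the VT API and is
            treated as untrusted; the keys read are ``response_code``,
            ``resource``, ``md5``, ``sha1``, ``sha256``, ``scan_date`` and
            ``scans``.
        options: optional object whose boolean attributes
            ``normalize_bundles``, ``deduplicate_bundles`` and
            ``dereference_bundles`` select post-processing of each subject's
            bundles.  ``None`` (the default) applies none.

    Returns:
        A maec ``Package`` holding one ``MalwareSubject`` per report that
        VirusTotal recognised.  Reports with ``response_code`` 0 (hash
        unknown to VT) or -1 (VT-side error) are skipped with a warning on
        stderr, so the package may hold fewer subjects than reports, or none.
    """
    NS = Namespace("https://github.com/MAECProject/vt-to-maec", "VirusTotalToMAEC")
    maec.utils.set_id_namespace(NS)
    package = Package()

    # Accept a single report or a batch through the same code path.
    if isinstance(vt_report_input, list):
        vt_report_list = vt_report_input
    else:
        vt_report_list = [vt_report_input]

    # 1-based index so the warnings count files the way the user does.
    for idx, vt_report in enumerate(vt_report_list, 1):
        response_code = vt_report["response_code"]
        if response_code == 0:
            # VirusTotal has never seen this hash.
            _vt_warn("Skipping file #{} ({}); this MD5 is unknown to VirusTotal".format(
                idx, vt_report["resource"]))
            continue
        if response_code == -1:
            _vt_warn("VirusTotal had an unexpected error on file #{} ({}): {}".format(
                idx, vt_report["resource"],
                vt_report.get("verbose_message", "no message provided")))
            continue

        malware_subject = _vt_report_to_malware_subject(vt_report)
        package.add_malware_subject(malware_subject)

        # Bundle post-processing is per subject, so it is applied to every
        # subject that made it into the package.  (Applying it once after
        # the loop would touch only the last subject and fail with an
        # unbound name when every report was skipped.)
        if options:
            if options.normalize_bundles:
                malware_subject.normalize_bundles()
            if options.deduplicate_bundles:
                malware_subject.deduplicate_bundles()
            if options.dereference_bundles:
                malware_subject.dereference_bundles()

    package.__input_namespaces__["https://github.com/MAECProject/vt-to-maec"] = "VirusTotalToMAEC"
    return package


def _vt_warn(message):
    """Write one WARNING line to stderr and flush it so it is not lost behind buffered output."""
    sys.stderr.write("WARNING: " + message + "\n")
    sys.stderr.flush()


def _vt_report_to_malware_subject(vt_report):
    """Build the MalwareSubject for one VT report that VirusTotal recognised.

    The subject carries the file object (identified by its MD5/SHA1/SHA256),
    one static triage Analysis credited to VirusTotal, and a findings Bundle
    with one AVClassification per engine that returned a verdict.
    """
    malware_subject = MalwareSubject()

    # The subject is identified purely by its digests.  VT returns all three;
    # SHA256 is the one to match on, MD5/SHA1 being collision-prone.
    file_dict = {
        'xsi:type': 'WindowsExecutableFileObjectType',
        'hashes': [
            {'type': 'MD5', 'simple_hash_value': vt_report["md5"]},
            {'type': 'SHA1', 'simple_hash_value': vt_report["sha1"]},
            {'type': 'SHA256', 'simple_hash_value': vt_report["sha256"]},
        ],
    }
    object_dict = {
        'id': maec.utils.idgen.create_id(prefix="object"),
        'properties': file_dict,
    }
    # Bind the object to the malware subject as its defining object.
    malware_subject.set_malware_instance_object_attributes(Object.from_dict(object_dict))

    # One static triage Analysis credited to VirusTotal.  VT's scan_date has
    # a space between date and time; replacing it with "T" gives the
    # ISO 8601 form used for MAEC datetime fields.
    analysis = Analysis()
    analysis.type_ = 'triage'
    analysis.method = 'static'
    analysis.complete_datetime = vt_report["scan_date"].replace(" ", "T")
    analysis.add_tool(ToolInformation.from_dict({
        'id': maec.utils.idgen.create_id(prefix="tool"),
        'vendor': 'VirusTotal',
        'name': 'VirusTotal',
    }))
    malware_subject.add_analysis(analysis)

    # One AV classification per engine that returned a verdict.  Vendor and
    # verdict strings are copied verbatim from the VT response; nothing is
    # sanitized here, so escaping is left to the MAEC/XML serializer.
    bundle_obj = Bundle()
    for vendor, scan in vt_report["scans"].items():
        result = scan.get("result")
        if result is not None:
            bundle_obj.add_av_classification(AVClassification.from_dict({
                'classification_name': result,
                'vendor': vendor,
            }))

    # Attach the bundle to the subject and point the analysis at it by ID.
    malware_subject.add_findings_bundle(bundle_obj)
    analysis.set_findings_bundle(bundle_obj.id_)
    return malware_subject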
# Code for MAEC Analysis Metadata Idiom from maec.package.package import Package from maec.package.malware_subject import MalwareSubject from maec.package.analysis import Analysis from cybox.core import Object from cybox.common import ToolInformation, VocabString from cybox.objects.win_executable_file_object import WinExecutableFile # Set up the necessary Package, Malware Subject, Analysis instances p = Package() ms = MalwareSubject() a1 = Analysis() a2 = Analysis() # Set the Malware_Instance_Object_Attributes on the Malware Subject ms.malware_instance_object_attributes = Object() ms.malware_instance_object_attributes.properties = WinExecutableFile() ms.malware_instance_object_attributes.properties.size_in_bytes = "210564" ms.malware_instance_object_attributes.properties.add_hash("B6C39FF68346DCC8B67AA060DEFE40C2") # Populate the PeID Analysis with its corresponding metadata a1.method = "static" a1.type_ = "triage" t1 = ToolInformation() t1.name = "PEiD" t1.version = "0.94" a1.add_tool(t1) # Populate the Anubis Analysis with its corresponding metadata a2.method = "dynamic" a2.type_ = "triage"
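def test_id_autoset(self):
    """A freshly constructed Analysis must already carry an auto-generated id."""
    analysis = Analysis()
    # assertIsNotNone is the identity check None deserves (``!= None`` goes
    # through __ne__) and names the offending value in the failure message.
    self.assertIsNotNone(analysis.id_)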
# Excerpt of a MAEC in-depth static-analysis idiom.  The ``Package`` import
# lies before this excerpt, and the Bundle population that uses
# MalwareAction/Behavior/Capability/WinHook follows after it.
from maec.package.malware_subject import MalwareSubject
from maec.package.analysis import Analysis
from maec.bundle.bundle import Bundle, BehaviorReference
from maec.bundle.malware_action import MalwareAction
from maec.bundle.capability import Capability, CapabilityObjective, CapabilityList
from maec.bundle.behavior import Behavior, BehavioralActions, BehavioralActionReference
from cybox.core import Object, AssociatedObject, AssociatedObjects
from cybox.objects.win_executable_file_object import WinExecutableFile
from cybox.objects.win_hook_object import WinHook
from cybox.common import VocabString

# Set up the necessary Package, Malware Subject, Analysis and Bundle instances.
p = Package()
ms = MalwareSubject()
b = Bundle()
a = Analysis()

# Set the Malware_Instance_Object_Attributes on the Malware Subject: a
# Windows PE identified by size and a single 32-hex-digit (MD5-length)
# digest, both passed as strings.
# NOTE(review): an MD5 alone is a weak, collision-prone identifier; record a
# SHA-256 as well whenever the sample is available.
ms.malware_instance_object_attributes = Object()
ms.malware_instance_object_attributes.properties = WinExecutableFile()
ms.malware_instance_object_attributes.properties.size_in_bytes = "210564"
ms.malware_instance_object_attributes.properties.add_hash("B6C39FF68346DCC8B67AA060DEFE40C2")

# Populate the Analysis with the metadata relating to the Analysis that was
# performed: a static, in-depth analysis whose findings are in Bundle ``b``.
a.method = "static"
a.type_ = "in-depth"
a.set_findings_bundle(b.id_)

# Set the requisite attributes on the Bundle and populate it with the
# in-depth analysis findings.  defined_subject=False: the bundle holds
# findings about the subject rather than defining it; content_type is free
# text recording that these findings were produced by hand.
b.defined_subject = False
b.content_type = "manual analysis output"