Пример #1
0
 def generate_malware_subjects(self):
     entry_dict = self.pefile_parser.entry_dict
     malware_subject = MalwareSubject()
     entry_dict['id'] = malware_subject
     static_bundle = Bundle(None, False, '4.1', 'static analysis tool output')
     self.populate(entry_dict, static_bundle, malware_subject)
     malware_subject.add_analysis(self.generate_analysis(static_bundle))
     if self.bundle_has_content(static_bundle):
         malware_subject.add_findings_bundle(static_bundle)
     self.package.add_malware_subject(malware_subject)
Пример #2
0
 def generate_malware_subjects(self):
     entry_dict = self.pefile_parser.entry_dict
     malware_subject = MalwareSubject()
     entry_dict['id'] = malware_subject
     static_bundle = Bundle(None, False, '4.1', 'static analysis tool output')
     self.populate(entry_dict, static_bundle, malware_subject)
     malware_subject.add_analysis(self.generate_analysis(static_bundle))
     if self.bundle_has_content(static_bundle):
         malware_subject.add_findings_bundle(static_bundle)
     self.package.add_malware_subject(malware_subject)
o1.properties = WinExecutableFile()
o1.properties.file_name = "Zcxaxz.exe"
o1.properties.size_in_bytes = "332288"
o1.association_type = VocabString()
o1.association_type.value = "output"
o1.association_type.xsi_type = "maecVocabs:ActionObjectAssociationTypeVocab-1.0"
act1.associated_objects.append(o1)

# Create the second, create mutex action
act2 = MalwareAction()
act2.name = "create mutex"
act2.name.xsi_type = "SynchronizationActionNameVocab-1.0"
act2.associated_objects = AssociatedObjects()
o2 = AssociatedObject()
o2.properties = WinMutex()
o2.properties.name = "redem-Mutex"
o2.association_type = VocabString()
o2.association_type.value = "output"
o2.association_type.xsi_type = "maecVocabs:ActionObjectAssociationTypeVocab-1.0"
act2.associated_objects.append(o2)

# Build up the full Package/Malware Subject/Analysis/Bundle hierarchy
p.add_malware_subject(ms)
b.add_action(act1)
b.add_action(act2)
ms.add_analysis(a)
ms.add_findings_bundle(b)

# Output the built up Package to XML
print p.to_xml()
act1.associated_objects.append(o1)

# Create the Process Tree
p_tree = ProcessTree()

# Create the root process
root_p = ProcessTreeNode()
root_p.name = "first_process.exe"
root_p.add_initiated_action(act1.id_)

# Create the spawned process
spawned_p = ProcessTreeNode()
spawned_p.name = "malproc.exe"

# Add the spawned process to the root process
root_p.add_spawned_process(spawned_p)

# Set the root process in the process_tree
p_tree.set_root_process(root_p)

# Build up the full Package/Malware Subject/Analysis/Bundle hierarchy
p.add_malware_subject(ms)
b.add_action(act1)
b.set_process_tree(p_tree)
ms.add_analysis(a)
ms.add_findings_bundle(b)

# Output the built up Package to XML
print p.to_xml()

Пример #5
0
p_node.pid = 3408
p_node.name = "word.exe"

#プロセスの設定
P2 = ProcessTreeNode()
P2.pid = 3768
P2.parent_pid = 3408
P2.name = "SenPen.exe"

p_node.add_spawned_process(P2)

#ProcessTreeの設定
p_tree = ProcessTree()
p_tree.set_root_process(p_node)
#Check
#p_tree.to_xml_file('ProcessTree.xml', {"http://LIFT-S.com/":"LIFT-S"})

# パッケージへMalwareSubjectを追加
package.add_malware_subject(subject)
# バンドルへActionを追加
bundle.add_action(act1)
bundle.set_process_tree(p_tree)
# Add the Bundle to the Malware Subject
# Malware Subjectへバンドルを追加
subject.add_findings_bundle(bundle)
subject.add_analysis(analysis)

# Export the Package Bindings Object to an XML file and use the namespaceparser for writing out the namespace definitions
package.to_xml_file('MalAnalyze_seminor.xml', {"http://LIFT-S.com/":"LIFT-S"})
print "Wrote to sample_maec_package.xml"
def vt_report_to_maec_package(vt_report_input, options = None):
    """Accept a VirusTotal report (as a Python structure) and return a corresponding MAEC Package API object."""
    NS = Namespace("https://github.com/MAECProject/vt-to-maec", "VirusTotalToMAEC")
    maec.utils.set_id_namespace(NS)
    
    package = Package()

    # if only one result, make it a list of one result
    if type(vt_report_input) != list:
        vt_report_list = [vt_report_input]
    else:
        vt_report_list = vt_report_input

    for idx, vt_report in enumerate(vt_report_list):
        # if VirusTotal has never seen this MD5
        if vt_report["response_code"] == 0:
            sys.stderr.write("WARNING: Skipping file #" + str(idx+1) + " (" + vt_report["resource"] + "); this MD5 is unknown to VirusTotal\n")
            sys.stderr.flush();
            continue
        if vt_report["response_code"] == -1:
            sys.stderr.write("WARNING: VirusTotal had an unexpected error on file #" + str(idx+1) + " (" + vt_report["resource"] + "): " +
                             vt_report.get("verbose_message", "no message provided") + "\n")
            sys.stderr.flush();
            continue
        
        malware_subject = MalwareSubject()
        
        # create the file object and add hashes
        file_dict = {}
        file_dict['xsi:type'] = 'WindowsExecutableFileObjectType'
        file_dict['hashes'] = [
            {'type' : 'MD5', 'simple_hash_value': vt_report["md5"] },
            {'type' : 'SHA1', 'simple_hash_value': vt_report["sha1"] },
            {'type' : 'SHA256', 'simple_hash_value': vt_report["sha256"] }
        ]
        
        # set the object as the defined object
        object_dict = {}
        object_dict['id'] = maec.utils.idgen.create_id(prefix="object")
        object_dict['properties'] = file_dict
        
        # bind the object to the malware subject object
        malware_subject.set_malware_instance_object_attributes(Object.from_dict(object_dict))
        
        # create the analysis and add it to the subject
        analysis = Analysis()
        analysis.type_ = 'triage'
        analysis.method = 'static'
        analysis.complete_datetime = vt_report["scan_date"].replace(" ", "T")
        analysis.add_tool(ToolInformation.from_dict({'id' : maec.utils.idgen.create_id(prefix="tool"),
                           'vendor' : 'VirusTotal',
                           'name' : 'VirusTotal' }))
        malware_subject.add_analysis(analysis)
        
        bundle_obj = Bundle()
        
        for vendor, scan in vt_report["scans"].items():
            if scan["result"] is not None:
                bundle_obj.add_av_classification(AVClassification.from_dict({ 'classification_name' : scan["result"], 'vendor' : vendor }))
        
        # add bundle to subject, bundle to analysis, and subject to package
        malware_subject.add_findings_bundle(bundle_obj)
        analysis.set_findings_bundle(bundle_obj.id_)
        package.add_malware_subject(malware_subject)
        
        package.__input_namespaces__["https://github.com/MAECProject/vt-to-maec"] = "VirusTotalToMAEC"
        
        if options:
            if options.normalize_bundles:
                malware_subject.normalize_bundles()
            if options.deduplicate_bundles:
                malware_subject.deduplicate_bundles()
            if options.dereference_bundles:
                malware_subject.dereference_bundles()
        
    return package
Пример #7
0
# Set the Malware_Instance_Object_Attributes on the Malware Subject
ms.malware_instance_object_attributes = Object()
ms.malware_instance_object_attributes.properties = WinExecutableFile()
ms.malware_instance_object_attributes.properties.size_in_bytes = "210564"
ms.malware_instance_object_attributes.properties.add_hash("B6C39FF68346DCC8B67AA060DEFE40C2")

# Populate the PeID Analysis with its corresponding metadata
a1.method = "static"
a1.type_ = "triage"
t1 = ToolInformation()
t1.name = "PEiD"
t1.version = "0.94"
a1.add_tool(t1)

# Populate the Anubis Analysis with its corresponding metadata
a2.method = "dynamic"
a2.type_ = "triage"
t2 = ToolInformation()
t2.name = "Anubis"
t2.version = "1.68.0"
a2.add_tool(t2)

# Build up the full Package/Malware Subject/Analysis hierarchy
p.add_malware_subject(ms)
ms.add_analysis(a1)
ms.add_analysis(a2)

# Output the built up Package to XML
print p.to_xml()