"B6C39FF68346DCC8B67AA060DEFE40C2")
ms.malware_instance_object_attributes.properties.add_hash(
"D55B0FB96FAD96D203D10850469489FC03E6F2F7")
# Populate the Analysis with the metadata relating to the Analysis that was performed
a.method = "dynamic"
a.type_ = "triage"
a.set_findings_bundle(b.id_)
t = ToolInformation()
t.name = "ThreatExpert"
t.vendor = "ThreatExpert"
a.add_tool(t)
# Set the requisite attributes on the Bundle and populate it with the Dynamic Analysis findings
b.defined_subject = False
b.content_type = "dynamic analysis tool output"
# Create the first, create file action
act1 = MalwareAction()
act1.name = "create file"
act1.name.xsi_type = "FileActionNameVocab-1.1"
act1.associated_objects = AssociatedObjects()
o1 = AssociatedObject()
o1.properties = WinExecutableFile()
o1.properties.file_name = "Zcxaxz.exe"
o1.properties.size_in_bytes = "332288"
o1.association_type = VocabString()
o1.association_type.value = "output"
o1.association_type.xsi_type = "maecVocabs:ActionObjectAssociationTypeVocab-1.0"
act1.associated_objects.append(o1)
ms.malware_instance_object_attributes.properties.size_in_bytes = "251904"
ms.malware_instance_object_attributes.properties.add_hash("5247001dafe411802b1a40e763d9a221")
ms.malware_instance_object_attributes.properties.add_hash("7ff89166e226845e9fc52cb711eb5b37d004a0e5")
# Populate the Analysis with the metadata relating to the Analysis that was performed
a.method = "dynamic"
a.type_ = "triage"
a.set_findings_bundle(b.id_)
t = ToolInformation()
t.name = "Anubis"
t.vendor = "ISECLab"
a.add_tool(t)
# Set the requisite attributes on the Bundle and populate it with the Dynamic Analysis findings
b.defined_subject = False
b.content_type = "dynamic analysis tool output"
# Create the create file action initiated by the root process
act1 = MalwareAction()
act1.name = "create file"
act1.name.xsi_type = "FileActionNameVocab-1.1"
act1.associated_objects = AssociatedObjects()
o1 = AssociatedObject()
o1.properties = WinExecutableFile()
o1.properties.file_name = "Zcxaxz.exe"
o1.properties.size_in_bytes = "332288"
o1.association_type = VocabString()
o1.association_type.value = "output"
o1.association_type.xsi_type = "maecVocabs:ActionObjectAssociationTypeVocab-1.0"
act1.associated_objects.append(o1)
# Set the Malware_Instance_Object_Attributes on the Malware Subject
ms.malware_instance_object_attributes = Object()
ms.malware_instance_object_attributes.properties = WinExecutableFile()
ms.malware_instance_object_attributes.properties.size_in_bytes = "210564"
ms.malware_instance_object_attributes.properties.add_hash(
"B6C39FF68346DCC8B67AA060DEFE40C2")
# Populate the Analysis with the metadata relating to the Analysis that was performed
a.method = "static"
a.type_ = "in-depth"
a.set_findings_bundle(b.id_)
# Set the requisite attributes on the Bundle and populate it with the In-depth Analysis findings
b.defined_subject = False
b.content_type = "manual analysis output"
# Create the add windows hook action
act = MalwareAction()
act.name = "add windows hook"
act.name.xsi_type = "maecVocabs:HookingActionNameVocab-1.0"
act.associated_objects = AssociatedObjects()
o1 = AssociatedObject()
o1.properties = WinHook()
o1.properties.type_ = "WH_KEYBOARD_LL"
o1.association_type = VocabString()
o1.association_type.value = "output"
o1.association_type.xsi_type = "maecVocabs:ActionObjectAssociationTypeVocab-1.0"
act.associated_objects.append(o1)
# Create the behavior
a = Analysis()
# Set the Malware_Instance_Object_Attributes on the Malware Subject
ms.malware_instance_object_attributes = Object()
ms.malware_instance_object_attributes.properties = WinExecutableFile()
ms.malware_instance_object_attributes.properties.add_hash("076e5b2bae0b4b3a3d81c85610b95cd4")
ms.malware_instance_object_attributes.properties.add_hash("4484e08903744ceeaedd8f5e1bfc06b2c4688e76")
# Populate the Analysis with the metadata relating to the Analysis that was performed
a.method = "static"
a.type_ = "triage"
a.set_findings_bundle(b.id_)
# Set the requisite attributes on the Bundle
b.defined_subject = False
b.content_type = "static analysis tool output"
# Create the AV Classifications
av1 = AVClassification()
av1.name = "Microsoft"
av1.classification_name = "PWS:Win32/Zbot.gen!B"
av2 = AVClassification()
av2.name = "Symantec"
av2.classification_name = "Backdoor.Paproxy"
av3 = AVClassification()
av3.name = "TrendMicro"
av3.classification_name = "TSPY_ZBOT.TD"
# Add the AV classifications to the Bundle
b.add_av_classification(av1)
b.add_av_classification(av2)
a = Analysis()
# Set the Malware_Instance_Object_Attributes on the Malware Subject
ms.malware_instance_object_attributes = Object()
ms.malware_instance_object_attributes.properties = WinExecutableFile()
ms.malware_instance_object_attributes.properties.size_in_bytes = "210564"
ms.malware_instance_object_attributes.properties.add_hash("B6C39FF68346DCC8B67AA060DEFE40C2")
# Populate the Analysis with the metadata relating to the Analysis that was performed
a.method = "static"
a.type_ = "in-depth"
a.set_findings_bundle(b.id_)
# Set the requisite attributes on the Bundle and populate it with the In-depth Analysis findings
b.defined_subject = False
b.content_type = "manual analysis output"
# Create the add windows hook action
act = MalwareAction()
act.name = "add windows hook"
act.name.xsi_type = "maecVocabs:HookingActionNameVocab-1.0"
act.associated_objects = AssociatedObjects()
o1 = AssociatedObject()
o1.properties = WinHook()
o1.properties.type_ = "WH_KEYBOARD_LL"
o1.association_type = VocabString()
o1.association_type.value = "output"
o1.association_type.xsi_type = "maecVocabs:ActionObjectAssociationTypeVocab-1.0"
act.associated_objects.append(o1)
# Create the behavior
