# Attach the analysed sample's file properties to the Malware Subject `ms`
# (created earlier in the idiom, outside this excerpt).
ms.malware_instance_object_attributes.properties = WinExecutableFile()
# Assigned as a string, as everywhere on this page; presumably the property
# coerces it -- TODO confirm against cybox.
ms.malware_instance_object_attributes.properties.size_in_bytes = "251904"
# Digests of the analysed sample. No hash type is passed, so the type is
# presumably inferred from the digest length (32 hex chars, then 40 hex chars)
# -- confirm against cybox's Hash/add_hash before relying on it.
ms.malware_instance_object_attributes.properties.add_hash("5247001dafe411802b1a40e763d9a221")
ms.malware_instance_object_attributes.properties.add_hash("7ff89166e226845e9fc52cb711eb5b37d004a0e5")

# Populate the Analysis with the metadata relating to the Analysis that was performed
a.method = "dynamic"
a.type_ = "triage"
# Link the Analysis to the Bundle that holds its findings by the Bundle's id.
a.set_findings_bundle(b.id_)
t = ToolInformation()
t.name = "Anubis"
t.vendor = "ISECLab"
a.add_tool(t)

# Set the requisite attributes on the Bundle and populate it with the Dynamic Analysis findings
# False presumably because the subject is described on the Malware Subject
# above rather than on this Bundle itself (contrast the stand-alone Bundle
# idiom on this page, which carries its own Malware_Instance_Object_Attributes).
b.defined_subject = False
b.content_type = "dynamic analysis tool output"

# Create the create file action initiated by the root process
act1 = MalwareAction()
act1.name = "create file"
# Setting xsi_type on a value assigned as a plain str relies on the `name`
# property coercing it to a vocab string -- TODO confirm. Note this vocab
# reference carries no "maecVocabs:" prefix, unlike the association_type
# xsi_type below; confirm which form the serializer expects.
act1.name.xsi_type = "FileActionNameVocab-1.1"
act1.associated_objects = AssociatedObjects()
# The file produced by the action (association type "output").
o1 = AssociatedObject()
o1.properties = WinExecutableFile()
o1.properties.file_name = "Zcxaxz.exe"
o1.properties.size_in_bytes = "332288"
o1.association_type = VocabString()
o1.association_type.value = "output"
o1.association_type.xsi_type = "maecVocabs:ActionObjectAssociationTypeVocab-1.0"
act1.associated_objects.append(o1)
# Digests of the analysed sample, given as upper-case hex here (the earlier
# digests on this page are lower-case). The hash type is presumably inferred
# from the digest length (32, then 40 hex chars) -- confirm against cybox.
# Consumers that compare digest strings literally may want one consistent
# case across the document.
ms.malware_instance_object_attributes.properties.add_hash(
    "B6C39FF68346DCC8B67AA060DEFE40C2")
ms.malware_instance_object_attributes.properties.add_hash(
    "D55B0FB96FAD96D203D10850469489FC03E6F2F7")

# Populate the Analysis with the metadata relating to the Analysis that was performed
a.method = "dynamic"
a.type_ = "triage"
# Link the Analysis to the Bundle that holds its findings by the Bundle's id.
a.set_findings_bundle(b.id_)
t = ToolInformation()
t.name = "ThreatExpert"
t.vendor = "ThreatExpert"
a.add_tool(t)

# Set the requisite attributes on the Bundle and populate it with the Dynamic Analysis findings
# False presumably because the subject is described on the Malware Subject
# rather than on this Bundle itself.
b.defined_subject = False
b.content_type = "dynamic analysis tool output"

# Create the first, create file action
# act1 and o1 are rebound here; an earlier action bound to these names is not
# retained unless it was already added to the Bundle before this point.
act1 = MalwareAction()
act1.name = "create file"
# Setting xsi_type on a value assigned as a plain str relies on the `name`
# property coercing it to a vocab string -- TODO confirm. This vocab reference
# has no "maecVocabs:" prefix, unlike the association_type xsi_type below.
act1.name.xsi_type = "FileActionNameVocab-1.1"
act1.associated_objects = AssociatedObjects()
# The file produced by the action (association type "output").
o1 = AssociatedObject()
o1.properties = WinExecutableFile()
o1.properties.file_name = "Zcxaxz.exe"
o1.properties.size_in_bytes = "332288"
o1.association_type = VocabString()
o1.association_type.value = "output"
o1.association_type.xsi_type = "maecVocabs:ActionObjectAssociationTypeVocab-1.0"
act1.associated_objects.append(o1)
# Code for MAEC Basic Bundle Idiom
from maec.bundle.bundle import Bundle
from cybox.core import Object
from cybox.objects.pdf_file_object import PDFFile

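# Instantiate the Bundle and populate its required attributes.
# The ID generation is handled automatically by python-maec.
b = Bundle()
# This Bundle carries its own Malware_Instance_Object_Attributes (below), so it
# defines its subject itself. Use the bool rather than the string "True" so the
# value matches the attribute's boolean type and the sibling idioms on this
# page, which assign False as a bool.
b.defined_subject = True

# Populate the Malware_Instance_Object_Attributes of the Bundle with the
# properties of the PDF file.
b.malware_instance_object_attributes = Object()
b.malware_instance_object_attributes.properties = PDFFile()
b.malware_instance_object_attributes.properties.file_name = "User_Manual.pdf"
# Assigned as a string, as in the other idioms on this page; presumably the
# property coerces it -- TODO confirm against cybox.
b.malware_instance_object_attributes.properties.size_in_bytes = "509328"
b.malware_instance_object_attributes.properties.version = "1.6"

# Parenthesised print runs on both Python 2 and 3; the bare print statement
# is a SyntaxError on Python 3.
print(b.to_xml())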