def generate_malware_subjects(self):
    """Turn the parsed PE entry into a MalwareSubject and attach it to self.package.

    The parser's entry_dict is tagged with the new subject under the 'id' key
    before population (the subject object itself is stored there, as in the
    original code), and the static-analysis Bundle is attached as a findings
    bundle only when bundle_has_content() says it holds something.
    """
    parsed_entry = self.pefile_parser.entry_dict
    subject = MalwareSubject()
    parsed_entry['id'] = subject
    # Positional Bundle arguments -- presumably (id, defined_subject,
    # schema_version, content_name); confirm against maec.bundle.Bundle.
    static_findings = Bundle(None, False, '4.1', 'static analysis tool output')
    self.populate(parsed_entry, static_findings, subject)
    subject.add_analysis(self.generate_analysis(static_findings))
    # Skip the bundle entirely rather than attaching an empty one.
    if self.bundle_has_content(static_findings):
        subject.add_findings_bundle(static_findings)
    self.package.add_malware_subject(subject)
def generate_malware_subjects(self):
    """Create one MalwareSubject for the parsed PE file and register it on self.package.

    Steps, in order: build the subject, store it in the parser's entry_dict
    under 'id', create the static-analysis Bundle, populate both from the
    entry, attach the analysis record, and attach the bundle only if
    bundle_has_content() reports that it is non-empty.
    """
    subject = MalwareSubject()
    entry = self.pefile_parser.entry_dict
    entry['id'] = subject
    # Bundle args are positional here; presumably (id, defined_subject,
    # schema_version, content_name) -- verify against maec.bundle.Bundle.
    findings = Bundle(None, False, '4.1', 'static analysis tool output')
    self.populate(entry, findings, subject)
    analysis = self.generate_analysis(findings)
    subject.add_analysis(analysis)
    has_findings = self.bundle_has_content(findings)
    if has_findings:
        # Only a bundle with actual content is worth emitting.
        subject.add_findings_bundle(findings)
    self.package.add_malware_subject(subject)
# Associated object of the first action (o1 and act1 are created earlier in
# the script): the dropped executable, marked as an "output" of the action.
# Statement order matters here -- object/action constructors draw ids from
# the shared id generator, so do not reorder the constructor calls.
o1.properties = WinExecutableFile()
o1.properties.file_name = "Zcxaxz.exe"
o1.properties.size_in_bytes = "332288"
o1.association_type = VocabString()
o1.association_type.value = "output"
o1.association_type.xsi_type = "maecVocabs:ActionObjectAssociationTypeVocab-1.0"
act1.associated_objects.append(o1)

# Create the second, create mutex action
act2 = MalwareAction()
act2.name = "create mutex"
# The name setter apparently wraps the plain string so that xsi_type can be
# set on it afterwards -- confirm against MalwareAction.name.
act2.name.xsi_type = "SynchronizationActionNameVocab-1.0"
act2.associated_objects = AssociatedObjects()
o2 = AssociatedObject()
o2.properties = WinMutex()
o2.properties.name = "redem-Mutex"
# The mutex is likewise an "output" of the create-mutex action.
o2.association_type = VocabString()
o2.association_type.value = "output"
o2.association_type.xsi_type = "maecVocabs:ActionObjectAssociationTypeVocab-1.0"
act2.associated_objects.append(o2)

# Build up the full Package/Malware Subject/Analysis/Bundle hierarchy
# (p, ms, a and b are created earlier in the script).
p.add_malware_subject(ms)
b.add_action(act1)
b.add_action(act2)
ms.add_analysis(a)
ms.add_findings_bundle(b)

# Output the built up Package to XML (Python 2 print statement).
print p.to_xml()
# Attach the associated object to the first action (act1 and o1 are built
# earlier in the script).
act1.associated_objects.append(o1)

# Create the Process Tree
p_tree = ProcessTree()

# Create the root process. It is linked to act1 through the action's id
# rather than the action object itself.
root_p = ProcessTreeNode()
root_p.name = "first_process.exe"
root_p.add_initiated_action(act1.id_)

# Create the spawned process
spawned_p = ProcessTreeNode()
spawned_p.name = "malproc.exe"

# Add the spawned process to the root process
root_p.add_spawned_process(spawned_p)

# Set the root process in the process_tree
p_tree.set_root_process(root_p)

# Build up the full Package/Malware Subject/Analysis/Bundle hierarchy
# (p, ms, a and b are created earlier in the script). Constructor order is
# significant because ids come from a shared generator.
p.add_malware_subject(ms)
b.add_action(act1)
b.set_process_tree(p_tree)
ms.add_analysis(a)
ms.add_findings_bundle(b)

# Output the built up Package to XML (Python 2 print statement).
print p.to_xml()
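# Root process of the tree (p_node is created earlier in the script).
p_node.pid = 3408
p_node.name = "word.exe"

# Child process spawned by the root; its parent_pid must match the root's pid.
P2 = ProcessTreeNode()
P2.pid = 3768
P2.parent_pid = p_node.pid
P2.name = "SenPen.exe"
p_node.add_spawned_process(P2)

# Process tree rooted at p_node.
p_tree = ProcessTree()
p_tree.set_root_process(p_node)

# Debug aid: dump just the process tree.
#p_tree.to_xml_file('ProcessTree.xml', {"http://LIFT-S.com/":"LIFT-S"})

# Add the MalwareSubject to the Package (package and subject are created
# earlier in the script).
package.add_malware_subject(subject)

# Add the Action and the process tree to the Bundle.
bundle.add_action(act1)
bundle.set_process_tree(p_tree)

# Add the Bundle and the Analysis to the Malware Subject.
subject.add_findings_bundle(bundle)
subject.add_analysis(analysis)

# Export the Package to an XML file; the namespace dict supplies the prefix
# definition for the LIFT-S namespace. The output path is held in one place
# so the confirmation message can never name a different file than the one
# actually written.
output_path = 'MalAnalyze_seminor.xml'
package.to_xml_file(output_path, {"http://LIFT-S.com/":"LIFT-S"})
print "Wrote to " + output_path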
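def vt_report_to_maec_package(vt_report_input, options=None):
    """Accept a VirusTotal report (as a Python structure) and return a corresponding MAEC Package API object.

    Args:
        vt_report_input: one VirusTotal file-report dict, or a list of them.
            Each report is expected to carry 'response_code', 'resource',
            'md5', 'sha1', 'sha256', 'scan_date' and 'scans' as returned by
            the VirusTotal API.
        options: optional object with boolean attributes normalize_bundles,
            deduplicate_bundles and dereference_bundles; each enables the
            corresponding MalwareSubject post-processing step.

    Returns:
        A maec Package holding one MalwareSubject per report that VirusTotal
        actually knows. Unknown hashes (response_code 0) and VirusTotal
        errors (response_code -1) are reported on stderr and skipped.

    Note:
        Report values are external data; they are placed into the MAEC
        object model as-is and rely on the XML serializer for escaping --
        verify that to_xml() escapes attribute and text content.
    """
    NS = Namespace("https://github.com/MAECProject/vt-to-maec", "VirusTotalToMAEC")
    maec.utils.set_id_namespace(NS)
    package = Package()
    # The input namespace belongs to the package, not to a single subject,
    # so it is declared once instead of on every loop iteration.
    package.__input_namespaces__["https://github.com/MAECProject/vt-to-maec"] = "VirusTotalToMAEC"

    # Accept a single report as well as a list of reports.
    if isinstance(vt_report_input, list):
        vt_report_list = vt_report_input
    else:
        vt_report_list = [vt_report_input]

    for idx, vt_report in enumerate(vt_report_list):
        if not _vt_report_is_usable(vt_report, idx):
            continue

        # Constructor order is kept as in the original: subject, file
        # object, analysis, then bundle, so generated ids stay stable.
        malware_subject = MalwareSubject()
        malware_subject.set_malware_instance_object_attributes(_vt_file_object(vt_report))

        analysis = _vt_analysis(vt_report)
        malware_subject.add_analysis(analysis)

        bundle_obj = _vt_av_bundle(vt_report)
        # add bundle to subject, bundle to analysis, and subject to package
        malware_subject.add_findings_bundle(bundle_obj)
        analysis.set_findings_bundle(bundle_obj.id_)
        package.add_malware_subject(malware_subject)

        if options:
            if options.normalize_bundles:
                malware_subject.normalize_bundles()
            if options.deduplicate_bundles:
                malware_subject.deduplicate_bundles()
            if options.dereference_bundles:
                malware_subject.dereference_bundles()

    return package


def _vt_warn(message):
    """Write one warning line to stderr and flush it so it is not lost on early exit."""
    sys.stderr.write(message)
    sys.stderr.flush()


def _vt_report_is_usable(vt_report, idx):
    """Return True when the report holds real scan results, warning on stderr otherwise.

    response_code 0 means VirusTotal has never seen the hash; -1 means
    VirusTotal reported an error (its optional 'verbose_message' is echoed).
    idx is the zero-based position in the input list, printed one-based.
    """
    code = vt_report["response_code"]
    if code == 0:
        _vt_warn("WARNING: Skipping file #%d (%s); this MD5 is unknown to VirusTotal\n"
                 % (idx + 1, vt_report["resource"]))
        return False
    if code == -1:
        _vt_warn("WARNING: VirusTotal had an unexpected error on file #%d (%s): %s\n"
                 % (idx + 1, vt_report["resource"],
                    vt_report.get("verbose_message", "no message provided")))
        return False
    return True


def _vt_file_object(vt_report):
    """Build the CybOX Object describing the scanned file from its MD5/SHA1/SHA256."""
    file_dict = {
        'xsi:type': 'WindowsExecutableFileObjectType',
        'hashes': [
            {'type': 'MD5', 'simple_hash_value': vt_report["md5"]},
            {'type': 'SHA1', 'simple_hash_value': vt_report["sha1"]},
            {'type': 'SHA256', 'simple_hash_value': vt_report["sha256"]},
        ],
    }
    object_dict = {
        'id': maec.utils.idgen.create_id(prefix="object"),
        'properties': file_dict,
    }
    return Object.from_dict(object_dict)


def _vt_analysis(vt_report):
    """Build the static triage Analysis record crediting VirusTotal as the tool."""
    analysis = Analysis()
    analysis.type_ = 'triage'
    analysis.method = 'static'
    # The space in VirusTotal's scan_date is swapped for a 'T' -- presumably
    # to produce an ISO 8601 / xs:dateTime value; confirm against the schema.
    analysis.complete_datetime = vt_report["scan_date"].replace(" ", "T")
    analysis.add_tool(ToolInformation.from_dict({
        'id': maec.utils.idgen.create_id(prefix="tool"),
        'vendor': 'VirusTotal',
        'name': 'VirusTotal',
    }))
    return analysis


def _vt_av_bundle(vt_report):
    """Build a Bundle with one AVClassification per engine that reported a detection.

    A missing 'scans' section yields an empty bundle instead of a KeyError.
    """
    bundle_obj = Bundle()
    for vendor, scan in vt_report.get("scans", {}).items():
        # Engines that saw nothing report result None; only detections are kept.
        if scan.get("result") is not None:
            bundle_obj.add_av_classification(AVClassification.from_dict({
                'classification_name': scan["result"],
                'vendor': vendor,
            }))
    return bundle_obj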
# Set the Malware_Instance_Object_Attributes on the Malware Subject
# (ms, a1, a2 and p are created earlier in the script).
ms.malware_instance_object_attributes = Object()
ms.malware_instance_object_attributes.properties = WinExecutableFile()
ms.malware_instance_object_attributes.properties.size_in_bytes = "210564"
# add_hash receives only the digest string; the hash type is presumably
# inferred from its length -- confirm against WinExecutableFile.add_hash.
ms.malware_instance_object_attributes.properties.add_hash("B6C39FF68346DCC8B67AA060DEFE40C2")

# Populate the PeID Analysis with its corresponding metadata
a1.method = "static"
a1.type_ = "triage"
t1 = ToolInformation()
t1.name = "PEiD"
t1.version = "0.94"
a1.add_tool(t1)

# Populate the Anubis Analysis with its corresponding metadata
a2.method = "dynamic"
a2.type_ = "triage"
t2 = ToolInformation()
t2.name = "Anubis"
t2.version = "1.68.0"
a2.add_tool(t2)

# Build up the full Package/Malware Subject/Analysis hierarchy. Constructor
# order above is significant because ids come from a shared generator.
p.add_malware_subject(ms)
ms.add_analysis(a1)
ms.add_analysis(a2)

# Output the built up Package to XML (Python 2 print statement).
print p.to_xml()