
Class MAEC40Report

                        object --+    
                                 |    
lib.cuckoo.common.abstracts.Report --+
                                     |
                                    MAEC40Report

Generates a MAEC 4.0.1 report.
--Output modes (set in reporting.conf):
    mode = "full": Output fully mapped Actions (see maec40_mappings), including Windows Handle mapped/substituted objects,
                   along with API call/parameter capture via Action Implementations.
    mode = "overview": Output only fully mapped Actions, without any Action Implementations. Default mode.
    mode = "api": Output only Actions with Action Implementations, but no mapped components.
--Other configuration parameters:
    processtree = "true" | "false". Output captured ProcessTree as part of dynamic analysis MAEC Bundle. Default = "true".
    output_handles = "true" | "false". Output the Windows Handles used to construct the Object-Handle mappings as a
                                       separate Object Collection in the dynamic analysis MAEC Bundle. Only applicable
                                       for mode = "full" or mode = "overview". Default = "false".
    static = "true" | "false". Output Cuckoo static analysis (PEfile) output as a separate MAEC Bundle in the document.
                               Default = "true".
    strings = "true" | "false". Output Cuckoo strings output as a separate MAEC Bundle in the document. Default = "true".
    virustotal = "true" | "false". Output VirusTotal output as a separate MAEC Bundle in the document. Default = "true".

Instance Methods

run(self, results)
Writes report.

setupMAEC(self)
Generates MAEC Package, Malware Subject, and Bundle structure.

addActions(self)
Add Actions section.

createActionNet(self, network_data, action_name, layer4_protocol=None, layer7_protocol=None)
Create a network Action.

addProcessTree(self)
Creates the ProcessTree corresponding to that observed by Cuckoo.

createProcessTreeNode(self, process)
Creates a single ProcessTreeNode corresponding to a single node in the tree observed by Cuckoo.

apiCallToAction(self, call, pos)
Create and return a dictionary representing a MAEC Malware Action.

processActionImplementation(self, call, parameter_list)
Creates a MAEC Action Implementation based on API call input.

processActionArguments(self, parameter_mappings_dict, parameter_list)
Processes a dictionary of parameters that should be mapped to Action Arguments in the Malware Action.

processActionAssociatedObjects(self, associated_objects_dict, parameter_list)
Processes a dictionary of parameters that should be mapped to Associated Objects in the Action.

processWinHandles(self, associated_objects_list)
Process any Windows Handles that may be associated with an Action.

addHandleToMap(self, handle_dict, object_dict)
Add a new Handle/Object pairing to the Handle mappings dictionary.

processRegKeys(self, associated_objects_list)
Process any Registry Key associated with an action.

processRegKeyHandle(self, handle_id, current_dict)
Process a Registry Key Handle and return the full key, recursing as necessary.

processAssociatedObject(self, parameter_mapping_dict, parameter_value, associated_object_dict=None)
Process a single Associated Object mapping.

createNestedDict(self, list, value)
Helper function: returns a nested dictionary for an input list.

getParameterValue(self, parameter_list, parameter_name)
Finds and returns an API call parameter value from a list.

createProcessActions(self, process)
Creates the Actions corresponding to the API calls initiated by a process.

mapActionStatus(self, status)

createWinExecFileObj(self)
Creates a Windows Executable File (PE) object for capturing static analysis output.

createFileStringsObj(self)
Creates a File object for capturing strings output.

createFileObj(self, file)
Creates a File object.

addSubjectAttributes(self)
Add Malware Instance Object Attributes to the Malware Subject.

addAnalyses(self)
Adds analysis header.

addDroppedFiles(self)
Adds Dropped files as Objects.

output(self)
Writes report to disk.

Inherited from lib.cuckoo.common.abstracts.Report: __init__, set_options, set_path, set_task

Inherited from object: __delattr__, __format__, __getattribute__, __hash__, __new__, __reduce__, __reduce_ex__, __repr__, __setattr__, __sizeof__, __str__, __subclasshook__

Class Variables

Inherited from lib.cuckoo.common.abstracts.Report: order

Properties

Inherited from object: __class__

Method Details

run(self, results)

Writes report.

Parameters:
  • results - Cuckoo results dict.
Overrides: lib.cuckoo.common.abstracts.Report.run

createActionNet(self, network_data, action_name, layer4_protocol=None, layer7_protocol=None)

Create a network Action.

Returns:
action.

createProcessTreeNode(self, process)

Creates a single ProcessTreeNode corresponding to a single node in the tree observed by Cuckoo.

Parameters:
  • process - process from cuckoo dict.

apiCallToAction(self, call, pos)

Create and return a dictionary representing a MAEC Malware Action.

Parameters:
  • call - the input API call.
  • pos - position of the Action with respect to the execution of the malware.

processActionImplementation(self, call, parameter_list)

Creates a MAEC Action Implementation based on API call input.

Parameters:
  • parameter_list - the input parameter list (from the API call).

processActionArguments(self, parameter_mappings_dict, parameter_list)

Processes a dictionary of parameters that should be mapped to Action Arguments in the Malware Action.

Parameters:
  • parameter_mappings_dict - the input parameter to Arguments mappings.
  • parameter_list - the input parameter list (from the API call).

processActionAssociatedObjects(self, associated_objects_dict, parameter_list)

Processes a dictionary of parameters that should be mapped to Associated Objects in the Action.

Parameters:
  • associated_objects_dict - the input parameter to Associated_Objects mappings.
  • parameter_list - the input parameter list (from the API call).

processWinHandles(self, associated_objects_list)

Process any Windows Handles that may be associated with an Action. Replace Handle references with actual Object, if possible.

Parameters:
  • associated_objects_list - the list of associated_objects processed for the Action.

addHandleToMap(self, handle_dict, object_dict)

Add a new Handle/Object pairing to the Handle mappings dictionary.

Parameters:
  • handle_dict - the dictionary of the Handle to which the object is mapped.
  • object_dict - the dictionary of the object mapped to the Handle.

Returns:
the substituted object dictionary.

processRegKeys(self, associated_objects_list)

Process any Registry Key associated with an action. Special case to handle registry Hives that may refer to Handles.

Parameters:
  • associated_objects_list - the list of associated_objects processed for the Action.

processRegKeyHandle(self, handle_id, current_dict)

Process a Registry Key Handle and return the full key, recursing as necessary.

Parameters:
  • handle_id - the id of the root-level handle.
  • current_dict - the dictionary containing the properties of the current key.

processAssociatedObject(self, parameter_mapping_dict, parameter_value, associated_object_dict=None)

Process a single Associated Object mapping.

Parameters:
  • parameter_mapping_dict - input parameter to Associated Object mapping dictionary.
  • parameter_value - the input parameter value (from the API call).
  • associated_object_dict - optional associated object dict, for special cases.

createNestedDict(self, list, value)

Helper function: returns a nested dictionary for an input list.

Parameters:
  • list - input list.
  • value - value to set the last embedded dictionary item to.

getParameterValue(self, parameter_list, parameter_name)

Finds and returns an API call parameter value from a list.

Parameters:
  • parameter_list - list of API call parameters.
  • parameter_name - name of parameter to return value for.

createProcessActions(self, process)

Creates the Actions corresponding to the API calls initiated by a process.

Parameters:
  • process - process from cuckoo dict.

createFileObj(self, file)

Creates a File object.

Parameters:
  • file - file dict from Cuckoo dict.

Requires: file object.