This Idiom describes the process of capturing results of in-depth malware analysis, such as that which characterizes the capabilities or behaviors exhibited by the malware.
In this scenario, a malicious PE binary has been manually analyzed through the use of a disassembler tool. As part of this analysis, it has been discovered that the malware instance contains a keylogging capability, as well as a Windows-hook based behavior that functions as the implementation of this capability.
The following are the important MAEC data model constructs used in this idiom:
As with many of the other Idioms, the first step is to create a MAEC Package with a Malware Subject for capturing the information about the malware instance being analyzed. We should also add an Analysis entity to the Malware Subject to capture some details relating the particular analysis that we’re performing. The information on this process is not covered in this idiom, but can be found in the corresponding Creating a MAEC Package and Capturing Analysis Metadata idioms.
Next, a MAEC Bundle is created. Once created, we must set the content_type attribute on the Bundle to define the type of content that it is characterizing. In this case, since we’re capturing the output of manual analysis that was performed on the binary, we should set it to a value of
manual analysis output. This is one of the values contained in the BundleContentTypeEnum enumeration used by this field. Finally, we should set the defined_subject attribute on the Bundle to a value of
false, since this Bundle will be contained in a Malware Subject, which has already defined the particular malware instance being characterized.
Now that we’ve set up the Bundle that will capture the higher-level analysis results, we can begin to populate it with these results. Since we’re capturing a malware capability and behavior in our example scenario, we’ll use the corresponding MAEC Capability and Behavior entities. First, let’s discuss the steps involved in capturing the Windows-hook based behavior that serves as the implementation of the keylogging capability:
Next, let’s explore the steps involved in capturing the keylogging capability; as seen below, this is quite similar to the steps for capturing the details of the behavior:
MalwareCapabilityEnum-1.0enumeration that captures a set of high-level malware capabilities such as persistence, command and control, etc. As of MAEC v4.1, we’ve defined an initial set of these capabilities, along with their children that we refer to as “objectives” (see the full hierarchy here). In this case, keylogging refers to an objective that falls under the spying capability, so we would set the name attribute to a value of
capture keyboard input, and accordingly we’ll need to set the xsi:type attribute on this field to a value of
SpyingTacticalObjectivesVocab-1.0, since it is found in the Spying Tactical Objectives Vocabulary.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 <maecBundle:Capabilities> <maecBundle:Capability id="example:capability-dc4a7c3a-4c54-45f5-8110-7e4fcee3b462" name="spying"> <maecBundle:Tactical_Objective id="example:tactical_objective-065bee75-5e43-4c66-918a-57eba1dab08c"> <maecBundle:Name xsi:type="maecVocabs:SpyingTacticalObjectivesVocab-1.0">capture keyboard input</maecBundle:Name> <maecBundle:Behavior_Reference behavior_idref="example:behavior-cfb4d731-c6e2-4c8e-808d-111e1ba66962"/> </maecBundle:Tactical_Objective> </maecBundle:Capability> </maecBundle:Capabilities> <maecBundle:Behaviors> <maecBundle:Behavior id="example:behavior-cfb4d731-c6e2-4c8e-808d-111e1ba66962"> <maecBundle:Action_Composition> <maecBundle:Action_Reference action_id="example:action-a48e58bb-f35d-4bf6-bb16-0e74061ac47e"/> </maecBundle:Action_Composition> </maecBundle:Behavior> </maecBundle:Behaviors>
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 # Create the behavior bhv = Behavior() bhv.action_composition = BehavioralActions() bhv.action_composition.action_reference = [BehavioralActionReference()] bhv.action_composition.action_reference.action_id = act.id_ # Create the capability cap = Capability() cap.name = "spying" obj = CapabilityObjective() obj.name = VocabString() obj.name.value = "capture keyboard input" obj.name.xsi_type = "maecVocabs:SpyingTacticalObjectivesVocab-1.0" obj.behavior_reference = [BehaviorReference()] obj.behavior_reference.behavior_idref = bhv.id_ cap.add_tactical_objective(obj)