Capturing Related Malware

This Idiom describes the process of characterizing multiple malware instances and the relationships between them, which can be useful for capturing multi-partite malware or malware that belongs to the same family, for instance.

Scenario

In this scenario, we execute a particular malware instance m1 and observe that it functions as a dropper; in turn, the malware instance that it drops, m2, functions as a downloader and downloads two additional malware instances, m3 and m4. Thus, we wish to capture the identities of these malware instances along with the relationships between them.

Data model

The following are the important MAEC data model constructs used in this idiom:

Process

As with many of the other Idioms, the first step is to create a MAEC Package with a Malware Subject for each of the malware instances that are being captured. Thus, we would create a Malware Subject for each of the four malware instances (m1, m2, m3, and m4) that were observed. The information on this process is not covered in this idiom, but can be found in the corresponding Creating a MAEC Package idiom.

Malware Subject –> Malware Subject Relationships

With each of the Malware Subjects created, the next step is to capture the relationships between them. Let’s start with the relationship between the first malware instance (m1) and the instance that it drops (m2):

  1. The first step in this process is to look in MAEC’s vocabularies and find the relationship that captures the fact that m1 drops m2, and also its inverse, due to the fact that relationships are defined separately on each Malware Subject. Thus, looking at the Malware Subject Relationship Vocabulary, we see that it contains the entries of drops and also its inverse, dropped by, which correspond to the exact relationships that we wish to capture.
  2. With the particular relationship values defined, the next step is to define the construct that captures them in their respective Malware Subjects. Thus, we first need to add a relationship to m1 for describing the fact that it drops m2. This is done by adding the Relationships list-type field to the Malware Subject that characterizes m1. Inside of this Relationships field, we’ll add a single Relationship entry for capturing the relationship itself.
  3. With the Relationship entry added, there are two fields inside of it that we need to populate: Type and Malware_Subject_Reference. The Type field simply captures the nature of the relationship that we’re conveying, so we’ll set it to a value of drops and set its xsi:type attribute to a value of MalwareSubjectRelationshipTypeVocab-1.1 to indicate that we’re using the Malware Subject Relationship Vocabulary. Finally, we’ll set the @malware_subject_idref attribute in the Malware_Subject_Reference field to the ID of the Malware Subject that the relationship points to, so in this case the ID of the Malware Subject that characterizes m2.
  4. Now that we’ve added the relationship for capturing the “drops” relationship between m1 and m2 (i.e., m1 -> m2), we need to add the inverse dropped by relationship (i.e., m2 -> m1) to m2. This can be accomplished by repeating steps 2-3 for m2 and the relationship value of dropped by.

Adding the relationships between m2 and m3 as well as m2 and m4 can be accomplished in much the same manner. In these cases, the only difference besides the different Malware Subjects that the relationships will be added to is that the relationship value and its inverse will be downloads and downloaded by, respectively.
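Because each direction of a relationship is recorded separately on its own Malware Subject, a Package can end up with a "drops" that has no matching "dropped by", or with an idref that points at no Malware Subject at all. As an added example (not part of this idiom or of the python-maec library), the standard-library Python below builds a minimal Package from the scenario above and then checks exactly those two properties; the namespace URI, the example: IDs and the omission of object attributes and xsi:type are assumptions, while the inverse pairs are the vocabulary entries named above.

```python
import xml.etree.ElementTree as ET

# MAEC Package namespace (assumed to match MAEC 4.1; only self-consistency matters here)
MP = "http://maec.mitre.org/XMLSchema/maec-package-2"
INVERSE = {"drops": "dropped by", "dropped by": "drops",
           "downloads": "downloaded by", "downloaded by": "downloads"}

def build_package(subjects):
    """Build a minimal Package; subjects maps Malware Subject id -> [(type, target_id), ...]."""
    pkg = ET.Element(f"{{{MP}}}MAEC_Package", id="example:package-1")
    subj_list = ET.SubElement(pkg, f"{{{MP}}}Malware_Subjects")
    for sid, rels in subjects.items():
        ms = ET.SubElement(subj_list, f"{{{MP}}}Malware_Subject", id=sid)
        rel_list = ET.SubElement(ms, f"{{{MP}}}Relationships")
        for rtype, target in rels:
            rel = ET.SubElement(rel_list, f"{{{MP}}}Relationship")
            ET.SubElement(rel, f"{{{MP}}}Type").text = rtype
            ET.SubElement(rel, f"{{{MP}}}Malware_Subject_Reference",
                          malware_subject_idref=target)
    return ET.tostring(pkg, encoding="unicode")

def check_relationships(xml_text):
    """Return problems: dangling idrefs, and relationships whose inverse is missing on the target."""
    ns = {"mp": MP}
    root = ET.fromstring(xml_text)
    ids, edges = set(), set()          # edges hold (source_id, type, target_id)
    for ms in root.findall(".//mp:Malware_Subject", ns):
        ids.add(ms.get("id"))
        for rel in ms.findall("mp:Relationships/mp:Relationship", ns):
            rtype = rel.findtext("mp:Type", namespaces=ns)
            for ref in rel.findall("mp:Malware_Subject_Reference", ns):
                edges.add((ms.get("id"), rtype, ref.get("malware_subject_idref")))
    problems = []
    for src, rtype, dst in sorted(edges):
        if dst not in ids:
            problems.append(f"{src}: '{rtype}' references unknown subject {dst}")
        elif rtype in INVERSE and (dst, INVERSE[rtype], src) not in edges:
            problems.append(f"{dst} lacks the inverse '{INVERSE[rtype]}' of {src}'s '{rtype}'")
    return problems

# Constructed scenario from this idiom: m1 drops m2; m2 downloads m3 and m4.
# m4 deliberately lacks its "downloaded by" relationship so the check has something to report.
M1, M2, M3, M4 = ("example:malware_subject-m%d" % i for i in range(1, 5))
SCENARIO = {
    M1: [("drops", M2)],
    M2: [("dropped by", M1), ("downloads", M3), ("downloads", M4)],
    M3: [("downloaded by", M2)],
    M4: []}

if __name__ == "__main__":
    print(check_relationships(build_package(SCENARIO)))
```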

Grouping Relationships

Besides directional relationships between individual Malware Subjects, MAEC also supports capturing a more general, grouping relationship that relates all of the Malware Subjects in a Package. This can be achieved via use of the Grouping_Relationships field on the Package, which is a list type that can capture multiple Grouping Relationship entities. Each Grouping Relationship includes a Type field for capturing the nature of the grouping relationship, along with other fields for capturing details of specific types of grouping relationships.

In the case of this example scenario, we can use a grouping relationship to describe the broader relationship between the malware instances that we’re characterizing. Specifically, since these malware instances were all seen together during the analysis, we can use the observed together relationship from the Grouping Relationship Vocabulary to state this fact. Thus, we’ll add a Grouping Relationship instance to the Grouping_Relationships field at the root level of the Package. Inside this instance, the Type field captures the nature of the grouping relationship that we’re conveying, so we’ll set it to a value of observed together and set its xsi:type attribute to a value of GroupingRelationshipTypeVocab-1.0 to indicate that we’re using the Malware Grouping Relationship Vocabulary.

XML

<maecPackage:Malware_Subject id="example:malware_subject-320e597e-3c62-48da-9fd5-e6bd0c47a094">
  <maecPackage:Malware_Instance_Object_Attributes>
    <cybox:Properties xsi:type="WinExecFileObj:WindowsExecutableFileObjectType">
      <FileObj:File_Name>dg003_improve_8080_V132.exe</FileObj:File_Name>
      <FileObj:Size_In_Bytes>196608</FileObj:Size_In_Bytes>
      <FileObj:Hashes>
        <cyboxCommon:Hash>
          <cyboxCommon:Type xsi:type="cyboxVocabs:HashNameVocab-1.0">MD5</cyboxCommon:Type>
          <cyboxCommon:Simple_Hash_Value>4EC0027BEF4D7E1786A04D021FA8A67F</cyboxCommon:Simple_Hash_Value>
        </cyboxCommon:Hash>
      </FileObj:Hashes>
    </cybox:Properties>
  </maecPackage:Malware_Instance_Object_Attributes>
   
  <maecPackage:Relationships>
    <maecPackage:Relationship>
      <maecPackage:Type xsi:type="maecVocabs:MalwareSubjectRelationshipTypeVocab-1.0">drops</maecPackage:Type>
      <maecPackage:Malware_Subject_Reference malware_subject_idref="example:malware_subject-75ebd4ad-dd94-4e67-8fdb-8f1630d736ec"/>
    </maecPackage:Relationship>
  </maecPackage:Relationships>
</maecPackage:Malware_Subject>

Full XML

Python

# Imports from python-maec and python-cybox needed by this snippet
from maec.package.malware_subject import (MalwareSubject, MalwareSubjectRelationship,
                                          MalwareSubjectRelationshipList,
                                          MalwareSubjectReference)
from cybox.common import VocabString

# ms1 and ms2 are the Malware Subjects for m1 and m2, created as described in the
# Creating a MAEC Package idiom (a Malware Subject gets a generated ID when none is given)
ms1 = MalwareSubject()
ms2 = MalwareSubject()

# Add the relationships between the Malware Subjects
# Add the ms1 -> ms2 "drops" relationship
ms1.relationships = MalwareSubjectRelationshipList()
ms1_ms2_rel = MalwareSubjectRelationship()
ms1_ms2_rel.type_ = VocabString()
ms1_ms2_rel.type_.value = "drops"
ms1_ms2_rel.type_.xsi_type = "maecVocabs:MalwareSubjectRelationshipTypeVocab-1.0"
ms1_ms2_rel.malware_subject_reference = [MalwareSubjectReference()]
ms1_ms2_rel.malware_subject_reference[0].malware_subject_idref = ms2.id_
ms1.relationships.append(ms1_ms2_rel)
# Add the inverse ms2 -> ms1 "dropped by" relationship on ms2
ms2.relationships = MalwareSubjectRelationshipList()
ms2_ms1_rel = MalwareSubjectRelationship()
ms2_ms1_rel.type_ = VocabString()
ms2_ms1_rel.type_.value = "dropped by"
ms2_ms1_rel.type_.xsi_type = "maecVocabs:MalwareSubjectRelationshipTypeVocab-1.0"
ms2_ms1_rel.malware_subject_reference = [MalwareSubjectReference()]
ms2_ms1_rel.malware_subject_reference[0].malware_subject_idref = ms1.id_
ms2.relationships.append(ms2_ms1_rel)

Full Python

Further Reading