Malware Characterization using MAEC


Analyzing malware behavior is an important part of any threat intelligence organization's job. The results of this analysis, whether from automated tools (static or dynamic analysis) or from manual human analysis, can be captured in a structured format called MAEC (Malware Attribute Enumeration and Characterization). MAEC is a language, similar to STIX, used to describe malware from the very low technical level (individual actions and artifacts) up to the more abstract contextual levels of behaviors and capabilities. When representing threat intelligence in STIX, it can be useful to include a full representation of the malware's behavior in MAEC in order to share it with other parties or to relate that behavior to other pieces of intelligence in STIX.

For more information, see the whitepaper the STIX and MAEC teams developed on characterizing malware across MAEC and STIX.

Scenario

In this scenario, the STIX content describes a particular variant of Poison Ivy by giving it a name, a type, and a full characterization in MAEC.

Data model

Malware characterization in MAEC

The portion of the TTP data model used to represent malware is MalwareInstanceType, which appears as a list of Malware_Instance fields inside the TTP's BehaviorType structure.

MalwareInstanceType is a STIX extension point: it can be used as-is to represent basic information (name, type) about malware, or it can be extended to carry a full malware characterization. The default extension STIX provides is MAEC4.1InstanceType, which embeds MAEC content to characterize the malware. The extension is selected through the xsi:type attribute on the Malware_Instance element, so a consumer that does not understand the extension still sees the base Name and Type fields but does not see the embedded MAEC content.

Implementation

<stix:TTP xsi:type="ttp:TTPType" id="example:ttp-7d9fe1f7-429d-077e-db51-92c70b8da45a">
    <ttp:Title>Poison Ivy Variant v4392-acc</ttp:Title>
    <ttp:Behavior>
        <ttp:Malware>
            <ttp:Malware_Instance xsi:type="stix-maec:MAEC4.1InstanceType">
                <ttp:Type xsi:type="stixVocabs:MalwareTypeVocab-1.0">Remote Access Trojan</ttp:Type>
                <ttp:Name>Poison Ivy Variant v4392-acc</ttp:Name>
                <stix-maec:MAEC>
                    <!-- MAEC Content Here -->
                </stix-maec:MAEC>
            </ttp:Malware_Instance>
        </ttp:Malware>
    </ttp:Behavior>
</stix:TTP>
from stix.ttp import TTP, Behavior
from stix.extensions.malware.maec_4_1_malware import MAECInstance

# MAECInstance is python-stix's MAEC4.1InstanceType extension of MalwareInstanceType:
# it carries the base Name and Type fields plus the embedded MAEC content.
maec_malware_instance = MAECInstance()
maec_malware_instance.add_name("Poison Ivy Variant v4392-acc")
maec_malware_instance.add_type("Remote Access Trojan")
# Assign the MAEC content as an etree element (placeholder left as in the idiom).
maec_malware_instance.maec = __INSERT_MAEC_ETREE_HERE__

ttp = TTP(title="Poison Ivy Variant v4392-acc")
ttp.behavior = Behavior()
ttp.behavior.add_malware_instance(maec_malware_instance)

print(ttp.to_xml(encoding=None))
import sys
from stix.core import STIXPackage

# Load the STIX package to inspect; its path is taken from the command line.
pkg = STIXPackage.from_xml(sys.argv[1])

print("== TTP ==")
for tactic in pkg.ttps:
    print("---")
    print("Title: " + tactic.title)
    if not tactic.behavior:
        continue  # a TTP need not carry a Behavior at all
    for sample in tactic.behavior.malware_instances:
        print("Malware: " + str(sample.names[0]))
        print("Type: " + str(sample.types[0]))
        # Only the MAEC4.1InstanceType extension has a maec attribute; an
        # unextended MalwareInstance does not, so do not assume it exists.
        if getattr(sample, "maec", None):
            print("Contains embedded MAEC content")
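The consumer above depends on python-stix, which resolves the extension point for you. As an added example (not part of this idiom or of the python-stix project), the following stdlib-only script shows what that resolution involves: it records the document's xmlns declarations, resolves the xsi:type QName on each Malware_Instance against them, and only then looks for the stix-maec:MAEC element. The sample package, its made-up package id and the second, unextended TTP are constructed here; only the first TTP is the idiom's own XML.

```python
import io
import xml.etree.ElementTree as ET

# STIX 1.x namespace URIs for the elements used in this idiom.
STIX_NS = "http://stix.mitre.org/stix-1"
TTP_NS = "http://stix.mitre.org/TTP-1"
XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"
MAEC_EXT_NS = "http://stix.mitre.org/extensions/Malware#MAEC4.1-1"
MAEC_EXT_TYPE = "MAEC4.1InstanceType"
NSMAP = {"stix": STIX_NS, "ttp": TTP_NS}

# Constructed sample, not a real feed: the idiom's TTP wrapped in a STIX_Package (the
# package id is made up), plus a second TTP whose Malware_Instance uses
# MalwareInstanceType as-is, with no xsi:type and no MAEC content.
SAMPLE_XML = """<stix:STIX_Package
    xmlns:stix="http://stix.mitre.org/stix-1"
    xmlns:ttp="http://stix.mitre.org/TTP-1"
    xmlns:stix-maec="http://stix.mitre.org/extensions/Malware#MAEC4.1-1"
    xmlns:stixVocabs="http://stix.mitre.org/default_vocabularies-1"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:example="http://example.com/"
    id="example:package-00000000-0000-0000-0000-000000000000">
  <stix:TTPs>
    <stix:TTP xsi:type="ttp:TTPType" id="example:ttp-7d9fe1f7-429d-077e-db51-92c70b8da45a">
      <ttp:Title>Poison Ivy Variant v4392-acc</ttp:Title>
      <ttp:Behavior>
        <ttp:Malware>
          <ttp:Malware_Instance xsi:type="stix-maec:MAEC4.1InstanceType">
            <ttp:Type xsi:type="stixVocabs:MalwareTypeVocab-1.0">Remote Access Trojan</ttp:Type>
            <ttp:Name>Poison Ivy Variant v4392-acc</ttp:Name>
            <stix-maec:MAEC>
              <!-- MAEC Content Here -->
            </stix-maec:MAEC>
          </ttp:Malware_Instance>
        </ttp:Malware>
      </ttp:Behavior>
    </stix:TTP>
    <stix:TTP xsi:type="ttp:TTPType" id="example:ttp-00000000-0000-0000-0000-000000000001">
      <ttp:Title>Unextended malware instance (constructed)</ttp:Title>
      <ttp:Behavior>
        <ttp:Malware>
          <ttp:Malware_Instance>
            <ttp:Type xsi:type="stixVocabs:MalwareTypeVocab-1.0">Remote Access Trojan</ttp:Type>
            <ttp:Name>Constructed RAT sample</ttp:Name>
          </ttp:Malware_Instance>
        </ttp:Malware>
      </ttp:Behavior>
    </stix:TTP>
  </stix:TTPs>
</stix:STIX_Package>
"""


def _collect_namespace_declarations(xml_bytes):
    """Map prefix -> URI for every xmlns declaration in the document.

    ElementTree discards the prefixes the producer used, but an xsi:type value is a
    QName whose prefix only means something relative to those declarations. A prefix
    bound to two different URIs in one document would need scope tracking, so it is
    rejected rather than silently resolved with the wrong URI.
    """
    prefixes = {}
    for _event, (prefix, uri) in ET.iterparse(io.BytesIO(xml_bytes), events=("start-ns",)):
        if prefixes.get(prefix, uri) != uri:
            raise ValueError("namespace prefix %r rebound to %r" % (prefix, uri))
        prefixes[prefix] = uri
    return prefixes


def _resolve_qname(qname, prefixes):
    """Split 'prefix:Local' into (namespace URI, Local) using the document's declarations."""
    prefix, _sep, local = qname.rpartition(":")
    if prefix not in prefixes:
        raise ValueError("undeclared prefix in xsi:type %r" % qname)
    return prefixes[prefix], local


def extract_malware_instances(xml_text):
    """Return one record per ttp:Malware_Instance found in every stix:TTP of a package."""
    data = xml_text.encode("utf-8")
    prefixes = _collect_namespace_declarations(data)
    root = ET.fromstring(data)
    records = []
    for ttp in root.iter("{%s}TTP" % STIX_NS):
        title = ttp.findtext("ttp:Title", default="", namespaces=NSMAP)
        for inst in ttp.iterfind("ttp:Behavior/ttp:Malware/ttp:Malware_Instance", NSMAP):
            xsi_type = inst.get("{%s}type" % XSI_NS)
            ext = _resolve_qname(xsi_type, prefixes) if xsi_type else None
            is_maec = ext == (MAEC_EXT_NS, MAEC_EXT_TYPE)
            # Only look for the extension's own element once xsi:type says it is there.
            # The idiom's comment-only placeholder parses as an empty MAEC element.
            maec = inst.find("{%s}MAEC" % MAEC_EXT_NS) if is_maec else None
            records.append({
                "ttp_id": ttp.get("id"),
                "title": title,
                "name": inst.findtext("ttp:Name", default="", namespaces=NSMAP),
                "type": inst.findtext("ttp:Type", default="", namespaces=NSMAP),
                "extension": ext,
                "is_maec": is_maec,
                "has_maec_element": maec is not None,
                "maec_child_count": len(maec) if maec is not None else 0,
            })
    return records


if __name__ == "__main__":
    for rec in extract_malware_instances(SAMPLE_XML):
        print("%-45s name=%-30s maec=%s" % (rec["title"], rec["name"], rec["is_maec"]))
```

Resolving the QName matters because the prefix is the producer's choice: a package that declares the same extension namespace as `xmlns:m` and writes `xsi:type="m:MAEC4.1InstanceType"` is equivalent, and a consumer that string-matches `stix-maec:` would treat it as an unextended instance and drop the MAEC content. Packages from sharing partners are untrusted input; this example uses the standard-library parser for brevity, while a production consumer should parse with defusedxml or an equivalently hardened parser.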

Further Reading

An example of using this type of structure in another context is found in the malware hash idiom. The simple representation described there could be replaced with a full MAEC characterization as described here.