This software allows for the conversion, extraction, and transformation of malware behavior data from "Malware Configuration And Payload Extraction" (CAPEv2) sandbox reports, to Structured Threat Information eXpression (STIX). This allows for further analysis to be performed, sharing of threat data, and transit to a graph database.
License: BSD 3-Clause "New" or "Revised" License
WARNING: The script pkginfo is installed in '/home/jack/.local/bin' which is not on PATH.
Consider adding this directory to PATH or, if you prefer to suppress this warning, use --no-warn-script-location.
WARNING: The script dulwich is installed in '/home/jack/.local/bin' which is not on PATH.
Consider adding this directory to PATH or, if you prefer to suppress this warning, use --no-warn-script-location.
WARNING: The script doesitcache is installed in '/home/jack/.local/bin' which is not on PATH.
Consider adding this directory to PATH or, if you prefer to suppress this warning, use --no-warn-script-location.
WARNING: The script virtualenv is installed in '/home/jack/.local/bin' which is not on PATH.
Consider adding this directory to PATH or, if you prefer to suppress this warning, use --no-warn-script-location.
WARNING: The script keyring is installed in '/home/jack/.local/bin' which is not on PATH.
Consider adding this directory to PATH or, if you prefer to suppress this warning, use --no-warn-script-location.
WARNING: The script pyproject-build is installed in '/home/jack/.local/bin' which is not on PATH.
Consider adding this directory to PATH or, if you prefer to suppress this warning, use --no-warn-script-location.
WARNING: The script jsonschema is installed in '/home/jack/.local/bin' which is not on PATH.
Consider adding this directory to PATH or, if you prefer to suppress this warning, use --no-warn-script-location.
WARNING: The script poetry is installed in '/home/jack/.local/bin' which is not on PATH.
Consider adding this directory to PATH or, if you prefer to suppress this warning, use --no-warn-script-location.
Successfully installed attrs-23.1.0 build-0.10.0 cachecontrol-0.12.14 cleo-2.0.1 crashtest-0.4.1 distlib-0.3.7 dulwich-0.21.5 filelock-3.12.2 html5lib-1.1 importlib-metadata-6.8.0 installer-0.7.0 jaraco.classes-3.3.0 jsonschema-4.19.0 jsonschema-specifications-2023.7.1 keyring-23.13.1 lockfile-0.12.2 msgpack-1.0.5 packaging-23.1 pkginfo-1.9.6 platformdirs-3.10.0 poetry-1.5.1 poetry-core-1.6.1 poetry-plugin-export-1.4.0 pyproject-hooks-1.0.0 rapidfuzz-2.15.1 referencing-0.30.2 requests-toolbelt-1.0.0 rpds-py-0.9.2 shellingham-1.5.0.post1 tomli-2.0.1 tomlkit-0.12.1 trove-classifiers-2023.8.7 virtualenv-20.24.3 webencodings-0.5.1
usermod: group 'qemu' does not exist
"./packer_templates": stat ./packer_templates: no such file or directory
Please reboot after this
Might need to remove this as it's nothing more difficult than a single query match, but file hashes are a common observable that is used in threat intelligence. I do not believe there is a way to compare file hashes for similarity within Neo4J. In fact I believe similarity comparison for file hashes they would have to be of a certain type (not MD5). @RCooley might be able to give insight.Summary - Answering this question would tell us if this binary is considered ransomware.
Query -
Picture of Graph -
Picture of Table -
Might need to remove this as it's nothing more difficult than a single query match, but file hashes are a common observable that is used in threat intelligence. I do not believe there is a way to compare file hashes for similarity within Neo4J. In fact I believe similarity comparison for file hashes they would have to be of a certain type (not MD5). @Rcooley might be able to give insight.
MITRE deprecated some Techniques, so they no longer exist in the STIX we're pulling from, however CAPEv2 still recongnizes them, we may need to auto-adjust those T####'s to a valid replacement.
If tlsh hash is not in cape report, tlsh key needs to be removed from the dictionary of hashes
[ ] - Files dropped by malware should be in a different category than reads/writes/deletes.
[ ] - System calls aren't terribly important. We would want to encapsulate them inside a dictionary. However, if we get dictionaries that are megs big, we wouldn't want them
ERROR:root:'target'
Traceback (most recent call last):
cape2stix/cape2stix/scripts/convert.py", line 188, in convert
if self.content["target"]["category"] == "file": # NOTE: i don't have enough reports to test if this will ever not be true;this is for safety -wb
KeyError: 'target'
CRITICAL:root:File failed to convert:
MATCH (m:malware) -[n]-> (r:windows-registry-key WHERE r.key =~ '.CurrentVersion\\Run\\.' OR r.key =~ '.CurrentVersion\\RunOnce\\.') RETURN m,r
Add the following
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
Django
The Web framework for perfectionists with deadlines.
Laravel
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. ๐๐๐
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft
Open source projects and samples from Microsoft.
Google
Google โค๏ธ Open Source for everyone.
Alibaba
Alibaba Open Source for everyone
D3
Data-Driven Documents codes.
Tencent
China tencent open source team.