static_triage_example.json is invalid

[chisholm]

• The subsystem_hex property of the windows-pebinary-ext extension must have hex-encoded binary, but the actual value was the string "Windows_GUI". I just ascii-encoded that string and then hex-encoded the result.

• file SCO "2" is missing name/hash properties. This content seems to represent static analysis of the file represented by SCO "0". The analysis results are represented by file SCO "2". Since results "2" are about file "0", it seems like the same properties from "0" should apply to "2". So I just copied the name/hashes/size properties over.

This example translates now, but stix2 still won't parse it because it doesn't recognize the x-maec-packer-list extension.

[clenk]

Looking at https://docs.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-image_optional_header32 it seems that the hex value for Windows_GUI should be 2.

Replicating the name/hash makes sense to me since they're representing the same file.

[chisholm]

Well that looks even better! Fixed.