Merge pull request #403 from MISP/chrisr3d_patch
Malware & Malware Analysis objects
Showing
3 changed files
with
249 additions
and
0 deletions.
@@ -0,0 +1,79 @@ | ||
{ | ||
"attributes": { | ||
"analysis_definition_version": { | ||
"description": "The version of the analysis definitions used by the analysis tool.", | ||
"disable_correlation": true, | ||
"misp-attribute": "text", | ||
"ui-priority": 0 | ||
}, | ||
"analysis_engine_version": { | ||
"description": "The version of the analysis engine or product that was used to perform the analysis.", | ||
"disable_correlation": true, | ||
"misp-attribute": "text", | ||
"ui-priority": 0 | ||
}, | ||
"configuration_version": { | ||
"description": "The named configuration of additional product configuration parameters for this analysis run.", | ||
"disable_correlation": true, | ||
"misp-attribute": "text", | ||
"ui-priority": 0 | ||
}, | ||
"end_time": { | ||
"description": "The date and time that the malware analysis ended.", | ||
"misp-attribute": "datetime", | ||
"ui-priority": 0 | ||
}, | ||
"module": { | ||
"description": "The specific analysis module that was used and configured in the product during this analysis run.", | ||
"misp-attribute": "text", | ||
"multiple": true, | ||
"ui-priority": 0 | ||
}, | ||
"product": { | ||
"description": "The name of the analysis engine or product that was used.", | ||
"misp-attribute": "text", | ||
"ui-priority": 1 | ||
}, | ||
"result": { | ||
"description": "The classification result as determined by the scanner or tool analysis process.", | ||
"disable_correlation": true, | ||
"misp-attribute": "text", | ||
"sane_default": [ | ||
"benign", | ||
"malicious", | ||
"suspicious", | ||
"unknown" | ||
], | ||
"ui-priority": 0 | ||
}, | ||
"result_name": { | ||
"description": "The classification result or name assigned to the malware instance by the scanner tool.", | ||
"misp-attribute": "text", | ||
"ui-priority": 0 | ||
}, | ||
"start_time": { | ||
"description": "The date and time that the malware analysis was initiated.", | ||
"misp-attribute": "datetime", | ||
"ui-priority": 0 | ||
}, | ||
"submitted_time": { | ||
"description": "The date and time that the malware was first submitted for scanning or analysis.", | ||
"misp-attribute": "datetime", | ||
"ui-priority": 0 | ||
}, | ||
"version": { | ||
"description": "The version of the analysis product that was used to perform the analysis.", | ||
"disable_correlation": true, | ||
"misp-attribute": "text", | ||
"ui-priority": 0 | ||
} | ||
}, | ||
"description": "Malware Analysis captures the metadata and results of a particular static or dynamic analysis performed on a malware instance or family.", | ||
"meta-category": "misc", | ||
"name": "malware-analysis", | ||
"required": [ | ||
"product" | ||
], | ||
"uuid": "8229ee82-7218-4ff5-9eac-57961a6f0288", | ||
"version": 1 | ||
} |
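Review bot: The datetime attributes `end_time`, `start_time` and `submitted_time` are left correlating, while the version fields in the same template set `"disable_correlation": true`; the same applies to `first_seen` and `last_seen` in the malware object added in the second file. Two unrelated events whose analyses happened to start or finish in the same second would be linked purely on the timestamp, and `product` has the same problem, since a common engine name would correlate every event that used that scanner. Unless correlation on these values is intended, I would add `"disable_correlation": true,` to each of those attribute definitions. `result_name` probably should keep correlating, as matching detection names across events is a useful pivot.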
@@ -0,0 +1,168 @@ | ||
{ | ||
"attributes": { | ||
"alias": { | ||
"description": "Alternative name used to identify this malware or malware family.", | ||
"misp-attribute": "text", | ||
"multiple": true, | ||
"ui-priority": 0 | ||
}, | ||
"architecture_execution_env": { | ||
"description": "The processor architecture that the malware instance or family is executable on.", | ||
"disable_correlation": true, | ||
"misp-attribute": "text", | ||
"multiple": true, | ||
"sane_default": [ | ||
"alpha", | ||
"arm", | ||
"ia-64", | ||
"mips", | ||
"powerpc", | ||
"sparc", | ||
"x86", | ||
"x86-64" | ||
], | ||
"ui-priority": 0 | ||
}, | ||
"capability": { | ||
"description": "Any of the capabilities identified for the malware instance or family.", | ||
"disable_correlation": true, | ||
"misp-attribute": "text", | ||
"multiple": true, | ||
"sane_default": [ | ||
"accesses-remote-machines", | ||
"anti-debugging", | ||
"anti-disassembly", | ||
"anti-emulation", | ||
"anti-memory-forensics", | ||
"anti-sandbox", | ||
"anti-vm", | ||
"captures-input-peripherals", | ||
"captures-output-peripherals", | ||
"captures-system-state-data", | ||
"cleans-traces-of-infection", | ||
"commits-fraud", | ||
"communicates-with-c2", | ||
"compromises-data-availability", | ||
"compromises-data-integrity", | ||
"compromises-system-availability", | ||
"controls-local-machine", | ||
"degrades-security-software", | ||
"degrades-system-updates", | ||
"determines-c2-server", | ||
"emails-spam", | ||
"escalates-privileges", | ||
"evades-av", | ||
"exfiltrates-data", | ||
"fingerprints-host", | ||
"hides-artifacts", | ||
"hides-executing-code", | ||
"infects-files", | ||
"infects-remote-machines", | ||
"installs-other-components", | ||
"persists-after-system-reboot", | ||
"prevents-artifact-access", | ||
"prevents-artifact-deletion", | ||
"probes-network-environment", | ||
"self-modifies", | ||
"steals-authentication-credentials", | ||
"violates-system-operational-integrity" | ||
], | ||
"ui-priority": 0 | ||
}, | ||
"description": { | ||
"description": "A description that provides more details and context about the malware instance or family, potentially including its purpose and its key characteristics.", | ||
"misp-attribute": "text", | ||
"ui-priority": 0 | ||
}, | ||
"first_seen": { | ||
"description": "The time that the malware instance or family was first seen.", | ||
"misp-attribute": "datetime", | ||
"ui-priority": 0 | ||
}, | ||
"implementation_language": { | ||
"description": "The programming language used to implement the malware instance or family.", | ||
"disable_correlation": true, | ||
"misp-attribute": "text", | ||
"multiple": true, | ||
"sane_default": [ | ||
"applescript", | ||
"bash", | ||
"c", | ||
"c++", | ||
"c#", | ||
"go", | ||
"java", | ||
"javascript", | ||
"lua", | ||
"objective-c", | ||
"perl", | ||
"php", | ||
"powershell", | ||
"python", | ||
"ruby", | ||
"scala", | ||
"swift", | ||
"typescript", | ||
"visual-basic", | ||
"x86-32", | ||
"x86-64" | ||
], | ||
"ui-priority": 0 | ||
}, | ||
"is_family": { | ||
"description": "Defines whether the object represents a malware family or a malware instance.", | ||
"disable_correlation": true, | ||
"misp-attribute": "boolean", | ||
"ui-priority": 1 | ||
}, | ||
"last_seen": { | ||
"description": "The time that the malware family or malware instance was last seen.", | ||
"misp-attribute": "datetime", | ||
"ui-priority": 0 | ||
}, | ||
"malware_type": { | ||
"description": "A set of categorizations for the malware being described.", | ||
"disable_correlation": true, | ||
"misp-attribute": "text", | ||
"multiple": true, | ||
"sane_default": [ | ||
"adware", | ||
"backdoor", | ||
"bot", | ||
"bootkit", | ||
"ddos", | ||
"downloader", | ||
"dropper", | ||
"exploit-kit", | ||
"keylogger", | ||
"ransomware", | ||
"remote-access-trojan", | ||
"resource-exploitation", | ||
"rogue-security-software", | ||
"rootkit", | ||
"screen-capture", | ||
"spyware", | ||
"trojan", | ||
"unknown", | ||
"virus", | ||
"webshell", | ||
"wiper", | ||
"worm" | ||
], | ||
"ui-priority": 0 | ||
}, | ||
"name": { | ||
"description": "A name used to identify the malware instance or family. For a malware family the name MUST be defined. If a name for a malware instance is not available, the SHA-256 hash value or sample's filename MAY be used instead.", | ||
"misp-attribute": "text", | ||
"ui-priority": 0 | ||
} | ||
}, | ||
"description": "Malware is a type of TTP that represents malicious code.", | ||
"meta-category": "misc", | ||
"name": "malware", | ||
"required": [ | ||
"is_family" | ||
], | ||
"uuid": "e5ad1d64-4b4e-44f5-9e00-88a705a67f9d", | ||
"version": 1 | ||
} |
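Review bot: The `name` description states that for a malware family the name MUST be defined, but the template only enforces `"required": ["is_family"]`, so a family object with neither `name` nor `alias` still validates. A MISP template cannot express a conditional requirement, but adding `"requiredOneOf": ["name", "alias"]` next to `required` would at least guarantee that every object carries an identifier. Whichever is chosen, the description text on `name` should match what the template actually enforces, otherwise consumers will assume a guarantee the data does not provide.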