malware-instance.json
{
"$schema": "http://json-schema.org/draft-04/schema#",
"definitions": {
"malware-instance": {
"title": "MalwareInstance",
"type": "object",
"description": "A Malware Instance can be thought of as a single member of a Malware Family that is typically packaged as a binary.",
"properties": {
"type": {
"type": "string",
"enum": ["malware-instance"]
},
"id": {
"type": "string",
"description": "Specifies a unique ID for this Malware Instance."
},
"instance_object_refs": {
"type": "array",
"items": {"type": "string"},
"description": "References the Cyber Observable Objects that characterize the packaged code (typically a binary) associated with the Malware Instance Object. For most use cases, the object referenced SHOULD be of STIX Cyber Observable type file. Objects referenced MUST be specified in the observable_objects property of the Package."
},
"name": {
"$ref": "name.json#/definitions/name",
"description": "Captures the name of the malware instance characterized by the Malware Instance. These names are assigned by the producer of the MAEC document and may come from various sources, including an analyst or a tool (e.g., an AV classification tool)."
},
"aliases": {
"type": "array",
"items": {"$ref": "name.json#/definitions/name"},
"description": "Captures any aliases for the malware instance name associated with the Malware Instance, as reported by sources other than the producer of the MAEC document (e.g., AV vendors)."
},
"labels": {
"type": "array",
"items": {"type": "string"},
"description": "Specifies commonly accepted labels used to describe the Malware Instance, e.g. “worm”. The values for this property SHOULD come from the malware-label-ov vocabulary."
},
"description": {
"type": "string",
"description": "Captures a basic, textual description of the Malware Instance."
},
"field_data":{
"$ref": "field-data.json#/definitions/field-data",
"description": "Specifies general metadata about the Malware Instance (e.g. first seen and last seen dates)."
},
"os_execution_envs": {
"type": "array",
"items": {"type": "string"},
"description": "Specifies the operating systems that the Malware Instance executes on. The values for this property SHOULD come from the operating-system-ov vocabulary."
},
"architecture_execution_envs": {
"type": "array",
"items":{"type": "string"},
"description": "Specifies the processor architectures that the Malware Instance executes on. The values for this property SHOULD come from the processor-architecture-ov vocabulary."
},
"capabilities":{
"type": "array",
"items":{"$ref": "capability.json#/definitions/capability"},
"description": "Specifies a set of one or more Capabilities possessed by the Malware Instance."
},
"os_features":{
"type": "array",
"items":{"type": "string"},
"description": "Specifies any operating-system-specific features used by the Malware Instance. Each item in the list specifies a single feature. The values for this property SHOULD come from the os-features-android-ov, os-features-ios-ov, os-features-linux-ov, os-features-macosx-ov or os-features-windows-ov vocabularies."
},
"dynamic_features":{
"$ref": "dynamic-features.json#/definitions/dynamic-features",
"description": "Captures features associated with the semantics of the code executed by the Malware Instance. Note that DynamicFeaturesType captures multiple features."
},
"static_features":{
"$ref": "static-features.json#/definitions/static-features",
"description": "Captures features associated with the binary that aren’t related to the semantics of the code (e.g., strings, packer information). Note that StaticFeaturesType captures multiple static features."
},
"analysis_metadata": {
"type": "array",
"items": {"$ref": "analysis-metadata.json#/definitions/analysis-metadata"},
"description": "Captures metadata associated with the analyses performed on the Malware Instance (e.g., the tools that were used)."
},
"triggered_signatures": {
"type": "array",
"items": {"$ref": "signature-metadata.json#/definitions/signature-metadata"},
"description": "Captures metadata associated with any signatures or rules (e.g. YARA) that were triggered during the analysis of the Malware Instance."
}
},
"required": [
"type",
"id",
"instance_object_refs"
]
}
}
}