<?xml version="1.0" encoding="UTF-8"?>
<xs:schema elementFormDefault="qualified" attributeFormDefault="unqualified" targetNamespace="http://maec.mitre.org/XMLSchema/maec-package-2" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:maecPackage="http://maec.mitre.org/XMLSchema/maec-package-2" xmlns:maecBundle="http://maec.mitre.org/XMLSchema/maec-bundle-4" xmlns:metadata="http://xml/metadataSharing.xsd" xmlns:cybox="http://cybox.mitre.org/cybox-2" xmlns:cyboxCommon="http://cybox.mitre.org/common-2" xmlns:FileObj="http://cybox.mitre.org/objects#FileObject-2" xmlns:URIObj="http://cybox.mitre.org/objects#URIObject-2" xmlns:SystemObj="http://cybox.mitre.org/objects#SystemObject-2" version="2.1">
<xs:import namespace="http://maec.mitre.org/XMLSchema/maec-bundle-4" schemaLocation="http://maec.mitre.org/language/version4.1/maec_bundle_schema.xsd"/>
<xs:import namespace="http://xml/metadataSharing.xsd" schemaLocation="http://grouper.ieee.org/groups/malware/malwg/Schema1.2/metadataSharing.xsd"/>
<xs:import namespace="http://cybox.mitre.org/cybox-2" schemaLocation="http://cybox.mitre.org/XMLSchema/core/2.1/cybox_core.xsd"/>
<xs:import namespace="http://cybox.mitre.org/objects#SystemObject-2" schemaLocation="http://cybox.mitre.org/XMLSchema/objects/System/2.1/System_Object.xsd"/>
<xs:import namespace="http://cybox.mitre.org/common-2" schemaLocation="http://cybox.mitre.org/XMLSchema/common/2.1/cybox_common.xsd"/>
<xs:annotation>
<xs:documentation>The following is a description of the elements, types, and attributes that compose the Malware Attribute Enumeration and Characterization (MAEC) package schema. Note that the xs:import declarations in this schema carry remote, plain-http schemaLocation hints for the CybOX, MAEC Bundle and MMDEF schemas; a validator that processes untrusted MAEC documents should resolve those imports from a local copy or an XML catalog rather than fetching them over the network at validation time.</xs:documentation>
<xs:documentation>The MAEC Package Schema is maintained by The Mitre Corporation. For more information, including how to get involved in the project, please visit the MAEC website at http://maec.mitre.org.</xs:documentation>
<xs:documentation>The imported MMDEF v1.2 schema is copyright 2013 IEEE-SA.</xs:documentation>
<xs:appinfo>
<schema>MAEC Package Schema</schema>
<version>2.1</version>
<date>02/11/2014</date>
<terms_of_use>Copyright (c) 2012-2014, The MITRE Corporation. All rights reserved. The contents of this file are subject to the terms of the MAEC License located at http://maec.mitre.org/about/termsofuse.html. See the MAEC License for the specific language governing permissions and limitations for use of this schema. When distributing copies of the MAEC Schema, this license header must be included.</terms_of_use>
</xs:appinfo>
</xs:annotation>
<xs:import namespace="http://cybox.mitre.org/objects#URIObject-2" schemaLocation="http://cybox.mitre.org/XMLSchema/objects/URI/2.1/URI_Object.xsd"/>
<xs:import namespace="http://cybox.mitre.org/objects#FileObject-2" schemaLocation="http://cybox.mitre.org/XMLSchema/objects/File/2.1/File_Object.xsd"/>
<xs:element name="MAEC_Package" type="maecPackage:PackageType">
<xs:annotation>
<xs:documentation>The root element of the MAEC Package schema is the MAEC_Package, which captures a single MAEC Package that encompasses one or more Malware Subjects and all of their associated MAEC entities.</xs:documentation>
</xs:annotation>
<xs:unique name="unique-package-id">
<xs:selector xpath=".//*"/>
<xs:field xpath="@id"/>
</xs:unique>
</xs:element>
<xs:complexType name="AnalysisEnvironmentType">
<xs:annotation>
<xs:documentation>The AnalysisEnvironmentType provides mechanisms for characterizing the particular hardware/software environment used in the analysis of a Malware Subject.</xs:documentation>
</xs:annotation>
<xs:sequence>
<xs:element minOccurs="0" name="Hypervisor_Host_System" type="maecPackage:HypervisorHostSystemType">
<xs:annotation>
<xs:documentation>The Hypervisor_Host_System field characterizes the (physical) host system used in the analysis on which the VM Hypervisor runs. This element imports and extends the CybOX System Object.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element minOccurs="0" name="Analysis_Systems" type="maecPackage:AnalysisSystemListType">
<xs:annotation>
<xs:documentation>The Analysis_Systems field characterizes the system(s) (real or virtual) on which the actual analysis was performed, including information about both the hardware and software, such as the properties of its BIOS, processor architecture, and operating system. This element imports and extends the CybOX System Object.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element minOccurs="0" name="Network_Infrastructure" type="maecPackage:NetworkInfrastructureType">
<xs:annotation>
<xs:documentation>The Network_Infrastructure field captures details of the network infrastructure used in the analysis environment, such as any network protocols that are captured or manipulated.</xs:documentation>
</xs:annotation>
</xs:element>
</xs:sequence>
</xs:complexType>
<xs:complexType name="SourceType">
<xs:annotation>
<xs:documentation>The SourceType provides a way of characterizing the external source of a relevant MAEC entity, such as an Analysis.</xs:documentation>
</xs:annotation>
<xs:sequence>
<xs:element name="Name" type="xs:string" minOccurs="0">
<xs:annotation>
<xs:documentation>The Name field refers to the name of the person linked to the source.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element minOccurs="0" name="Method" type="xs:string">
<xs:annotation>
<xs:documentation>The Method field provides an abstract way of specifying the method used to obtain the data that the Source element refers to.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element minOccurs="0" name="Reference" type="xs:string">
<xs:annotation>
<xs:documentation>The Reference field provides an abstract way of specifying a reference name or ID for the source.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element minOccurs="0" name="Organization" type="xs:string">
<xs:annotation>
<xs:documentation>The Organization field specifies the name of the organization from which the source originated.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element minOccurs="0" name="URL" type="xs:anyURI">
<xs:annotation>
<xs:documentation>The URL field specifies the Uniform Resource Locator (URL) of the external source, if applicable.</xs:documentation>
</xs:annotation>
</xs:element>
</xs:sequence>
</xs:complexType>
<xs:complexType name="CommentListType">
<xs:annotation>
<xs:documentation>The CommentListType provides a simple way of capturing any comments relating to MAEC entities, such as Analyses.</xs:documentation>
</xs:annotation>
<xs:sequence>
<xs:element maxOccurs="unbounded" name="Comment" type="maecPackage:CommentType">
<xs:annotation>
<xs:documentation>The Comment field specifies a single comment pertaining to a particular MAEC entity.</xs:documentation>
</xs:annotation>
</xs:element>
</xs:sequence>
</xs:complexType>
<xs:complexType name="AnalysisSystemListType">
<xs:annotation>
<xs:documentation>The AnalysisSystemListType captures a list of the systems, physical or virtual, used in the analysis of a Malware Subject.</xs:documentation>
</xs:annotation>
<xs:sequence>
<xs:element maxOccurs="unbounded" name="Analysis_System" type="maecPackage:AnalysisSystemType">
<xs:annotation>
<xs:documentation>The Analysis_System field captures a single analysis system.</xs:documentation>
</xs:annotation>
</xs:element>
</xs:sequence>
</xs:complexType>
<xs:complexType name="ToolListType">
<xs:annotation>
<xs:documentation>The ToolListType characterizes one or more tools, such as those used in the analysis of a Malware Subject.</xs:documentation>
</xs:annotation>
<xs:sequence maxOccurs="1">
<xs:element maxOccurs="unbounded" name="Tool" type="cyboxCommon:ToolInformationType" minOccurs="1">
<xs:annotation>
<xs:documentation>The Tool field specifies a single tool in the list.</xs:documentation>
</xs:annotation>
</xs:element>
</xs:sequence>
</xs:complexType>
<xs:complexType name="CommentType">
<xs:annotation>
<xs:documentation>The CommentType captures a comment relating to some MAEC field.</xs:documentation>
</xs:annotation>
<xs:simpleContent>
<xs:extension base="cyboxCommon:StructuredTextType">
<xs:attribute name="author" type="xs:string">
<xs:annotation>
<xs:documentation>The author field specifies the name of the author that added the comment.</xs:documentation>
</xs:annotation>
</xs:attribute>
<xs:attribute name="timestamp" type="xs:dateTime">
<xs:annotation>
<xs:documentation>The timestamp field specifies the date/time that the comment was added.</xs:documentation>
</xs:annotation>
</xs:attribute>
<xs:attribute name="observation_name" type="xs:string">
<xs:annotation>
<xs:documentation>The observation_name field captures the name, type, or identifier of an observation, for comments that refer to the observation of particular entities. For example, a comment that refers to a command and control (C2) encryption key could have an observation_name of "C2 Encryption Key".</xs:documentation>
</xs:annotation>
</xs:attribute>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
<xs:complexType name="AnalysisSystemType">
<xs:annotation>
<xs:documentation>The AnalysisSystemType is intended to characterize any systems on which malware analysis is performed. It imports and extends the CybOX System Object at the version referenced by this schema's xs:import of the System Object (the 2.1 schemaLocation above).</xs:documentation>
</xs:annotation>
<xs:complexContent>
<xs:extension base="SystemObj:SystemObjectType">
<xs:sequence>
<xs:element minOccurs="0" name="Installed_Programs" type="maecPackage:InstalledProgramsType">
<xs:annotation>
<xs:documentation>The Installed_Programs field specifies the programs installed on the OS that was used to perform the analysis. This can be useful for clarifying the nature of the analysis environment, for instance for determining whether an exploited piece of software was present, as well as for specifying any tools that may have been installed.</xs:documentation>
</xs:annotation>
</xs:element>
</xs:sequence>
</xs:extension>
</xs:complexContent>
</xs:complexType>
<xs:complexType name="HypervisorHostSystemType">
<xs:annotation>
<xs:documentation>The HypervisorHostSystemType characterizes the VM Hypervisor host system used in the malware analysis environment.</xs:documentation>
</xs:annotation>
<xs:complexContent>
<xs:extension base="SystemObj:SystemObjectType">
<xs:sequence>
<xs:element minOccurs="0" name="VM_Hypervisor" type="cyboxCommon:PlatformSpecificationType">
<xs:annotation>
<xs:documentation>The VM_Hypervisor field refers to the name of the VM Hypervisor that hosts the operating system(s) on which the analysis was performed, if applicable, via a Common Platform Enumeration (CPE) identifier. See http://cpe.mitre.org for more information on CPE.</xs:documentation>
</xs:annotation>
</xs:element>
</xs:sequence>
</xs:extension>
</xs:complexContent>
</xs:complexType>
<xs:complexType name="DynamicAnalysisMetadataType">
<xs:annotation>
<xs:documentation>The DynamicAnalysisMetadataType captures any metadata specific to the dynamic analysis of a malware instance.</xs:documentation>
</xs:annotation>
<xs:sequence>
<xs:element minOccurs="0" name="Command_Line" type="xs:string">
<xs:annotation>
<xs:documentation>The Command_Line field specifies the command line used to launch the subject binary. </xs:documentation>
</xs:annotation>
</xs:element>
<xs:element minOccurs="0" name="Analysis_Duration" type="xs:float">
<xs:annotation>
<xs:documentation>The Analysis_Duration field specifies the duration of the overall dynamic analysis process, in seconds.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element minOccurs="0" name="Exit_Code" type="xs:integer">
<xs:annotation>
<xs:documentation>The Exit_Code field specifies the exit code with which the subject binary exited. </xs:documentation>
</xs:annotation>
</xs:element>
<xs:element maxOccurs="unbounded" minOccurs="0" name="Raised_Exception" type="maecPackage:MalwareExceptionType">
<xs:annotation>
<xs:documentation>The Raised_Exception field captures a single exception that was raised (or thrown) during the execution of the malware instance. More than one exception may be captured through the use of multiple instances of this field.</xs:documentation>
</xs:annotation>
</xs:element>
</xs:sequence>
</xs:complexType>
<xs:complexType name="AnalysisType">
<xs:annotation>
<xs:documentation>The AnalysisType provides a way of capturing the information associated with the analysis of a malware instance, such as the subject, authors, start datetime, and other relevant data.</xs:documentation>
</xs:annotation>
<xs:sequence>
<xs:element minOccurs="0" name="Source" type="maecPackage:SourceType">
<xs:annotation>
<xs:documentation>The Source field specifies information about the internal or external source of the analysis, if applicable.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element maxOccurs="1" minOccurs="0" name="Analysts" type="cyboxCommon:PersonnelType">
<xs:annotation>
<xs:documentation>The Analysts field specifies the analyst(s) who performed the analysis.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element minOccurs="0" name="Summary" type="cyboxCommon:StructuredTextType">
<xs:annotation>
<xs:documentation>The Summary field specifies a summary of the analysis that was performed. It should be high-level and concise. It should summarize the contents of the Report field, if present, and otherwise should provide a brief synopsis of the analysis that was performed and any highlights.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element maxOccurs="1" minOccurs="0" name="Comments" type="maecPackage:CommentListType">
<xs:annotation>
<xs:documentation>The Comments field specifies any comments regarding the analysis that was performed. A comment should be attributable to a specific analyst and should reflect particular insights of the author that are significant from an analysis standpoint. The contents of comments are typically not contained in the Report.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element minOccurs="0" name="Findings_Bundle_Reference" type="maecBundle:BundleReferenceType" maxOccurs="unbounded">
<xs:annotation>
<xs:documentation>The Findings_Bundle_Reference field specifies a reference to the Bundle which encompasses the results and output of the Analysis in terms of its corresponding MAEC entities, such as Behaviors and Actions. More than one Bundle may be referenced by using multiple occurrences of this field.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element maxOccurs="1" minOccurs="0" name="Tools" type="maecPackage:ToolListType">
<xs:annotation>
<xs:documentation>The Tools field specifies information about the tool(s) used in the analysis, via the CybOX ToolInformationType. If only a single Tool is specified, then this implies that this tool was responsible for all of the findings contained in the Bundle referenced by the Findings_Bundle_Reference element.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element minOccurs="0" name="Dynamic_Analysis_Metadata" type="maecPackage:DynamicAnalysisMetadataType">
<xs:annotation>
<xs:documentation>The Dynamic_Analysis_Metadata field specifies metadata pertaining to the dynamic analysis of the subject binary, such as the command line used, the duration of the analysis, etc.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element minOccurs="0" name="Analysis_Environment" type="maecPackage:AnalysisEnvironmentType">
<xs:annotation>
<xs:documentation>The Analysis_Environment field specifies attributes for characterizing the analysis environment in which the analysis was performed.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element minOccurs="0" name="Report" type="cyboxCommon:StructuredTextType">
<xs:annotation>
<xs:documentation>The Report field specifies the textual report regarding the analysis performed on the malware. The Report should correspond to the human-readable prose document that captures key aspects and outcomes of the analysis.</xs:documentation>
</xs:annotation>
</xs:element>
</xs:sequence>
<xs:attribute name="id" type="xs:QName" use="required">
<xs:annotation>
<xs:documentation>The required id field specifies a unique ID for this Analysis.</xs:documentation>
</xs:annotation>
</xs:attribute>
<xs:attribute name="type" type="maecPackage:AnalysisTypeEnum">
<xs:annotation>
<xs:documentation>The type field specifies the type of malware analysis being performed.</xs:documentation>
</xs:annotation>
</xs:attribute>
<xs:attribute name="method" type="maecPackage:AnalysisMethodEnum">
<xs:annotation>
<xs:documentation>The method field specifies the analysis method used in the analysis. </xs:documentation>
</xs:annotation>
</xs:attribute>
<xs:attribute name="ordinal_position" type="xs:positiveInteger">
<xs:annotation>
<xs:documentation>The ordinal_position field specifies the ordering of the analysis with respect to the other analyses performed on the Malware Subject.</xs:documentation>
</xs:annotation>
</xs:attribute>
<xs:attribute name="start_datetime" type="xs:dateTime">
<xs:annotation>
<xs:documentation>The start_datetime field specifies the date/time the analysis was started.</xs:documentation>
</xs:annotation>
</xs:attribute>
<xs:attribute name="complete_datetime" type="xs:dateTime">
<xs:annotation>
<xs:documentation>The complete_datetime field specifies the date/time the analysis was completed.</xs:documentation>
</xs:annotation>
</xs:attribute>
<xs:attribute name="lastupdate_datetime" type="xs:dateTime">
<xs:annotation>
<xs:documentation>The lastupdate_datetime field specifies the date/time the analysis was last updated.</xs:documentation>
</xs:annotation>
</xs:attribute>
</xs:complexType>
<xs:complexType name="AnalysisListType">
<xs:annotation>
<xs:documentation>The AnalysisListType captures a list of analyses that were performed on a Malware Subject.</xs:documentation>
</xs:annotation>
<xs:sequence>
<xs:element maxOccurs="unbounded" name="Analysis" type="maecPackage:AnalysisType">
<xs:annotation>
<xs:documentation>The Analysis field represents the metadata regarding a single analysis that was performed on a Malware Subject.</xs:documentation>
</xs:annotation>
</xs:element>
</xs:sequence>
</xs:complexType>
<xs:complexType name="InstalledProgramsType">
<xs:annotation>
<xs:documentation>The InstalledProgramsType captures the programs installed on a particular operating system image.</xs:documentation>
</xs:annotation>
<xs:sequence>
<xs:element maxOccurs="unbounded" name="Program" type="cyboxCommon:PlatformSpecificationType">
<xs:annotation>
<xs:documentation>The Program field specifies a single program that is installed on the system. It uses the PlatformSpecificationType from the CybOX Common schema.</xs:documentation>
</xs:annotation>
</xs:element>
</xs:sequence>
</xs:complexType>
<xs:complexType name="PackageType">
<xs:annotation>
<xs:documentation>The PackageType is the namesake type of the MAEC Package schema, and captures either a single Malware Subject, or a collection of Malware Subjects that are related in some way (even if exact details of the relationship are unknown). Unlike the MAEC Bundle, which captures only the MAEC-characterized analysis results for a malware instance, the Package permits the capture of additional metadata relating to the analysis, relationships between Malware Subjects, and similar types of entities.</xs:documentation>
</xs:annotation>
<xs:sequence>
<xs:element name="Malware_Subjects" type="maecPackage:MalwareSubjectListType">
<xs:annotation>
<xs:documentation>The Malware_Subjects field captures each of the Malware Subjects contained in the Package.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element minOccurs="0" name="Grouping_Relationships" type="maecPackage:GroupingRelationshipListType">
<xs:annotation>
<xs:documentation>The Grouping_Relationships field specifies the particular relationships that serve to group the Malware Subjects encompassed in this Package. This is solely for cases where more than one Malware Subject is contained within the Package.</xs:documentation>
</xs:annotation>
</xs:element>
</xs:sequence>
<xs:attribute name="id" use="required" type="xs:QName">
<xs:annotation>
<xs:documentation>The required id field specifies a unique ID for this Package.</xs:documentation>
</xs:annotation>
</xs:attribute>
<xs:attribute fixed="2.1" name="schema_version" type="xs:string" use="required">
<xs:annotation>
<xs:documentation>The required schema_version field specifies the version of the MAEC Package schema that the document has been written in and that should be used for validation.</xs:documentation>
</xs:annotation>
</xs:attribute>
<xs:attribute name="timestamp" type="xs:dateTime">
<xs:annotation>
<xs:documentation>The timestamp field specifies the date/time that the Package was generated.</xs:documentation>
</xs:annotation>
</xs:attribute>
</xs:complexType>
<xs:complexType name="MalwareSubjectType">
<xs:annotation>
<xs:documentation>The MalwareSubjectType captures all of the details pertaining to a single malware instance, including any corresponding Analyses, Field Data, Findings Bundles, and relationships to other Malware Subjects.</xs:documentation>
</xs:annotation>
<xs:sequence>
<xs:element maxOccurs="1" name="Malware_Instance_Object_Attributes" type="cybox:ObjectType">
<xs:annotation>
<xs:documentation>The Malware_Instance_Object_Attributes field characterizes the attributes of the malware instance object (most commonly a file) that is encompassed in the Malware_Subject, via its corresponding CybOX Object. For example, a file would be represented via a CybOX File field of type FileObj:FileObjectType and may have a file name, MD5 hash, etc.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element maxOccurs="unbounded" minOccurs="0" name="Label" type="cyboxCommon:ControlledVocabularyStringType">
<xs:annotation>
<xs:documentation>The Label field specifies a single commonly accepted label to describe the Malware Subject, e.g. "worm". The default vocabulary for this field is the MalwareLabelVocab-1.0 from the MAEC Default Vocabularies schema. More than one label may be specified through the use of multiple instances of this field.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element minOccurs="0" name="Configuration_Details" type="maecPackage:MalwareConfigurationDetailsType">
<xs:annotation>
<xs:documentation>The Configuration_Details field captures details of the configuration specified for the Malware Subject, such as configuration parameters.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element minOccurs="0" name="Development_Environment" type="maecPackage:MalwareDevelopmentEnvironmentType">
<xs:annotation>
<xs:documentation>The Development_Environment field captures details of the development environment used in the creation of the malware instance characterized by the Malware Subject.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element minOccurs="0" name="Minor_Variants" type="maecPackage:MinorVariantListType">
<xs:annotation>
<xs:documentation>The Minor_Variants field captures any minor variants of the malware instance object, such as the same file but with different filenames.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element minOccurs="0" name="Field_Data" type="metadata:fieldDataEntry">
<xs:annotation>
<xs:documentation>The Field_Data field captures field data and prevalence information relating to the Malware Subject. It uses the fieldDataEntry type from the MMDEF v1.2 schema.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element minOccurs="0" name="Analyses" type="maecPackage:AnalysisListType">
<xs:annotation>
<xs:documentation>The Analyses field captures any Analyses (including their associated metadata such as tools used, etc.) that were performed on the Malware Subject.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element minOccurs="0" name="Findings_Bundles" type="maecPackage:FindingsBundleListType">
<xs:annotation>
<xs:documentation>The Findings_Bundles field specifies any MAEC Bundles pertaining to the Malware Subject, thus capturing any observed or discovered Behaviors, Actions, or Objects. These Bundles can either be abstract, or referenced as the result of an analysis that was performed on the malware.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element minOccurs="0" name="Relationships" type="maecPackage:MalwareSubjectRelationshipListType">
<xs:annotation>
<xs:documentation>The Relationships field captures any relationships between the Malware Subject and other Malware Subjects.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element maxOccurs="unbounded" minOccurs="0" name="Compatible_Platform" type="cyboxCommon:PlatformSpecificationType">
<xs:annotation>
<xs:documentation>The Compatible_Platform field specifies a single platform that the Malware Subject is compatible with (i.e. can execute on). It uses the PlatformSpecificationType from the imported CybOX Common schema. More than one compatible platform can be specified by using multiple occurrences of this field.</xs:documentation>
</xs:annotation>
</xs:element>
</xs:sequence>
<xs:attribute name="id" use="required" type="xs:QName">
<xs:annotation>
<xs:documentation>The required id field specifies a unique ID for this Malware Subject.</xs:documentation>
</xs:annotation>
</xs:attribute>
</xs:complexType>
<xs:complexType name="MetaAnalysisType">
<xs:annotation>
<xs:documentation>The MetaAnalysisType captures meta-analysis entities associated with the Bundles that were captured for a Malware Subject, such as Action Equivalencies.</xs:documentation>
</xs:annotation>
<xs:sequence>
<xs:element minOccurs="0" name="Action_Equivalences" type="maecPackage:ActionEquivalenceListType">
<xs:annotation>
<xs:documentation>The Action_Equivalences field captures any equivalences between Actions contained in one or more Bundles.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element minOccurs="0" name="Object_Equivalences" type="maecPackage:ObjectEquivalenceListType">
<xs:annotation>
<xs:documentation>The Object_Equivalences field captures any equivalences between Objects contained in one or more Bundles.</xs:documentation>
</xs:annotation>
</xs:element>
</xs:sequence>
</xs:complexType>
<xs:complexType name="MalwareSubjectRelationshipType">
<xs:annotation>
<xs:documentation>The MalwareSubjectRelationshipType provides a mechanism for capturing the relationships between a Malware Subject and one or more other Malware Subjects.</xs:documentation>
</xs:annotation>
<xs:sequence>
<xs:element minOccurs="1" name="Type" type="cyboxCommon:ControlledVocabularyStringType">
<xs:annotation>
<xs:documentation>The Type field specifies the type of relationship being captured.</xs:documentation>
<xs:documentation>This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is MalwareSubjectRelationshipTypeVocab-1.0 in the http://maec.mitre.org/default_vocabularies-1 namespace. This type is defined in the maec_default_vocabularies.xsd file or at the URL http://maec.mitre.org/XMLSchema/default_vocabularies/1.0.0/maec_default_vocabularies.xsd.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element maxOccurs="unbounded" name="Malware_Subject_Reference" type="maecPackage:MalwareSubjectReferenceType">
<xs:annotation>
<xs:documentation>The Malware_Subject_Reference field provides a reference to a single Malware Subject that this relationship pertains to.</xs:documentation>
</xs:annotation>
</xs:element>
</xs:sequence>
</xs:complexType>
<xs:complexType name="MalwareSubjectRelationshipListType">
<xs:annotation>
<xs:documentation>The MalwareSubjectRelationshipListType captures a list of relationships between a Malware Subject and other Malware Subjects. The list must contain at least one Relationship.</xs:documentation>
</xs:annotation>
<xs:sequence>
<xs:element name="Relationship" maxOccurs="unbounded" type="maecPackage:MalwareSubjectRelationshipType">
<xs:annotation>
<xs:documentation>The Relationship field specifies a single relationship that relates the Malware Subject to one or more other Malware Subjects contained in the Package. It may be repeated.</xs:documentation>
</xs:annotation>
</xs:element>
</xs:sequence>
</xs:complexType>
<xs:complexType name="MalwareSubjectReferenceType">
<xs:annotation>
<xs:documentation>The MalwareSubjectReferenceType provides a mechanism for specifying a reference to a Malware Subject contained in the Package. It carries no content, only the required malware_subject_idref attribute.</xs:documentation>
</xs:annotation>
<xs:attribute name="malware_subject_idref" type="xs:QName" use="required">
<xs:annotation>
<xs:documentation>The malware_subject_idref field provides a reference to a Malware Subject contained in the Package, via its ID. Because the attribute is typed xs:QName rather than xs:IDREF, schema validation does not check that the referenced ID exists or is unique within the Package; consumers must resolve the reference themselves and handle a dangling or ambiguous one.</xs:documentation>
</xs:annotation>
</xs:attribute>
</xs:complexType>
<xs:complexType name="MalwareSubjectListType">
<xs:annotation>
<xs:documentation>The MalwareSubjectListType captures a list of Malware Subjects. The list must contain at least one Malware_Subject.</xs:documentation>
</xs:annotation>
<xs:sequence>
<xs:element maxOccurs="unbounded" name="Malware_Subject" type="maecPackage:MalwareSubjectType">
<xs:annotation>
<xs:documentation>The Malware_Subject field represents a single Malware Subject (most commonly a file) and its associated metadata, such as Analyses, Bundles, and relationships to other Malware Subjects. It may be repeated once per Malware Subject in the Package.</xs:documentation>
</xs:annotation>
</xs:element>
</xs:sequence>
</xs:complexType>
<xs:complexType name="MinorVariantListType">
<xs:annotation>
<xs:documentation>The MinorVariantListType captures a list of minor variants of a Malware Subject's malware instance object. For example, the same binary but with different filenames. The list must contain at least one Minor_Variant.</xs:documentation>
</xs:annotation>
<xs:sequence>
<xs:element maxOccurs="unbounded" minOccurs="1" name="Minor_Variant" type="cybox:ObjectType">
<xs:annotation>
<xs:documentation>The Minor_Variant field captures a single minor variant of the malware instance object, as a CybOX Object. It may be repeated once per variant.</xs:documentation>
</xs:annotation>
</xs:element>
</xs:sequence>
</xs:complexType>
<xs:complexType name="FindingsBundleListType">
<xs:annotation>
<xs:documentation>The FindingsBundleListType captures a list of Bundles or external references to Bundles, along with any related meta-analysis entities. Every child is optional, so the schema also permits an instance that carries only meta-analysis, or no children at all.</xs:documentation>
</xs:annotation>
<xs:sequence>
<xs:element minOccurs="0" name="Meta_Analysis" type="maecPackage:MetaAnalysisType">
<xs:annotation>
<xs:documentation>The Meta_Analysis field captures any meta-analysis related entities for the Bundles captured for a Malware Subject, such as equivalences between their Actions and Objects.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element maxOccurs="unbounded" name="Bundle" type="maecBundle:BundleType" minOccurs="0">
<xs:annotation>
<xs:documentation>The Bundle field captures a single MAEC Bundle, embedded inline, representing some set of characterized entities resulting from analysis of the Malware Subject. It may be repeated.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element maxOccurs="unbounded" minOccurs="0" name="Bundle_External_Reference" type="xs:anyURI">
<xs:annotation>
<xs:documentation>The Bundle_External_Reference field specifies a single externally located MAEC Bundle (such as a file or URL) via a URI, representing some set of results from analysis of the Malware Subject. It may be repeated.</xs:documentation>
</xs:annotation>
<!-- NOTE(review): this is a reference chosen by whoever produced the Package, not content validated here. A consumer that dereferences it automatically is fetching from a producer-controlled location; treat it like xsi:schemaLocation, a hint rather than a trusted fetch target. -->
</xs:element>
</xs:sequence>
</xs:complexType>
<xs:complexType name="GroupingRelationshipType">
<xs:annotation>
<xs:documentation>The GroupingRelationshipType provides a mechanism for specifying the relationship that groups together the Malware Subjects in a Package. All of its fields are optional; which ones are meaningful depends on the relationship Type.</xs:documentation>
</xs:annotation>
<xs:sequence>
<xs:element minOccurs="0" name="Type" type="cyboxCommon:ControlledVocabularyStringType">
<xs:annotation>
<xs:documentation>The Type field specifies the type of relationship that groups the Malware Subjects in the Package. Unlike the Type of a MalwareSubjectRelationshipType, this field is optional.</xs:documentation>
<xs:documentation>This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is GroupingRelationshipTypeVocab-1.0 in the http://maec.mitre.org/default_vocabularies-1 namespace. This type is defined in the maec_default_vocabularies.xsd file or at the URL http://maec.mitre.org/XMLSchema/default_vocabularies/1.0.0/maec_default_vocabularies.xsd.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element minOccurs="0" name="Malware_Family_Name" type="xs:string">
<xs:annotation>
<xs:documentation>The Malware_Family_Name field specifies the name of the malware family referred to by the 'same_malware_family' relationship type.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element minOccurs="0" name="Malware_Toolkit_Name" type="xs:string">
<xs:annotation>
<xs:documentation>The Malware_Toolkit_Name field specifies the name of the malware toolkit referred to by the 'same_malware_toolkit' relationship type.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element minOccurs="0" name="Clustering_Metadata" type="maecPackage:ClusteringMetadataType">
<xs:annotation>
<xs:documentation>The Clustering_Metadata field specifies any metadata regarding the algorithm and/or methods used for clustering the Malware Subjects in this Package, for use with the 'clustered_together' relationship type.</xs:documentation>
</xs:annotation>
</xs:element>
</xs:sequence>
</xs:complexType>
<xs:complexType name="GroupingRelationshipListType">
<xs:annotation>
<xs:documentation>The GroupingRelationshipListType captures a list of grouping relationships relating the Malware Subjects in a Package. The list must contain at least one Grouping_Relationship.</xs:documentation>
</xs:annotation>
<xs:sequence>
<xs:element maxOccurs="unbounded" name="Grouping_Relationship" type="maecPackage:GroupingRelationshipType">
<xs:annotation>
<xs:documentation>The Grouping_Relationship field specifies a single grouping relationship in the list. It may be repeated.</xs:documentation>
</xs:annotation>
</xs:element>
</xs:sequence>
</xs:complexType>
<xs:complexType name="ClusteringMetadataType">
<xs:annotation>
<xs:documentation>The ClusteringMetadataType specifies any metadata regarding the algorithm and/or methods used for clustering the Malware Subjects in this Package, for use in the 'clustered_together' relationship type. All of its fields are optional.</xs:documentation>
</xs:annotation>
<xs:sequence>
<xs:element minOccurs="0" name="Algorithm_Name" type="xs:string">
<xs:annotation>
<xs:documentation>The Algorithm_Name field specifies the name of the clustering algorithm used to cluster the malware, as free text.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element minOccurs="0" name="Algorithm_Version" type="xs:string">
<xs:annotation>
<xs:documentation>The Algorithm_Version field specifies the version of the algorithm used to cluster the malware, as free text.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element minOccurs="0" name="Algorithm_Parameters" type="maecPackage:ClusteringAlgorithmParametersType">
<xs:annotation>
<xs:documentation>The Algorithm_Parameters field specifies any parameters that may have been used in the clustering algorithm.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element minOccurs="0" name="Cluster_Size" type="xs:positiveInteger">
<xs:annotation>
<xs:documentation>The Cluster_Size field specifies the size of the malware cluster, as a positive integer (a value of 0 is not permitted by the type).</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element minOccurs="0" name="Cluster_Description" type="xs:string">
<xs:annotation>
<xs:documentation>The Cluster_Description field provides a textual description of the malware cluster, such as information about its composition.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element name="Cluster_Composition" minOccurs="0" type="maecPackage:ClusterCompositionType">
<xs:annotation>
<xs:documentation>The Cluster_Composition field captures the composition of the malware cluster, including the similarity indices between its members, as a collection of edges and their corresponding nodes.</xs:documentation>
</xs:annotation>
</xs:element>
</xs:sequence>
</xs:complexType>
<xs:complexType name="ClusterEdgeNodePairType">
<xs:annotation>
<xs:documentation>The ClusterEdgeNodePairType captures a single edge-node pair in a malware cluster, which is composed of the two Malware Subjects that correspond to the nodes connected to the edge (via references), and represents the similarity index between the two Malware Subjects. Both node references are required; the two score attributes are optional.</xs:documentation>
</xs:annotation>
<xs:sequence>
<xs:element minOccurs="1" name="Malware_Subject_Node_A" type="maecPackage:MalwareSubjectReferenceType">
<xs:annotation>
<xs:documentation>The Malware_Subject_Node_A field represents the first node connected to the edge, via a reference to a Malware Subject that is part of the malware cluster.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element name="Malware_Subject_Node_B" type="maecPackage:MalwareSubjectReferenceType">
<xs:annotation>
<xs:documentation>The Malware_Subject_Node_B field represents the second node connected to the edge, via a reference to a Malware Subject that is part of the malware cluster. It is required (the default minOccurs of 1 applies).</xs:documentation>
</xs:annotation>
</xs:element>
</xs:sequence>
<xs:attribute name="similarity_index" type="xs:decimal">
<xs:annotation>
<xs:documentation>The similarity_index field specifies the similarity index between the two Malware Subjects being referenced (indicating how similar they are), as a decimal value. This value should be equivalent to 1 minus the similarity distance value (if included). The schema applies no range facet, so keeping the value within [0, 1] is a convention that validation does not enforce.</xs:documentation>
</xs:annotation>
</xs:attribute>
<xs:attribute name="similarity_distance" type="xs:decimal">
<xs:annotation>
<xs:documentation>The similarity_distance field specifies the similarity distance between the two Malware Subjects being referenced (indicating how dissimilar they are), as a decimal value. This value should be equivalent to 1 minus the similarity index value (if included). As with similarity_index, no range is enforced by the schema.</xs:documentation>
</xs:annotation>
</xs:attribute>
</xs:complexType>
<xs:complexType name="ClusterCompositionType">
<xs:annotation>
<xs:documentation>The ClusterCompositionType captures the composition of a malware cluster via its edges and their respective connected nodes, as in an undirected graph. At least one Edge_Node_Pair is required.</xs:documentation>
</xs:annotation>
<xs:sequence>
<xs:element maxOccurs="unbounded" name="Edge_Node_Pair" type="maecPackage:ClusterEdgeNodePairType">
<xs:annotation>
<xs:documentation>The Edge_Node_Pair field specifies a single edge and its connected nodes in the malware cluster, representing the similarity index between two Malware Subjects. It may be repeated once per edge.</xs:documentation>
</xs:annotation>
</xs:element>
</xs:sequence>
<xs:attribute name="score_type" type="xs:string">
<xs:annotation>
<xs:documentation>For clustering algorithms that may capture different types of scores, the optional score_type attribute specifies, as free text, the type of score used to define the composition of this malware cluster.</xs:documentation>
</xs:annotation>
</xs:attribute>
</xs:complexType>
<xs:complexType name="ClusteringAlgorithmParametersType">
<xs:annotation>
<xs:documentation>The ClusteringAlgorithmParametersType captures any parameters that may have been used in a malware clustering algorithm. Both parameters are optional.</xs:documentation>
</xs:annotation>
<xs:sequence>
<xs:element minOccurs="0" name="Distance_Threshold" type="xs:decimal">
<xs:annotation>
<xs:documentation>The Distance_Threshold field specifies the minimum distance threshold for the cluster, or the minimum distance between nodes in order for them to belong to the same cluster.</xs:documentation>
</xs:annotation>
<!-- NOTE(review): "minimum distance" reads as a lower bound, whereas a clustering distance threshold is usually the largest distance at which two nodes are still placed in the same cluster; confirm the intended semantics against the clustering tool before interpreting this value. -->
</xs:element>
<xs:element minOccurs="0" name="Number_of_Iterations" type="xs:positiveInteger">
<xs:annotation>
<xs:documentation>The Number_of_Iterations field specifies the number of times that the algorithm was executed in order to produce the cluster, as a positive integer.</xs:documentation>
</xs:annotation>
</xs:element>
</xs:sequence>
</xs:complexType>
<xs:complexType name="NetworkInfrastructureType">
<xs:annotation>
<xs:documentation>The NetworkInfrastructureType captures specific details about the network infrastructure used in the malware analysis environment. Its only child, Captured_Protocols, is required.</xs:documentation>
</xs:annotation>
<xs:sequence>
<xs:element minOccurs="1" name="Captured_Protocols" type="maecPackage:CapturedProtocolListType">
<xs:annotation>
<xs:documentation>The Captured_Protocols field specifies a list of network protocols, along with the particular level of interaction, that the malware analysis environment captures or interacts with in some fashion. This field is required.</xs:documentation>
</xs:annotation>
</xs:element>
</xs:sequence>
</xs:complexType>
<xs:complexType name="ActionEquivalenceType">
<xs:annotation>
<xs:documentation>The ActionEquivalenceType relates any Actions that are equivalent to each other, e.g., those that were found for the same Malware Subject when using different analysis tools. It can be used as a way of referencing equivalent actions as a single unit, such as for specifying the Action composition of a Behavior. It consists of one or more Action references and a required id.</xs:documentation>
</xs:annotation>
<xs:sequence>
<xs:element maxOccurs="unbounded" name="Action_Reference" type="cybox:ActionReferenceType">
<xs:annotation>
<xs:documentation>The Action_Reference field specifies a reference to a single Action that is part of the Action Equivalence. At least one is required; it may be repeated.</xs:documentation>
</xs:annotation>
</xs:element>
</xs:sequence>
<xs:attribute name="id" use="required" type="xs:QName">
<xs:annotation>
<xs:documentation>The required id field specifies a unique ID for the Action Equivalence. Because the attribute is typed xs:QName rather than xs:ID, uniqueness is a convention the schema does not enforce; consumers that index equivalences by id must check for duplicates themselves.</xs:documentation>
</xs:annotation>
</xs:attribute>
</xs:complexType>
<xs:complexType name="ActionEquivalenceListType">
<xs:annotation>
<xs:documentation>The ActionEquivalenceListType captures a list of Action Equivalences. The list must contain at least one Action_Equivalence.</xs:documentation>
</xs:annotation>
<xs:sequence>
<xs:element maxOccurs="unbounded" name="Action_Equivalence" type="maecPackage:ActionEquivalenceType">
<xs:annotation>
<xs:documentation>The Action_Equivalence field captures a single Action Equivalence in the list. It may be repeated.</xs:documentation>
</xs:annotation>
</xs:element>
</xs:sequence>
</xs:complexType>
<xs:complexType name="CapturedProtocolListType">
<xs:annotation>
<xs:documentation>The CapturedProtocolListType specifies a list of network protocols that a malware analysis environment may capture or interact with. The list must contain at least one Protocol.</xs:documentation>
</xs:annotation>
<xs:sequence>
<xs:element maxOccurs="unbounded" name="Protocol" type="maecPackage:CapturedProtocolType">
<xs:annotation>
<xs:documentation>The Protocol field specifies a single layer 4 or layer 7 network protocol captured or interacted with by the analysis environment. It may be repeated once per protocol.</xs:documentation>
</xs:annotation>
</xs:element>
</xs:sequence>
</xs:complexType>
<xs:complexType name="CapturedProtocolType">
<xs:annotation>
<xs:documentation>The CapturedProtocolType specifies the details of a network protocol that may be captured or otherwise manipulated in the malware analysis environment. It has no content; every attribute is optional, so a Protocol element with no attributes at all is schema-valid.</xs:documentation>
</xs:annotation>
<xs:attribute name="layer7_protocol" type="maecPackage:Layer7ProtocolEnum">
<xs:annotation>
<xs:documentation>The layer7_protocol field specifies the name of the Layer 7 network protocol (OSI model) captured or manipulated by the analysis environment, restricted to the values of Layer7ProtocolEnum.</xs:documentation>
</xs:annotation>
</xs:attribute>
<xs:attribute name="layer4_protocol" type="maecPackage:Layer4ProtocolEnum">
<xs:annotation>
<xs:documentation>The layer4_protocol field specifies the name of the Layer 4 network protocol (OSI model) captured or manipulated by the analysis environment, restricted to the values of Layer4ProtocolEnum.</xs:documentation>
</xs:annotation>
</xs:attribute>
<xs:attribute name="port_number" type="xs:positiveInteger">
<xs:annotation>
<xs:documentation>The port_number field specifies the port number for this network protocol that is captured or manipulated by the analysis environment. The type is xs:positiveInteger, so the schema accepts any positive integer and does not restrict the value to the 16-bit port range; consumers should validate the range themselves.</xs:documentation>
</xs:annotation>
</xs:attribute>
<xs:attribute name="interaction_level" type="maecPackage:InteractionLevelEnum">
<xs:annotation>
<xs:documentation>The interaction_level field specifies the relative level of interaction that the analysis environment has with the specified network protocol, as one of the values of InteractionLevelEnum.</xs:documentation>
</xs:annotation>
</xs:attribute>
</xs:complexType>
<xs:complexType name="ObjectEquivalenceType">
<xs:annotation>
<xs:documentation>The ObjectEquivalenceType relates the Objects that are equivalent to each other, e.g., those that were found for the same Malware Subject when using different analysis tools. It extends the Bundle schema's ObjectReferenceListType with a required id.</xs:documentation>
</xs:annotation>
<xs:complexContent>
<xs:extension base="maecBundle:ObjectReferenceListType">
<xs:attribute name="id" type="xs:QName" use="required">
<xs:annotation>
<xs:documentation>The required id field specifies a unique ID for the Object Equivalence. As the attribute is typed xs:QName rather than xs:ID, uniqueness is not enforced by schema validation and must be checked by consumers.</xs:documentation>
</xs:annotation>
</xs:attribute>
</xs:extension>
</xs:complexContent>
</xs:complexType>
<xs:complexType name="ObjectEquivalenceListType">
<xs:annotation>
<xs:documentation>The ObjectEquivalenceListType captures a list of Object Equivalences. The list must contain at least one Object_Equivalence.</xs:documentation>
</xs:annotation>
<xs:sequence>
<xs:element maxOccurs="unbounded" name="Object_Equivalence" type="maecPackage:ObjectEquivalenceType">
<xs:annotation>
<xs:documentation>The Object_Equivalence field specifies a single Object Equivalence in the list. It may be repeated.</xs:documentation>
</xs:annotation>
</xs:element>
</xs:sequence>
</xs:complexType>
<xs:complexType name="MalwareConfigurationParameterType">
<xs:annotation>
<xs:documentation>The MalwareConfigurationParameterType captures a single configuration parameter that may be defined for a malware instance, as a name/value pair. Both the Name and the Value are optional in the schema.</xs:documentation>
</xs:annotation>
<xs:sequence>
<xs:element minOccurs="0" name="Name" type="cyboxCommon:ControlledVocabularyStringType">
<xs:annotation>
<xs:documentation>The Name field specifies the name of the malware configuration parameter. It uses the MalwareConfigurationParameterVocab vocabulary from the MAEC Default Vocabularies schemas as its default vocabulary. Parameters that are not included in this vocabulary may also be specified, in which case it is recommended to use the exact name of the parameter.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element minOccurs="0" name="Value" type="xs:string">
<xs:annotation>
<xs:documentation>The Value field captures the value of the malware configuration parameter, as free text.</xs:documentation>
</xs:annotation>
<!-- NOTE(review): the value is data extracted from the analysed sample and is therefore attacker-controlled; downstream tooling should treat it as untrusted input (escape it when rendering, never interpret or execute it). -->
</xs:element>
</xs:sequence>
</xs:complexType>
<xs:complexType name="MalwareConfigurationDetailsType">
<xs:annotation>
<xs:documentation>The MalwareConfigurationDetailsType captures details of malware configuration parameters and associated metadata: where the parameters are stored, how they are obfuscated, and the parameters themselves. All three parts are optional.</xs:documentation>
</xs:annotation>
<xs:sequence>
<xs:element minOccurs="0" name="Storage" type="maecPackage:MalwareConfigurationStorageDetailsType">
<xs:annotation>
<xs:documentation>The Storage field captures details of how the malware configuration parameters may be stored, e.g. in a separate file, in memory, etc.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element minOccurs="0" name="Obfuscation" type="maecPackage:MalwareConfigurationObfuscationDetailsType">
<xs:annotation>
<xs:documentation>The Obfuscation field captures details of how the malware configuration parameters may be obfuscated (encoded and/or encrypted), if applicable.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element maxOccurs="unbounded" minOccurs="0" name="Configuration_Parameter" type="maecPackage:MalwareConfigurationParameterType">
<xs:annotation>
<xs:documentation>The Configuration_Parameter field captures a single configuration parameter that may be defined for the Malware Subject. More than one configuration parameter may be specified by using multiple occurrences of this field.</xs:documentation>
</xs:annotation>
</xs:element>
</xs:sequence>
</xs:complexType>
<xs:complexType name="MalwareConfigurationObfuscationDetailsType">
<xs:annotation>
<xs:documentation>The MalwareConfigurationObfuscationDetailsType captures details relating to the obfuscation of malware configuration parameters: zero or more algorithm descriptions plus two optional boolean flags.</xs:documentation>
</xs:annotation>
<xs:sequence>
<xs:element maxOccurs="unbounded" minOccurs="0" name="Algorithm_Details" type="maecPackage:MalwareConfigurationObfuscationAlgorithmType">
<xs:annotation>
<xs:documentation>The Algorithm_Details field captures the details of an algorithm used to encode or encrypt the malware configuration parameters, including the name of the algorithm and its key. More than one encryption or encoding algorithm may be specified by using multiple occurrences of this field; their order of application is given by each occurrence's ordinal_position attribute.</xs:documentation>
</xs:annotation>
</xs:element>
</xs:sequence>
<xs:attribute name="is_encoded" type="xs:boolean">
<xs:annotation>
<xs:documentation>The is_encoded field specifies whether the malware configuration parameters are encoded with an algorithm captured in the Algorithm_Details field.</xs:documentation>
</xs:annotation>
</xs:attribute>
<xs:attribute name="is_encrypted" type="xs:boolean">
<xs:annotation>
<xs:documentation>The is_encrypted field specifies whether the malware configuration parameters are encrypted with an algorithm captured in the Algorithm_Details field.</xs:documentation>
</xs:annotation>
</xs:attribute>
</xs:complexType>
<xs:complexType name="MalwareConfigurationObfuscationAlgorithmType">
<xs:annotation>
<xs:documentation>The MalwareConfigurationObfuscationAlgorithmType captures the details of an algorithm used to encode or encrypt malware configuration parameters: its key, its name, and its position in the sequence of algorithms applied.</xs:documentation>
</xs:annotation>
<xs:sequence>
<xs:element minOccurs="0" name="Key" type="xs:hexBinary">
<xs:annotation>
<xs:documentation>The Key field captures the key used to decrypt or decode the configuration parameters, as recovered during analysis. As xs:hexBinary, the value is the raw key bytes written as an even number of hexadecimal digits.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element maxOccurs="1" minOccurs="0" name="Algorithm_Name" type="cyboxCommon:ControlledVocabularyStringType">
<xs:annotation>
<xs:documentation>The Algorithm_Name field captures the name of the encoding or encryption algorithm used to obfuscate the malware configuration parameters, as a controlled-vocabulary string.</xs:documentation>
</xs:annotation>
</xs:element>
</xs:sequence>
<xs:attribute name="ordinal_position" type="xs:positiveInteger">
<xs:annotation>
<xs:documentation>The ordinal_position field specifies the explicit ordering of the usage of the algorithm with respect to the other algorithms used to encrypt or encode the malware configuration parameters, for cases where more than one algorithm was used. Positions start at 1; the schema does not check that positions across sibling Algorithm_Details are distinct or contiguous.</xs:documentation>
</xs:annotation>
</xs:attribute>
</xs:complexType>
<xs:complexType name="MalwareConfigurationStorageDetailsType">
<xs:annotation>
<xs:documentation>The MalwareConfigurationStorageDetailsType captures details relating to the storage of malware configuration parameters: inside the binary, in a separate file, and/or at one or more URLs. All three are optional.</xs:documentation>
</xs:annotation>
<xs:sequence>
<xs:element minOccurs="0" name="Malware_Binary" type="maecPackage:MalwareBinaryConfigurationStorageDetailsType">
<xs:annotation>
<xs:documentation>The Malware_Binary field captures properties related to the storage of malware configuration parameters inside the malware binary captured in the Malware_Instance_Object_Attributes field.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element minOccurs="0" name="File" type="FileObj:FileObjectType">
<xs:annotation>
<xs:documentation>The File field captures the properties of a configuration file, for cases where the Malware Subject stores its configuration parameters in a separate file.</xs:documentation>
<xs:documentation>This field uses the FileObjectType from the imported CybOX File Object.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element maxOccurs="unbounded" minOccurs="0" name="URL" type="URIObj:URIObjectType">
<xs:annotation>
<xs:documentation>The URL field captures a URL at which the configuration parameters for the Malware Subject may be stored. More than one such URL may be specified by using multiple occurrences of this field.</xs:documentation>
<xs:documentation>This field uses the URIObjectType from the imported CybOX URI Object.</xs:documentation>
</xs:annotation>
<!-- NOTE(review): a URL recorded here is part of the malware's own configuration (where the sample fetches its parameters), not a resource the consumer of this Package is expected to retrieve; treat it as an indicator for reporting and detection. -->
</xs:element>
</xs:sequence>
</xs:complexType>
<xs:complexType name="MalwareBinaryConfigurationStorageDetailsType">
<xs:annotation>
<xs:documentation>The MalwareBinaryConfigurationStorageDetailsType captures details relating to the storage of malware configuration parameters inside the malware binary itself. All of its fields are optional.</xs:documentation>
</xs:annotation>
<!-- NOTE(review): File_Offset and Section_Offset are typed xs:hexBinary, which denotes a byte sequence rather than a number; the byte order and width used to encode an offset are not defined by this schema, so producers and consumers must agree on them (TODO confirm against the MAEC documentation). -->
<xs:sequence>
<xs:element minOccurs="0" name="File_Offset" type="xs:hexBinary">
<xs:annotation>
<xs:documentation>The File_Offset field specifies the offset, from the start of the malware binary, to the start of the malware configuration parameters.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element minOccurs="0" name="Section_Name" type="xs:string">
<xs:annotation>
<xs:documentation>The Section_Name field specifies the name of the PE section in the malware binary that contains the malware configuration parameters, for PE file malware binaries.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element minOccurs="0" name="Section_Offset" type="xs:hexBinary">
<xs:annotation>
<xs:documentation>The Section_Offset field specifies the offset, from the start of the PE section that contains the malware configuration parameters, to the start of the parameters themselves, for PE file malware binaries.</xs:documentation>
</xs:annotation>
</xs:element>
</xs:sequence>
</xs:complexType>
<xs:complexType name="MalwareDevelopmentEnvironmentType">
<xs:annotation>
<xs:documentation>The MalwareDevelopmentEnvironmentType captures details of the development environment used in developing the malware instance, such as information on any tools that were used and any debugging files found. Both fields are optional.</xs:documentation>
</xs:annotation>
<xs:sequence>
<xs:element minOccurs="0" name="Tools" type="cyboxCommon:ToolsInformationType">
<xs:annotation>
<xs:documentation>The Tools field captures the properties of one or more tools used in the development of the malware instance. For the Type field in each Tool, the MAEC MalwareDevelopmentToolVocab (from the MAEC Default Vocabularies Schema) should be used as the default vocabulary.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element maxOccurs="unbounded" minOccurs="0" name="Debugging_File" type="FileObj:FileObjectType">
<xs:annotation>
<xs:documentation>The Debugging_File field captures the properties of a debugging file associated with the malware instance, such as a PDB file. It uses the FileObjectType from the imported CybOX File Object Schema. More than one Debugging_File can be specified by using multiple instances of this field.</xs:documentation>
</xs:annotation>
</xs:element>
</xs:sequence>
</xs:complexType>
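<xs:complexType name="MalwareExceptionType">
<xs:annotation>
<xs:documentation>The MalwareExceptionType captures details of exceptions that may be raised as a result of a malware instance executing on a system. It extends the CybOX ErrorType with an exception code, the faulting address, a textual description, and a flag indicating whether the exception was fatal; every addition is optional.</xs:documentation>
</xs:annotation>
<xs:complexContent>
<xs:extension base="cyboxCommon:ErrorType">
<xs:sequence>
<xs:element minOccurs="0" name="Exception_Code" type="xs:string">
<xs:annotation>
<xs:documentation>The Exception_Code field captures the particular code that identifies the type of exception that occurred, as free text (no numeric format is imposed).</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element minOccurs="0" name="Faulting_Address" type="xs:hexBinary">
<xs:annotation>
<xs:documentation>The Faulting_Address field captures the memory address where the exception occurred. As xs:hexBinary the value is a byte sequence written as an even number of hexadecimal digits; the schema does not fix its width or byte order.</xs:documentation>
</xs:annotation>
</xs:element>
<!-- Description is documented as free text but was typed xs:short, which only admits integers in -32768..32767 and would make any actual description fail validation. xs:string accepts every value xs:short accepted, so previously valid instances remain valid. -->
<xs:element minOccurs="0" name="Description" type="xs:string">
<xs:annotation>
<xs:documentation>The Description field captures the textual description of the exception.</xs:documentation>
</xs:annotation>
</xs:element>
</xs:sequence>
<xs:attribute name="is_fatal" type="xs:boolean">
<xs:annotation>
<xs:documentation>The is_fatal field specifies whether the exception is fatal; that is, whether it caused the malware instance to terminate.</xs:documentation>
</xs:annotation>
</xs:attribute>
</xs:extension>
</xs:complexContent>
</xs:complexType>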
<xs:simpleType name="AnalysisTypeEnum">
<xs:annotation>
<xs:documentation>The AnalysisTypeEnum is an enumeration of types of malware analyses. Only the two listed values are permitted.</xs:documentation>
</xs:annotation>
<xs:restriction base="xs:string">
<xs:enumeration value="triage">
<xs:annotation>
<xs:documentation>The triage value specifies a cursory, or triage, type of malware analysis, commonly automated in conjunction with one or more tools.</xs:documentation>
</xs:annotation>
</xs:enumeration>
<xs:enumeration value="in-depth">
<xs:annotation>
<xs:documentation>The in-depth value specifies a detailed type of malware analysis that is typically performed by a human analyst.</xs:documentation>
</xs:annotation>
</xs:enumeration>
</xs:restriction>
</xs:simpleType>
<xs:simpleType name="AnalysisMethodEnum">
<xs:annotation>
<xs:documentation>The AnalysisMethodEnum is an enumeration of malware analysis methods. Only the three listed values are permitted.</xs:documentation>
</xs:annotation>
<xs:restriction base="xs:string">
<xs:enumeration value="static">
<xs:annotation>
<xs:documentation>The static value specifies a static malware analysis method, which is achieved by inspecting but not executing the malware instance.</xs:documentation>
</xs:annotation>
</xs:enumeration>
<xs:enumeration value="dynamic">
<xs:annotation>
<xs:documentation>The dynamic value specifies a dynamic malware analysis method, which is achieved by executing (in an analysis environment) but not inspecting the malware instance.</xs:documentation>
</xs:annotation>
</xs:enumeration>
<xs:enumeration value="combination">
<xs:annotation>
<xs:documentation>The combination value specifies a combination of dynamic and static malware analysis, achieved by both inspecting and executing the malware instance.</xs:documentation>
</xs:annotation>
</xs:enumeration>
</xs:restriction>
</xs:simpleType>
<xs:simpleType name="InteractionLevelEnum">
<xs:annotation>
<xs:documentation>The InteractionLevelEnum is a non-exhaustive enumeration of interaction levels for network protocols in a malware analysis environment. Although described as non-exhaustive, the restriction permits only the five listed values; anything else fails validation.</xs:documentation>
</xs:annotation>
<xs:restriction base="xs:string">
<xs:enumeration value="high">
<xs:annotation>
<xs:documentation>The high value specifies that, for the specified protocol, the analysis environment will establish the connection and attempt to decode/identify any common protocols used by the malware. The level of decode/protocol support can be subjective and dependent on the particular environment.</xs:documentation>
</xs:annotation>
</xs:enumeration>
<xs:enumeration value="low">
<xs:annotation>
<xs:documentation>The low value specifies that, for the specified protocol, the analysis environment will accept the packets and will identify the initial connection request. No further interaction is performed.</xs:documentation>
</xs:annotation>
</xs:enumeration>
<xs:enumeration value="honeytrap">
<xs:annotation>
<xs:documentation>The honeytrap value specifies that, for the specified protocol, the analysis environment will establish the connection and attempt to interact with outgoing requests, emulating the remote side. The level of interaction can be subjective and dependent on the particular environment.</xs:documentation>
</xs:annotation>
</xs:enumeration>
<xs:enumeration value="live">
<xs:annotation>
<xs:documentation>The live value specifies that, for the specified protocol, the analysis environment allows the malware to connect out to the real (unemulated) IP. Results recorded at this level reflect contact with real external hosts rather than an emulated network, which consumers should take into account when interpreting them.</xs:documentation>
</xs:annotation>
</xs:enumeration>
<xs:enumeration value="none">
<xs:annotation>
<xs:documentation>The none value specifies that, for the specified protocol, the analysis environment does not support or perform any level of interaction.</xs:documentation>
</xs:annotation>
</xs:enumeration>
</xs:restriction>
</xs:simpleType>