mirror of https://github.com/MISP/misp-objects
168 lines
4.8 KiB
JSON
168 lines
4.8 KiB
JSON
|
{
|
||
|
"attributes": {
|
||
|
"alias": {
|
||
|
"description": "Alternative name used to identify this malware or malware family.",
|
||
|
"misp-attribute": "text",
|
||
|
"multiple": true,
|
||
|
"ui-priority": 0
|
||
|
},
|
||
|
"architecture_execution_env": {
|
||
|
"description": "The processor architecture that the malware instance or family is executable on.",
|
||
|
"disable_correlation": true,
|
||
|
"misp-attribute": "text",
|
||
|
"multiple": true,
|
||
|
"sane_default": [
|
||
|
"alpha",
|
||
|
"arm",
|
||
|
"ia-64",
|
||
|
"mips",
|
||
|
"powerpc",
|
||
|
"sparc",
|
||
|
"x86",
|
||
|
"x86-64"
|
||
|
],
|
||
|
"ui-priority": 0
|
||
|
},
|
||
|
"capability": {
|
||
|
"description": "Any of the capabilities identified for the malware instance or family.",
|
||
|
"disable_correlation": true,
|
||
|
"misp-attribute": "text",
|
||
|
"multiple": true,
|
||
|
"sane_default": [
|
||
|
"accesses-remote-machines",
|
||
|
"anti-debugging",
|
||
|
"anti-disassembly",
|
||
|
"anti-emulation",
|
||
|
"anti-memory-forensics",
|
||
|
"anti-sandbox",
|
||
|
"anti-vm",
|
||
|
"captures-input-peripherals",
|
||
|
"captures-output-peripherals",
|
||
|
"captures-system-state-data",
|
||
|
"cleans-traces-of-infection",
|
||
|
"commits-fraud",
|
||
|
"communicates-with-c2",
|
||
|
"compromises-data-availability",
|
||
|
"compromises-data-integrity",
|
||
|
"compromises-system-availability",
|
||
|
"controls-local-machine",
|
||
|
"degrades-security-software",
|
||
|
"degrades-system-updates",
|
||
|
"determines-c2-server",
|
||
|
"emails-spam",
|
||
|
"escalates-privileges",
|
||
|
"evades-av",
|
||
|
"exfiltrates-data",
|
||
|
"fingerprints-host",
|
||
|
"hides-artifacts",
|
||
|
"hides-executing-code",
|
||
|
"infects-files",
|
||
|
"infects-remote-machines",
|
||
|
"installs-other-components",
|
||
|
"persists-after-system-reboot",
|
||
|
"prevents-artifact-access",
|
||
|
"prevents-artifact-deletion",
|
||
|
"probes-network-environment",
|
||
|
"self-modifies",
|
||
|
"steals-authentication-credentials",
|
||
|
"violates-system-operational-integrity"
|
||
|
],
|
||
|
"ui-priority": 0
|
||
|
},
|
||
|
"description": {
|
||
|
"description": "A description that provides more details and context about the malware instance or family, potentially including its purpose and its key characteristics.",
|
||
|
"misp-attribute": "text",
|
||
|
"ui-priority": 0
|
||
|
},
|
||
|
"first_seen": {
|
||
|
"description": "The time that the malware instance or family was first seen.",
|
||
|
"misp-attribute": "datetime",
|
||
|
"ui-priority": 0
|
||
|
},
|
||
|
"implementation_language": {
|
||
|
"description": "The programming language used to implement the malware instance or family.",
|
||
|
"disable_correlation": true,
|
||
|
"misp-attribute": "text",
|
||
|
"multiple": true,
|
||
|
"sane_default": [
|
||
|
"applescript",
|
||
|
"bash",
|
||
|
"c",
|
||
|
"c++",
|
||
|
"c#",
|
||
|
"go",
|
||
|
"java",
|
||
|
"javascript",
|
||
|
"lua",
|
||
|
"objective-c",
|
||
|
"perl",
|
||
|
"php",
|
||
|
"powershell",
|
||
|
"python",
|
||
|
"ruby",
|
||
|
"scala",
|
||
|
"swift",
|
||
|
"typescript",
|
||
|
"visual-basic",
|
||
|
"x86-32",
|
||
|
"x86-64"
|
||
|
],
|
||
|
"ui-priority": 0
|
||
|
},
|
||
|
"is_family": {
|
||
|
"description": "Defines whether the object represents a malware family or a malware instance.",
|
||
|
"disable_correlation": true,
|
||
|
"misp-attribute": "bool",
|
||
|
"ui-priority": 1
|
||
|
},
|
||
|
"last_seen": {
|
||
|
"description": "The time that the malware family or malware instance was last seen.",
|
||
|
"misp-attribute": "datetime",
|
||
|
"ui-priority": 0
|
||
|
},
|
||
|
"malware_type": {
|
||
|
"description": "A set of categorizations for the malware being described.",
|
||
|
"disable_correlation": true,
|
||
|
"misp-attribute": "text",
|
||
|
"multiple": true,
|
||
|
"sane_default": [
|
||
|
"adware",
|
||
|
"backdoor",
|
||
|
"bot",
|
||
|
"bootkit",
|
||
|
"ddos",
|
||
|
"downloader",
|
||
|
"dropper",
|
||
|
"exploit-kit",
|
||
|
"keylogger",
|
||
|
"ransomware",
|
||
|
"remote-access-trojan",
|
||
|
"resource-exploitation",
|
||
|
"rogue-security-software",
|
||
|
"rootkit",
|
||
|
"screen-capture",
|
||
|
"spyware",
|
||
|
"trojan",
|
||
|
"unknown",
|
||
|
"virus",
|
||
|
"webshell",
|
||
|
"wiper",
|
||
|
"worm"
|
||
|
],
|
||
|
"ui-priority": 0
|
||
|
},
|
||
|
"name": {
|
||
|
"description": "A name used to identify the malware instance or family. For a malware family the name MUST be defined. If a name for a malware instance is not available, the SHA-256 hash value or sample's filename MAY be used instead.",
|
||
|
"misp-attribute": "text",
|
||
|
"ui-priority": 0
|
||
|
}
|
||
|
},
|
||
|
"description": "Malware is a type of TTP that represents malicious code.",
|
||
|
"meta-category": "misc",
|
||
|
"name": "malware",
|
||
|
"required": [
|
||
|
"is_family"
|
||
|
],
|
||
|
"uuid": "e5ad1d64-4b4e-44f5-9e00-88a705a67f9d",
|
||
|
"version": 1
|
||
|
}
|