{ "attributes": { "alias": { "description": "Alternative name used to identify this malware or malware family.", "misp-attribute": "text", "multiple": true, "ui-priority": 0 }, "architecture_execution_env": { "description": "The processor architecture that the malware instance or family is executable on.", "disable_correlation": true, "misp-attribute": "text", "multiple": true, "sane_default": [ "alpha", "arm", "ia-64", "mips", "powerpc", "sparc", "x86", "x86-64" ], "ui-priority": 0 }, "capability": { "description": "Any of the capabilities identified for the malware instance or family.", "disable_correlation": true, "misp-attribute": "text", "multiple": true, "sane_default": [ "accesses-remote-machines", "anti-debugging", "anti-disassembly", "anti-emulation", "anti-memory-forensics", "anti-sandbox", "anti-vm", "captures-input-peripherals", "captures-output-peripherals", "captures-system-state-data", "cleans-traces-of-infection", "commits-fraud", "communicates-with-c2", "compromises-data-availability", "compromises-data-integrity", "compromises-system-availability", "controls-local-machine", "degrades-security-software", "degrades-system-updates", "determines-c2-server", "emails-spam", "escalates-privileges", "evades-av", "exfiltrates-data", "fingerprints-host", "hides-artifacts", "hides-executing-code", "infects-files", "infects-remote-machines", "installs-other-components", "persists-after-system-reboot", "prevents-artifact-access", "prevents-artifact-deletion", "probes-network-environment", "self-modifies", "steals-authentication-credentials", "violates-system-operational-integrity" ], "ui-priority": 0 }, "description": { "description": "A description that provides more details and context about the malware instance or family, potentially including its purpose and its key characteristics.", "misp-attribute": "text", "ui-priority": 0 }, "first_seen": { "description": "The time that the malware instance or family was first seen.", "misp-attribute": "datetime", 
"ui-priority": 0 }, "implementation_language": { "description": "The programming language used to implement the malware instance or family.", "disable_correlation": true, "misp-attribute": "text", "multiple": true, "sane_default": [ "applescript", "bash", "c", "c++", "c#", "go", "java", "javascript", "lua", "objective-c", "perl", "php", "powershell", "python", "ruby", "scala", "swift", "typescript", "visual-basic", "x86-32", "x86-64" ], "ui-priority": 0 }, "is_family": { "description": "Defines whether the object represents a malware family (true) or a malware instance (false).", "disable_correlation": true, "misp-attribute": "boolean", "ui-priority": 1 }, "last_seen": { "description": "The time that the malware family or malware instance was last seen.", "misp-attribute": "datetime", "ui-priority": 0 }, "malware_type": { "description": "A set of categorizations for the malware being described.", "disable_correlation": true, "misp-attribute": "text", "multiple": true, "sane_default": [ "adware", "backdoor", "bot", "bootkit", "ddos", "downloader", "dropper", "exploit-kit", "keylogger", "ransomware", "remote-access-trojan", "resource-exploitation", "rogue-security-software", "rootkit", "screen-capture", "spyware", "trojan", "unknown", "virus", "webshell", "wiper", "worm" ], "ui-priority": 0 }, "name": { "description": "A name used to identify the malware instance or family. For a malware family the name MUST be defined. If a name for a malware instance is not available, the SHA-256 hash value or sample's filename MAY be used instead.", "misp-attribute": "text", "ui-priority": 0 } }, "description": "Malware is a type of TTP that represents malicious code.", "meta-category": "misc", "name": "malware", "required": [ "is_family" ], "uuid": "e5ad1d64-4b4e-44f5-9e00-88a705a67f9d", "version": 1 }