{
"namespace" : "malware_classification" ,
"description" : "Malware classification along four independent axes: malware category, obfuscation technique, payload classification and memory (residency) classification. Based on https://www.sans.org/reading-room/whitepapers/incident/malware-101-viruses-32848" ,
"version" : 1 ,
"predicates" : [
{
"value" : "malware-category" ,
"expanded" : "Malware Category"
} ,
{
"value" : "obfuscation-technique" ,
"expanded" : "Obfuscation Technique"
} ,
{
"value" : "payload-classification" ,
"expanded" : "Payload Classification"
} ,
{
"value" : "memory-classification" ,
"expanded" : "Memory Classification"
}
] ,
"values" : [
{
"predicate" : "malware-category" ,
"entry" : [
{
"value" : "Virus" ,
"expanded" : "Virus"
} ,
{
"value" : "Worm" ,
"expanded" : "Worm"
} ,
{
"value" : "Trojan" ,
"expanded" : "Trojan"
} ,
{
"value" : "Ransomware" ,
"expanded" : "Ransomware"
} ,
{
"value" : "Rootkit" ,
"expanded" : "Rootkit"
} ,
{
"value" : "Downloader" ,
"expanded" : "Downloader"
} ,
{
"value" : "Adware" ,
"expanded" : "Adware"
} ,
{
"value" : "Spyware" ,
"expanded" : "Spyware"
} ,
{
"value" : "Botnet" ,
"expanded" : "Botnet"
}
]
} ,
{
"predicate" : "obfuscation-technique" ,
"entry" : [
{
"value" : "no-obfuscation" ,
"expanded" : "No obfuscation is used"
} ,
{
"value" : "encryption" ,
"expanded" : "Encryption"
} ,
{
"value" : "oligomorphism" ,
"expanded" : "Oligomorphism"
} ,
{
"value" : "metamorphism" ,
"expanded" : "Metamorphism"
} ,
{
"value" : "stealth" ,
"expanded" : "Stealth"
} ,
{
"value" : "armouring" ,
"expanded" : "Armouring"
} ,
{
"value" : "encryption" ,
"expanded" : "Encryption"
} ,
{
"value" : "tunneling" ,
"expanded" : "Tunneling"
} ,
{
"value" : "XOR" ,
"expanded" : "XOR"
} ,
{
"value" : "BASE64" ,
"expanded" : "BASE64"
} ,
{
"value" : "ROT13" ,
"expanded" : "ROT13"
}
]
} ,
{
"predicate" : "payload-classification" ,
"entry" : [
{
"value" : "no-payload" ,
"expanded" : "No payload"
} ,
{
"value" : "non-destructive" ,
"expanded" : "Non-Destructive"
} ,
{
"value" : "destructive" ,
"expanded" : "Destructive"
} ,
{
"value" : "dropper" ,
"expanded" : "Dropper"
}
]
} ,
{
"predicate" : "memory-classification" ,
"entry" : [
{
"value" : "resident" ,
"expanded" : "In memory"
} ,
{
"value" : "temporary-resident" ,
"expanded" : "In memory temporarily"
} ,
{
"value" : "swapping-mode" ,
"expanded" : "Only a part loaded in memory temporarily"
} ,
{
"value" : "non-resident" ,
"expanded" : "Not in memory"
} ,
{
"value" : "user-process" ,
"expanded" : "As a user level process"
} ,
{
"value" : "kernel-process" ,
"expanded" : "As a process in the kernel"
}
]
}
]
}