misp-taxonomies/malware/machinetag.json

163 lines
3.5 KiB
JSON
Raw Normal View History

2016-02-04 16:48:59 +01:00
{
"namespace": "malware_classification",
"description": "Classification based on different categories. Based on https://www.sans.org/reading-room/whitepapers/incident/malware-101-viruses-32848",
"version": 1,
"predicates": [
{
"value": "malware-category",
"expanded": "Malware Category"
},
{
"value": "obfuscation-technique",
"expanded": "Obfuscation Technique"
},
{
"value": "payload-classification",
"expanded": "Payload Classification"
},
{
"value": "memory-classification",
"expanded": "Memory Classification"
}
],
"values": [
{
"predicate": "malware-category",
"entry": [
{
"value": "Virus",
"expanded": "Virus"
},
{
"value": "Worm",
"expanded": "Worm"
},
{
"value": "Trojan",
"expanded": "Trojan"
},
{
"value": "Ransomware",
"expanded": "Ransomware"
},
{
"value": "Rootkit",
"expanded": "Rootkit"
},
{
"value": "Downloader",
"expanded": "Downloader"
},
{
"value": "Adware",
"expanded": "Adware"
},
{
"value": "Spyware",
"expanded": "Spyware"
}
]
},
{
"predicate": "obfuscation-technique",
"entry": [
{
"value": "no-obfuscation",
"expanded": "No obfuscation is used"
},
{
"value": "encryption",
"expanded": "encryption"
},
{
"value": "oligomorphism",
"expanded": "oligomorphism"
},
{
"value": "metamorphism",
"expanded": "metamorphism"
},
{
"value": "stealth",
"expanded": "stealth"
},
{
"value": "armouring",
"expanded": "armouring"
},
{
"value": "encryption",
"expanded": "encryption"
},
{
"value": "tunneling",
"expanded": "tunneling"
},
{
"value": "XOR",
"expanded": "XOR"
},
{
"value": "BASE64",
"expanded": "BASE64"
},
{
"value": "ROT13",
"expanded": "ROT13"
}
]
},
{
"predicate": "payload-classification",
"entry": [
{
"value": "no-payload",
"expanded": "No payload"
},
{
"value": "non-destructive",
"expanded": "Non-Destructive"
},
{
"value": "destructive",
"expanded": "Destructive"
},
{
"value": "dropper",
"expanded": "Dropper"
}
]
},
{
"predicate": "memory-classification",
"entry": [
{
"value": "resident",
"expanded": "In memory"
},
{
"value": "temporary-resident",
"expanded": "In memory temporarily"
},
{
"value": "swapping-mode",
"expanded": "Only a part loaded in memory temporarily"
},
{
"value": "non-resident",
"expanded": "Not in memory"
},
{
"value": "user-process",
"expanded": "As a user level process"
},
{
"value": "kernel-process",
"expanded": "As a process in the kernel"
}
]
}
]
}