misp-taxonomies/malware_classification/machinetag.json

{
  "namespace": "malware_classification",
  "description": "Classification based on different categories. Based on https://www.sans.org/reading-room/whitepapers/incident/malware-101-viruses-32848",
  "version": 2,
  "predicates": [
    {
      "value": "malware-category",
      "expanded": "Malware Category"
    },
    {
      "value": "obfuscation-technique",
      "expanded": "Obfuscation Technique"
    },
    {
      "value": "payload-classification",
      "expanded": "Payload Classification"
    },
    {
      "value": "memory-classification",
      "expanded": "Memory Classification"
    }
  ],
  "values": [
    {
      "predicate": "malware-category",
      "entry": [
        {
          "value": "Virus",
          "expanded": "Virus"
        },
        {
          "value": "Worm",
          "expanded": "Worm"
        },
        {
          "value": "Trojan",
          "expanded": "Trojan"
        },
        {
          "value": "Ransomware",
          "expanded": "Ransomware"
        },
        {
          "value": "Rootkit",
          "expanded": "Rootkit"
        },
        {
          "value": "Downloader",
          "expanded": "Downloader"
        },
        {
          "value": "Adware",
          "expanded": "Adware"
        },
        {
          "value": "Spyware",
          "expanded": "Spyware"
        },
        {
          "value": "Botnet",
          "expanded": "Botnet"
        }
      ]
    },
    {
      "predicate": "obfuscation-technique",
      "entry": [
        {
          "value": "no-obfuscation",
          "expanded": "No obfuscation is used"
        },
        {
          "value": "encryption",
          "expanded": "encryption"
        },
        {
          "value": "oligomorphism",
          "expanded": "oligomorphism"
        },
        {
          "value": "metamorphism",
          "expanded": "metamorphism"
        },
        {
          "value": "stealth",
          "expanded": "stealth"
        },
        {
          "value": "armouring",
          "expanded": "armouring"
        },
        {
          "value": "tunneling",
          "expanded": "tunneling"
        },
        {
          "value": "XOR",
          "expanded": "XOR"
        },
        {
          "value": "BASE64",
          "expanded": "BASE64"
        },
        {
          "value": "ROT13",
          "expanded": "ROT13"
        }
      ]
    },
    {
      "predicate": "payload-classification",
      "entry": [
        {
          "value": "no-payload",
          "expanded": "No payload"
        },
        {
          "value": "non-destructive",
          "expanded": "Non-Destructive"
        },
        {
          "value": "destructive",
          "expanded": "Destructive"
        },
        {
          "value": "dropper",
          "expanded": "Dropper"
        }
      ]
    },
    {
      "predicate": "memory-classification",
      "entry": [
        {
          "value": "resident",
          "expanded": "In memory"
        },
        {
          "value": "temporary-resident",
          "expanded": "In memory temporarily"
        },
        {
          "value": "swapping-mode",
          "expanded": "Only a part loaded in memory temporarily"
        },
        {
          "value": "non-resident",
          "expanded": "Not in memory"
        },
        {
          "value": "user-process",
          "expanded": "As a user level process"
        },
        {
          "value": "kernel-process",
          "expanded": "As a process in the kernel"
        }
      ]
    }
  ]
}
first shot of malware classification 2016-02-04 16:48:59 +01:00			`{`
			`"namespace": "malware_classification",`
			`"description": "Classification based on different categories. Based on https://www.sans.org/reading-room/whitepapers/incident/malware-101-viruses-32848",`
Update schema, fix taxonomies accordingly. 2017-02-13 16:39:06 +01:00			`"version": 2,`
first shot of malware classification 2016-02-04 16:48:59 +01:00			`"predicates": [`
			`{`
			`"value": "malware-category",`
			`"expanded": "Malware Category"`
			`},`
			`{`
			`"value": "obfuscation-technique",`
			`"expanded": "Obfuscation Technique"`
			`},`
			`{`
			`"value": "payload-classification",`
			`"expanded": "Payload Classification"`
			`},`
			`{`
			`"value": "memory-classification",`
			`"expanded": "Memory Classification"`
			`}`
			`],`
			`"values": [`
			`{`
			`"predicate": "malware-category",`
			`"entry": [`
			`{`
			`"value": "Virus",`
			`"expanded": "Virus"`
			`},`
			`{`
			`"value": "Worm",`
			`"expanded": "Worm"`
			`},`
			`{`
			`"value": "Trojan",`
			`"expanded": "Trojan"`
			`},`
			`{`
			`"value": "Ransomware",`
			`"expanded": "Ransomware"`
			`},`
			`{`
			`"value": "Rootkit",`
			`"expanded": "Rootkit"`
			`},`
			`{`
			`"value": "Downloader",`
			`"expanded": "Downloader"`
			`},`
			`{`
			`"value": "Adware",`
			`"expanded": "Adware"`
			`},`
			`{`
			`"value": "Spyware",`
			`"expanded": "Spyware"`
add Botnet to malware_classification:malware-category 2016-08-12 10:29:28 +02:00			`},`
			`{`
JQ all the things 2017-02-13 12:02:51 +01:00			`"value": "Botnet",`
			`"expanded": "Botnet"`
first shot of malware classification 2016-02-04 16:48:59 +01:00			`}`
			`]`
			`},`
			`{`
			`"predicate": "obfuscation-technique",`
			`"entry": [`
			`{`
			`"value": "no-obfuscation",`
			`"expanded": "No obfuscation is used"`
			`},`
			`{`
			`"value": "encryption",`
			`"expanded": "encryption"`
			`},`
			`{`
			`"value": "oligomorphism",`
			`"expanded": "oligomorphism"`
			`},`
			`{`
			`"value": "metamorphism",`
			`"expanded": "metamorphism"`
			`},`
			`{`
			`"value": "stealth",`
			`"expanded": "stealth"`
			`},`
			`{`
			`"value": "armouring",`
			`"expanded": "armouring"`
			`},`
			`{`
			`"value": "tunneling",`
			`"expanded": "tunneling"`
			`},`
			`{`
			`"value": "XOR",`
			`"expanded": "XOR"`
			`},`
			`{`
			`"value": "BASE64",`
			`"expanded": "BASE64"`
			`},`
			`{`
			`"value": "ROT13",`
			`"expanded": "ROT13"`
			`}`
			`]`
			`},`
			`{`
			`"predicate": "payload-classification",`
			`"entry": [`
			`{`
			`"value": "no-payload",`
			`"expanded": "No payload"`
			`},`
			`{`
			`"value": "non-destructive",`
			`"expanded": "Non-Destructive"`
			`},`
			`{`
			`"value": "destructive",`
			`"expanded": "Destructive"`
			`},`
			`{`
			`"value": "dropper",`
			`"expanded": "Dropper"`
			`}`
			`]`
			`},`
			`{`
			`"predicate": "memory-classification",`
			`"entry": [`
			`{`
			`"value": "resident",`
			`"expanded": "In memory"`
			`},`
			`{`
			`"value": "temporary-resident",`
			`"expanded": "In memory temporarily"`
			`},`
			`{`
			`"value": "swapping-mode",`
			`"expanded": "Only a part loaded in memory temporarily"`
			`},`
			`{`
			`"value": "non-resident",`
			`"expanded": "Not in memory"`
			`},`
			`{`
			`"value": "user-process",`
			`"expanded": "As a user level process"`
			`},`
			`{`
			`"value": "kernel-process",`
			`"expanded": "As a process in the kernel"`
			`}`
			`]`
			`}`
			`]`
			`}`