From 015194e09bd2c1d3b1f5a0e85a65e19a8457d229 Mon Sep 17 00:00:00 2001 From: deralexxx Date: Thu, 4 Feb 2016 16:48:59 +0100 Subject: [PATCH] first shot of malware classification --- malware/README.md | 82 ++++++++++++++++++++ malware/machinetag.json | 162 ++++++++++++++++++++++++++++++++++++++++ 2 files changed, 244 insertions(+) create mode 100644 malware/README.md create mode 100644 malware/machinetag.json diff --git a/malware/README.md b/malware/README.md new file mode 100644 index 0000000..2beea3e --- /dev/null +++ b/malware/README.md @@ -0,0 +1,82 @@ +# Malware Classification + +## Malware Categories + +All malware samples should be classified into one of the categories listed in the table below. + +
+
Virus
+
+ +
Worm
+
+ +
Trojan
+
+ +
Ransomware
+
+ +
Rootkit
+
+ +
Downloader
+
+ +
Adware
+
+ +
Spyware
+
+ +
+ +## Obfuscation Classification + +All malware samples should be classified into one of the categories listed in the table below. + +
+
no-obfuscation
+
No obfuscation is used
+
encryption
+
encryption
+
oligomorphism
+
oligomorphism
+
metamorphism
+
metamorphism
+
stealth
+
stealth
+
armouring
+
armouring
+
encryption
+
encryption
+
tunneling
+
tunneling
+
XOR
+
XOR
+
BASE64
+
BASE64
+
ROT13
+
ROT13
+
+## Payload Classification + + +## Memory Classification + + +# Machine-parsable Malware Classification + +The repository contains a [JSON file including the machine-parsable tags](machinetag.json) +along with their human-readable description. The software can use both +representation on the user-interface and store the tag as machine-parsable. + +~~~~ +malware_classification:malware-category="virus" +~~~~ + +Based on: + +https://www.sans.org/reading-room/whitepapers/incident/malware-101-viruses-32848 + + diff --git a/malware/machinetag.json b/malware/machinetag.json new file mode 100644 index 0000000..e4bf3a6 --- /dev/null +++ b/malware/machinetag.json 
@@ -0,0 +1,162 @@
+{
+ "namespace": "malware_classification",
+ "description": "Classification based on different categories. Based on https://www.sans.org/reading-room/whitepapers/incident/malware-101-viruses-32848",
+ "version": 1,
+ "predicates": [
+ {
+ "value": "malware-category",
+ "expanded": "Malware Category"
+ },
+ {
+ "value": "obfuscation-technique",
+ "expanded": "Obfuscation Technique"
+ },
+ {
+ "value": "payload-classification",
+ "expanded": "Payload Classification"
+ },
+ {
+ "value": "memory-classification",
+ "expanded": "Memory Classification"
+ }
+ ],
+ "values": [
+ {
+ "predicate": "malware-category",
+ "entry": [
+ {
+ "value": "Virus",
+ "expanded": "Virus"
+ },
+ {
+ "value": "Worm",
+ "expanded": "Worm"
+ },
+ {
+ "value": "Trojan",
+ "expanded": "Trojan"
+ },
+ {
+ "value": "Ransomware",
+ "expanded": "Ransomware"
+ },
+ {
+ "value": "Rootkit",
+ "expanded": "Rootkit"
+ },
+ {
+ "value": "Downloader",
+ "expanded": "Downloader"
+ },
+ {
+ "value": "Adware",
+ "expanded": "Adware"
+ },
+ {
+ "value": "Spyware",
+ "expanded": "Spyware"
+ }
+ ]
+ },
+ {
+ "predicate": "obfuscation-technique",
+ "entry": [
+ {
+ "value": "no-obfuscation",
+ "expanded": "No obfuscation is used"
+ },
+ {
+ "value": "encryption",
+ "expanded": "encryption"
+ },
+ {
+ "value": "oligomorphism",
+ "expanded": "oligomorphism"
+ },
+ {
+ "value": "metamorphism",
+ "expanded": "metamorphism"
+ },
+ {
+ "value": "stealth",
+ "expanded": "stealth"
+ },
+ {
+ "value": "armouring",
+ "expanded": "armouring"
+ },
+ {
+ "value": "encryption",
+ "expanded": "encryption"
+ },
+ {
+ "value": "tunneling",
+ "expanded": "tunneling"
+ },
+ {
+ "value": "XOR",
+ "expanded": "XOR"
+ },
+ {
+ "value": "BASE64",
+ "expanded": "BASE64"
+ },
+ {
+ "value": "ROT13",
+ "expanded": "ROT13"
+ }
+ ]
+ },
+ {
+ "predicate": "payload-classification",
+ "entry": [
+ {
+ "value": "no-payload",
+ "expanded": "No payload"
+ },
+ {
+ "value": "non-destructive",
+ "expanded": "Non-Destructive"
+ },
+ {
+ "value": "destructive",
+ "expanded": "Destructive"
+ },
+ {
+ "value": "dropper",
+ "expanded": "Dropper"
+ }
+ ]
+ },
+ {
+ "predicate": "memory-classification",
+ "entry": [
+ {
+ "value": "resident",
+ "expanded": "In memory"
+ },
+ {
+ "value": "temporary-resident",
+ "expanded": "In memory temporarily"
+ },
+ {
+ "value": "swapping-mode",
+ "expanded": "Only a part loaded in memory temporarily"
+ },
+ {
+ "value": "non-resident",
+ "expanded": "Not in memory"
+ },
+ {
+ "value": "user-process",
+ "expanded": "As a user level process"
+ },
+ {
+ "value": "kernel-process",
+ "expanded": "As a process in the kernel"
+ }
+ ]
+ }
+ ]
+}
+
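Review bot: The `obfuscation-technique` entry list declares `encryption` twice (once after `no-obfuscation`, again after `armouring`), so a UI built from this file offers the same tag twice and a consumer that indexes entries by `value` silently keeps only one of them; drop the second `{ "value": "encryption", "expanded": "encryption" },` block. The `malware-category` values are capitalised (`"Virus"`, `"Worm"`, …) while every other predicate uses lowercase hyphenated values, and the README added in this same commit shows the tag as `malware_classification:malware-category="virus"`, so a tag written from the README will not match any entry here; lowercasing the values (`"value": "virus"`) while keeping the capitalised form in `expanded` resolves both the inconsistency and the mismatch. Most obfuscation entries also repeat the value as their `expanded` text (e.g. `"expanded": "oligomorphism"`), which gives the human-readable side no more information than the machine tag; a short descriptive phrase per entry, as `no-obfuscation` already has, would make the list self-documenting.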