From 2c0657fd68c00d16fb6bc87e46316ed09d347675 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Thu, 28 Dec 2017 17:35:47 +0100
Subject: [PATCH] new taxonomy runtime-packer added

Runtime or software packer used to combine compressed data with the decompression code. The decompression code can add additional obfuscations mechanisms including polymorphic-packer or other o bfuscation techniques. This taxonomy lists all the known or official packer used for legitimate use or for packing malicious binaries.
---
 MANIFEST.json | 7 +-
 README.md | 2 +
 runtime-packer/machinetag.json | 126 +++++++++++++++++++++++++++++++++
 3 files changed, 134 insertions(+), 1 deletion(-)
 create mode 100755 runtime-packer/machinetag.json

diff --git a/MANIFEST.json b/MANIFEST.json
index 84f0d17..01139a6 100644
--- a/MANIFEST.json
+++ b/MANIFEST.json
@@ -239,11 +239,16 @@
 "version": 2,
 "name": "workflow",
 "description": "Workflow support language is a common language to support intelligence analysts to perform their analysis on data and information."
+ },
+ {
+ "version": 1,
+ "name": "runtime-packer",
+ "description": "Runtime or software packer used to combine compressed data with the decompression code. The decompression code can add additional obfuscations mechanisms including polymorphic-packer or other obfuscation techniques. This taxonomy lists all the known or official packer used for legitimate use or for packing malicious binaries."
 }
 ],
 "path": "machinetag.json",
 "url": "https://raw.githubusercontent.com/MISP/misp-taxonomies/master/",
 "description": "Manifest file of MISP taxonomies available.",
 "license": "CC-0",
- "version": "20171211"
+ "version": "20171228"
 }
diff --git a/README.md b/README.md
index bbbd2a0..e111527 100644
--- a/README.md
+++ b/README.md
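Review bot: The `description` string added for the `runtime-packer` entry carries the same wording slips as its copies in README.md and runtime-packer/machinetag.json ("additional obfuscations mechanisms", "all the known or official packer"), and "lists all the known … packer" claims a completeness that a 25-entry, PE-only value list cannot back, which matters because this text is what an analyst reads when choosing the tag. I would correct it once and paste the identical string into all three files: `"description": "Runtime or software packer used to combine compressed data with the decompression code. The decompression code can add additional obfuscation mechanisms, including polymorphic packing or other obfuscation techniques. This taxonomy lists known or official packers used for legitimate software or for packing malicious binaries."`. The enclosing array starts above the hunk; the manifest `version` bump to 20171228 matches the commit date.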
@@ -37,6 +37,8 @@ The following taxonomies are described:
 - [NATO Classification Marking](./nato)
 - [Open Threat Taxonomy v1.1 (SANS)](./open_threat)
 - [OSINT Open Source Intelligence - Classification](./osint)
+- [runtime-packer](./runtime-packer) - Runtime or software packer used to combine compressed data with the decompression code. The decompression code can add additional obfuscations mechanisms including polymorphic-packer or other o
+bfuscation techniques. This taxonomy lists all the known or official packer used for legitimate use or for packing malicious binaries.
 - [STIX-TTP](./stix-ttp) - Represents the behavior or modus operandi of cyber adversaries as normalized in STIX
 - [Stealth Malware Taxonomy as defined by Joanna Rutkowska](./stealth-malware)
 - [The Permissible Actions Protocol - or short: PAP - was designed to indicate how the received information can be used.](./PAP)
diff --git a/runtime-packer/machinetag.json b/runtime-packer/machinetag.json
new file mode 100755
index 0000000..dac4ad7
--- /dev/null
+++ b/runtime-packer/machinetag.json
@@ -0,0 +1,126 @@
+{
+ "namespace": "runtime-packer",
+ "description": "Runtime or software packer used to combine compressed data with the decompression code. The decompression code can add additional obfuscations mechanisms including polymorphic-packer or other obfuscation techniques. This taxonomy lists all the known or official packer used for legitimate use or for packing malicious binaries.",
+ "version": 1,
+ "predicates": [
+ {
+ "value": "portable-executable",
+ "expanded": "Portable Executable (PE)"
+ },
+ {
+ "value": "elf",
+ "expanded": "ELF"
+ },
+ {
+ "value": "cli-assembly",
+ "expanded": "CLI assembly"
+ }
+ ],
+ "values": [
+ {
+ "predicate": "portable-executable",
+ "entry": [
+ {
+ "value": ".netshrink",
+ "expanded": ".netshrink"
+ },
+ {
+ "value": "armadillo",
+ "expanded": "Armadillo"
+ },
+ {
+ "value": "aspack",
+ "expanded": "ASPack"
+ },
+ {
+ "value": "aspr-asprotect",
+ "expanded": "ASPR (ASProtect)"
+ },
+ {
+ "value": "boxedapp-packer",
+ "expanded": "BoxedApp Packer"
+ },
+ {
+ "value": "cexe",
+ "expanded": "CExe"
+ },
+ {
+ "value": "dotbundle",
+ "expanded": "dotBundle"
+ },
+ {
+ "value": "enigma-protector",
+ "expanded": "Enigma Protector"
+ },
+ {
+ "value": "exe-bundle",
+ "expanded": "EXE Bundle"
+ },
+ {
+ "value": "exe-stealth",
+ "expanded": "EXE Stealth"
+ },
+ {
+ "value": "expressor",
+ "expanded": "eXPressor"
+ },
+ {
+ "value": "fsg",
+ "expanded": "FSG"
+ },
+ {
+ "value": "kkrunchy-src",
+ "expanded": "kkrunchy src"
+ },
+ {
+ "value": "mew",
+ "expanded": "MEW"
+ },
+ {
+ "value": "mpress",
+ "expanded": "MPRESS"
+ },
+ {
+ "value": "obsidium",
+ "expanded": "Obsidium"
+ },
+ {
+ "value": "pelock",
+ "expanded": "PELock"
+ },
+ {
+ "value": "pespin",
+ "expanded": "PESpin"
+ },
+ {
+ "value": "petite",
+ "expanded": "Petite"
+ },
+ {
+ "value": "rlpack-basic",
+ "expanded": "RLPack Basic"
+ },
+ {
+ "value": "smart-packer-pro",
+ "expanded": "Smart Packer Pro"
+ },
+ {
+ "value": "themida",
+ "expanded": "Themida"
+ },
+ {
+ "value": "upx",
+ "expanded": "UPX"
+ },
+ {
+ "value": "vmprotect",
+ "expanded": "VMProtect"
+ },
+ {
+ "value": "xcomp-xpack",
+ "expanded": "XComp/XPack"
+ }
+ ]
+ }
+ ]
+}
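Review bot: `predicates` declares `elf` and `cli-assembly`, but `values` contains a `"predicate"` block only for `portable-executable`, so the other two can be applied only as bare `runtime-packer:elf` / `runtime-packer:cli-assembly` tags with no packer name; if that is the intent, say so in their `expanded` text (e.g. `"expanded": "ELF (no packer entries yet)"`), otherwise add matching `"predicate"` blocks for them so the three platforms are tagged the same way. The file is also created with mode 100755 (see the diffstat) although it is a data file, not a script; it should be 644 before merging. Minor: `.netshrink` is the only value with a leading dot, so it is worth double-checking that the resulting tag `runtime-packer:portable-executable=".netshrink"` round-trips through MISP's tag parsing the same way as the other entries.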