new taxonomy runtime-packer added

Runtime or software packer used to combine compressed data with the decompression code. The decompression code can add additional obfuscations mechanisms including polymorphic-packer or other o bfuscation techniques. This taxonomy lists all the known or official packer used for legitimate use or for packing malicious binaries.
2017-12-28 17:35:47 +01:00 · 2017-12-28 17:35:47 +01:00 · 2c0657fd68
parent ecd5f9b72d
commit 2c0657fd68
3 changed files with 134 additions and 1 deletions
--- a/MANIFEST.json
+++ b/MANIFEST.json
@ -239,11 +239,16 @@
      "version": 2,
      "name": "workflow",
      "description": "Workflow support language is a common language to support intelligence analysts to perform their analysis on data and information."
+    },
+    {
+      "version": 1,
+      "name": "runtime-packer",
+      "description": "Runtime or software packer used to combine compressed data with the decompression code. The decompression code can add additional obfuscations mechanisms including polymorphic-packer or other obfuscation techniques. This taxonomy lists all the known or official packer used for legitimate use or for packing malicious binaries."
    }
  ],
  "path": "machinetag.json",
  "url": "https://raw.githubusercontent.com/MISP/misp-taxonomies/master/",
  "description": "Manifest file of MISP taxonomies available.",
  "license": "CC-0",
-  "version": "20171211"
+  "version": "20171228"
 }
--- a/README.md
+++ b/README.md
@ -37,6 +37,8 @@ The following taxonomies are described:
 - [NATO Classification Marking](./nato)
 - [Open Threat Taxonomy v1.1 (SANS)](./open_threat)
 - [OSINT Open Source Intelligence - Classification](./osint)
+- [runtime-packer](./runtime-packer) - Runtime or software packer used to combine compressed data with the decompression code. The decompression code can add additional obfuscations mechanisms including polymorphic-packer or other o
+bfuscation techniques. This taxonomy lists all the known or official packer used for legitimate use or for packing malicious binaries.
 - [STIX-TTP](./stix-ttp) - Represents the behavior or modus operandi of cyber adversaries as normalized in STIX
 - [Stealth Malware Taxonomy as defined by Joanna Rutkowska](./stealth-malware)
 - [The Permissible Actions Protocol - or short: PAP - was designed to indicate how the received information can be used.](./PAP)
--- a/runtime-packer/machinetag.json
+++ b/runtime-packer/machinetag.json
@ -0,0 +1,126 @@
+{
+  "namespace": "runtime-packer",
+  "description": "Runtime or software packer used to combine compressed data with the decompression code. The decompression code can add additional obfuscations mechanisms including polymorphic-packer or other obfuscation techniques. This taxonomy lists all the known or official packer used for legitimate use or for packing malicious binaries.",
+  "version": 1,
+  "predicates": [
+    {
+      "value": "portable-executable",
+      "expanded": "Portable Executable (PE)"
+    },
+    {
+      "value": "elf",
+      "expanded": "ELF"
+    },
+    {
+      "value": "cli-assembly",
+      "expanded": "CLI assembly"
+    }
+  ],
+  "values": [
+    {
+      "predicate": "portable-executable",
+      "entry": [
+        {
+          "value": ".netshrink",
+          "expanded": ".netshrink"
+        },
+        {
+          "value": "armadillo",
+          "expanded": "Armadillo"
+        },
+        {
+          "value": "aspack",
+          "expanded": "ASPack"
+        },
+        {
+          "value": "aspr-asprotect",
+          "expanded": "ASPR (ASProtect)"
+        },
+        {
+          "value": "boxedapp-packer",
+          "expanded": "BoxedApp Packer"
+        },
+        {
+          "value": "cexe",
+          "expanded": "CExe"
+        },
+        {
+          "value": "dotbundle",
+          "expanded": "dotBundle"
+        },
+        {
+          "value": "enigma-protector",
+          "expanded": "Enigma Protector"
+        },
+        {
+          "value": "exe-bundle",
+          "expanded": "EXE Bundle"
+        },
+        {
+          "value": "exe-stealth",
+          "expanded": "EXE Stealth"
+        },
+        {
+          "value": "expressor",
+          "expanded": "eXPressor"
+        },
+        {
+          "value": "fsg",
+          "expanded": "FSG"
+        },
+        {
+          "value": "kkrunchy-src",
+          "expanded": "kkrunchy src"
+        },
+        {
+          "value": "mew",
+          "expanded": "MEW"
+        },
+        {
+          "value": "mpress",
+          "expanded": "MPRESS"
+        },
+        {
+          "value": "obsidium",
+          "expanded": "Obsidium"
+        },
+        {
+          "value": "pelock",
+          "expanded": "PELock"
+        },
+        {
+          "value": "pespin",
+          "expanded": "PESpin"
+        },
+        {
+          "value": "petite",
+          "expanded": "Petite"
+        },
+        {
+          "value": "rlpack-basic",
+          "expanded": "RLPack Basic"
+        },
+        {
+          "value": "smart-packer-pro",
+          "expanded": "Smart Packer Pro"
+        },
+        {
+          "value": "themida",
+          "expanded": "Themida"
+        },
+        {
+          "value": "upx",
+          "expanded": "UPX"
+        },
+        {
+          "value": "vmprotect",
+          "expanded": "VMProtect"
+        },
+        {
+          "value": "xcomp-xpack",
+          "expanded": "XComp/XPack"
+        }
+      ]
+    }
+  ]
+}