From 755cfb4169670d306773b6ec69797cb79a41683c Mon Sep 17 00:00:00 2001
From: makflwana
Date: Thu, 24 May 2018 23:10:32 +1000
Subject: [PATCH] MAEC 5.0 Malware obfuscation methods
---
 .../machinetag.json | 66 +++++++++++++++++++
 1 file changed, 66 insertions(+)
 create mode 100644 maec-malware-obfuscation-methods/machinetag.json
diff --git a/maec-malware-obfuscation-methods/machinetag.json b/maec-malware-obfuscation-methods/machinetag.json
new file mode 100644
index 0000000..8d7d1dd
--- /dev/null
+++ b/maec-malware-obfuscation-methods/machinetag.json
@@ -0,0 +1,66 @@
+{
+ "namespace": "MAEC Obfuscation methods",
+ "description": "Obfuscation methods used by malware based on MAEC 5.0",
+ "version": 1,
+ "predicates": [
+ {
+ "value": "maec-obfuscation-methods",
+ "expanded": "MAEC Obfuscation methods"
+ }
+ ],
+ "values": [
+ {
+ "predicate": "maec-obfuscation-methods",
+ "entry": [
+ {
+ "value": "packing",
+ "expanded": "packing"
+ },
+ {
+ "value": "code-encryption",
+ "expanded": "code-encryption"
+ },
+ {
+ "value": "dead-code-insertion",
+ "expanded": "dead-code-insertion"
+ },
+ {
+ "value": "entry-point-obfuscation",
+ "expanded": "entry-point-obfuscation"
+ },
+ {
+ "value": "import-address-table-obfuscation",
+ "expanded": "import-address-table-obfuscation"
+ },
+ {
+ "value": "interleaving-code",
+ "expanded": "interleaving-code"
+ },
+ {
+ "value": "symbolic-obfuscation",
+ "expanded": "symbolic-obfuscation"
+ },
+ {
+ "value": "string-obfuscation",
+ "expanded": "string-obfuscation"
+ },
+ {
+ "value": "subroutine-reordering",
+ "expanded": "subroutine-reordering"
+ },
+ {
+ "value": "code-transposition",
+ "expanded": "code-transposition"
+ },
+ {
+ "value": "instruction-substitution",
+ "expanded": "instruction-substitution"
+ },
+ {
+ "value": "register-reassignment",
+ "expanded": "register-reassignment"
+ }
+ ],
+ }
+ ]
+}
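Review bot: The new file is not valid JSON. Near the end of the hunk the `"entry"` array closes with `],` immediately before the `}` that ends the values object, and a strict RFC 8259 parser rejects that trailing comma, so the taxonomy would fail to load and none of its tags would be available to analysts. Change that line to `]`. Separately, `"namespace": "MAEC Obfuscation methods"` contains spaces and capitals and differs from the directory name `maec-malware-obfuscation-methods`. Since the namespace presumably forms the first part of every machine tag, a lowercase hyphenated identifier such as the directory name looks intended, which should be confirmed against the repository's conventions.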