{
  "namespace": "malware_classification",
  "description": "Classification based on different categories. Based on https://www.sans.org/reading-room/whitepapers/incident/malware-101-viruses-32848",
  "version": 2,
  "predicates": [
    { "value": "malware-category", "expanded": "Malware Category" },
    { "value": "obfuscation-technique", "expanded": "Obfuscation Technique" },
    { "value": "payload-classification", "expanded": "Payload Classification" },
    { "value": "memory-classification", "expanded": "Memory Classification" }
  ],
  "values": [
    {
      "predicate": "malware-category",
      "entry": [
        { "value": "Virus", "expanded": "Virus" },
        { "value": "Worm", "expanded": "Worm" },
        { "value": "Trojan", "expanded": "Trojan" },
        { "value": "Ransomware", "expanded": "Ransomware" },
        { "value": "Rootkit", "expanded": "Rootkit" },
        { "value": "Downloader", "expanded": "Downloader" },
        { "value": "Adware", "expanded": "Adware" },
        { "value": "Spyware", "expanded": "Spyware" },
        { "value": "Botnet", "expanded": "Botnet" }
      ]
    },
    {
      "predicate": "obfuscation-technique",
      "entry": [
        { "value": "no-obfuscation", "expanded": "No obfuscation is used" },
        { "value": "encryption", "expanded": "encryption" },
        { "value": "oligomorphism", "expanded": "oligomorphism" },
        { "value": "metamorphism", "expanded": "metamorphism" },
        { "value": "stealth", "expanded": "stealth" },
        { "value": "armouring", "expanded": "armouring" },
        { "value": "tunneling", "expanded": "tunneling" },
        { "value": "XOR", "expanded": "XOR" },
        { "value": "BASE64", "expanded": "BASE64" },
        { "value": "ROT13", "expanded": "ROT13" }
      ]
    },
    {
      "predicate": "payload-classification",
      "entry": [
        { "value": "no-payload", "expanded": "No payload" },
        { "value": "non-destructive", "expanded": "Non-Destructive" },
        { "value": "destructive", "expanded": "Destructive" },
        { "value": "dropper", "expanded": "Dropper" }
      ]
    },
    {
      "predicate": "memory-classification",
      "entry": [
        { "value": "resident", "expanded": "In memory" },
        { "value": "temporary-resident", "expanded": "In memory temporarily" },
        { "value": "swapping-mode", "expanded": "Only a part loaded in memory temporarily" },
        { "value": "non-resident", "expanded": "Not in memory" },
        { "value": "user-process", "expanded": "As a user level process" },
        { "value": "kernel-process", "expanded": "As a process in the kernel" }
      ]
    }
  ]
}