170 lines
3.6 KiB
JSON
170 lines
3.6 KiB
JSON
{
|
|
"namespace": "malware_classification",
|
|
"description": "Classification based on different categories. Based on https://www.sans.org/reading-room/whitepapers/incident/malware-101-viruses-32848",
|
|
"version": 3,
|
|
"predicates": [
|
|
{
|
|
"value": "malware-category",
|
|
"expanded": "Malware Category"
|
|
},
|
|
{
|
|
"value": "obfuscation-technique",
|
|
"expanded": "Obfuscation Technique"
|
|
},
|
|
{
|
|
"value": "payload-classification",
|
|
"expanded": "Payload Classification"
|
|
},
|
|
{
|
|
"value": "memory-classification",
|
|
"expanded": "Memory Classification"
|
|
}
|
|
],
|
|
"values": [
|
|
{
|
|
"predicate": "malware-category",
|
|
"entry": [
|
|
{
|
|
"value": "Virus",
|
|
"expanded": "Virus"
|
|
},
|
|
{
|
|
"value": "Worm",
|
|
"expanded": "Worm"
|
|
},
|
|
{
|
|
"value": "Trojan",
|
|
"expanded": "Trojan"
|
|
},
|
|
{
|
|
"value": "Ransomware",
|
|
"expanded": "Ransomware"
|
|
},
|
|
{
|
|
"value": "Rootkit",
|
|
"expanded": "Rootkit"
|
|
},
|
|
{
|
|
"value": "Downloader",
|
|
"expanded": "Downloader"
|
|
},
|
|
{
|
|
"value": "Adware",
|
|
"expanded": "Adware"
|
|
},
|
|
{
|
|
"value": "Stalkerware",
|
|
"expanded": "Stalkerware"
|
|
},
|
|
{
|
|
"value": "Spyware",
|
|
"expanded": "Spyware"
|
|
},
|
|
{
|
|
"value": "Zombieware",
|
|
"expanded": "Zombieware"
|
|
},
|
|
{
|
|
"value": "Botnet",
|
|
"expanded": "Botnet"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"predicate": "obfuscation-technique",
|
|
"entry": [
|
|
{
|
|
"value": "no-obfuscation",
|
|
"expanded": "No obfuscation is used"
|
|
},
|
|
{
|
|
"value": "encryption",
|
|
"expanded": "encryption"
|
|
},
|
|
{
|
|
"value": "oligomorphism",
|
|
"expanded": "oligomorphism"
|
|
},
|
|
{
|
|
"value": "metamorphism",
|
|
"expanded": "metamorphism"
|
|
},
|
|
{
|
|
"value": "stealth",
|
|
"expanded": "stealth"
|
|
},
|
|
{
|
|
"value": "armouring",
|
|
"expanded": "armouring"
|
|
},
|
|
{
|
|
"value": "tunneling",
|
|
"expanded": "tunneling"
|
|
},
|
|
{
|
|
"value": "XOR",
|
|
"expanded": "XOR"
|
|
},
|
|
{
|
|
"value": "BASE64",
|
|
"expanded": "BASE64"
|
|
},
|
|
{
|
|
"value": "ROT13",
|
|
"expanded": "ROT13"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"predicate": "payload-classification",
|
|
"entry": [
|
|
{
|
|
"value": "no-payload",
|
|
"expanded": "No payload"
|
|
},
|
|
{
|
|
"value": "non-destructive",
|
|
"expanded": "Non-Destructive"
|
|
},
|
|
{
|
|
"value": "destructive",
|
|
"expanded": "Destructive"
|
|
},
|
|
{
|
|
"value": "dropper",
|
|
"expanded": "Dropper"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"predicate": "memory-classification",
|
|
"entry": [
|
|
{
|
|
"value": "resident",
|
|
"expanded": "In memory"
|
|
},
|
|
{
|
|
"value": "temporary-resident",
|
|
"expanded": "In memory temporarily"
|
|
},
|
|
{
|
|
"value": "swapping-mode",
|
|
"expanded": "Only a part loaded in memory temporarily"
|
|
},
|
|
{
|
|
"value": "non-resident",
|
|
"expanded": "Not in memory"
|
|
},
|
|
{
|
|
"value": "user-process",
|
|
"expanded": "As a user level process"
|
|
},
|
|
{
|
|
"value": "kernel-process",
|
|
"expanded": "As a process in the kernel"
|
|
}
|
|
]
|
|
}
|
|
]
|
|
}
|