├── .gitignore ├── README.md ├── analysis-metadata.json ├── api-call.json ├── behavior.json ├── binary-obfuscation.json ├── capability.json ├── collection.json ├── dynamic-features.json ├── examples ├── artifact_example.json ├── av_classifications_example.json ├── dynamic_triage_tool_output.json ├── in_depth_analysis.json ├── maec_related_malware.json ├── malicious_webpage_example.json ├── network_behavior_example.json ├── object_reuse_example.json ├── package_action_equivalency_example.json ├── package_capability.json ├── package_capability_example_snifula.json ├── package_clustering_example.json ├── package_configuration_parameters_example.json ├── package_development_environment_example.json ├── package_dynamic_triage_example.json ├── package_manual_analysis_example.json ├── package_multi_partite_malware_example.json ├── package_multiple_analysis_example.json ├── package_polymorphic_family_example.json ├── static_triage_example.json ├── vt-to-maec-output-1.json ├── vt-to-maec-output-2.json ├── vt-to-maec-output-3.json └── vt-to-maec-output-4.json ├── external-reference.json ├── field-data.json ├── malware-action.json ├── malware-development-environment.json ├── malware-family.json ├── malware-instance.json ├── name.json ├── package.json ├── process-tree-node.json ├── relationship-distance.json ├── relationship.json ├── signature-metadata.json ├── static-features.json ├── vocabs.json └── x-maec-avclass.json /.gitignore: -------------------------------------------------------------------------------- 1 | # OS X 2 | .DS_Store 3 | .AppleDouble 4 | .LSOverride 5 | Icon 6 | 7 | 8 | # Thumbnails 9 | ._* 10 | 11 | # Files that might appear on external disk 12 | .Spotlight-V100 13 | .Trashes 14 | 15 | # Python 16 | *.py[cod] 17 | 18 | # C extensions 19 | *.so 20 | 21 | # Packages 22 | *.egg 23 | *.egg-info 24 | dist 25 | build 26 | eggs 27 | parts 28 | bin 29 | var 30 | sdist 31 | develop-eggs 32 | .installed.cfg 33 | lib 34 | lib64 35 | __pycache__ 36 | 37 | # Installer 
logs 38 | pip-log.txt 39 | 40 | # Unit test / coverage reports 41 | .coverage 42 | .tox 43 | nosetests.xml 44 | 45 | # Translations 46 | *.mo 47 | 48 | # Mr Developer 49 | .mr.developer.cfg 50 | .project 51 | .pydevproject 52 | 53 | # Ruby 54 | *.gem 55 | *.rbc 56 | .bundle 57 | .config 58 | coverage 59 | InstalledFiles 60 | lib/bundler/man 61 | pkg 62 | rdoc 63 | spec/reports 64 | test/tmp 65 | test/version_tmp 66 | tmp 67 | 68 | # YARD artifacts 69 | .yardoc 70 | _yardoc 71 | doc/ 72 | *.rbc 73 | *.sassc 74 | .sass-cache 75 | capybara-*.html 76 | .rspec 77 | .rvmrc 78 | /.bundle 79 | /vendor/bundle 80 | /log/* 81 | /tmp/* 82 | /db/*.sqlite3 83 | /public/system/* 84 | /coverage/ 85 | /spec/tmp/* 86 | **.orig 87 | rerun.txt 88 | pickle-email-*.html 89 | .project 90 | config/initializers/secret_token.rb 91 | 92 | # Node 93 | lib-cov 94 | *.seed 95 | *.log 96 | *.csv 97 | *.dat 98 | *.out 99 | *.pid 100 | *.gz 101 | 102 | pids 103 | logs 104 | results 105 | 106 | npm-debug.log 107 | node_modules 108 | 109 | # ActionScript 110 | # Build and Release Folders 111 | bin/ 112 | bin-debug/ 113 | bin-release/ 114 | 115 | # Other files and folders 116 | .settings/ 117 | 118 | # Project files, i.e. `.project`, `.actionScriptProperties` and `.flexProperties` 119 | # should NOT be excluded as they contain compiler settings and other important 120 | # information for Eclipse / Flash Builder. 121 | 122 | # Django 123 | *.log 124 | *.pot 125 | *.pyc 126 | local_settings.py 127 | 128 | # ZSH 129 | locals.zsh 130 | 131 | # Custom 132 | validateJSON.py 133 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | MAEC Schemas 2 | ============ 3 | 4 | This repository is intended for storing the MAEC schemas, including those we're presently working on. 
5 | 6 | The current version stored is MAEC 5.0, with the previous MAEC 4.1 (XML) release available via the 'v4.1-release' tag. 7 | 8 | ## About MAEC 9 | 10 | Malware Attribute Enumeration and Characterization (MAEC™) is a standardized language for sharing structured information about malware based upon attributes such as behaviors, artifacts, and attack patterns. 11 | 12 | The goal of the MAEC (pronounced "mike") effort is to provide a basis for transforming malware research and response. MAEC aims to eliminate the ambiguity and inaccuracy that currently exists in malware descriptions and to reduce reliance on signatures. In this way, MAEC seeks to improve human-to-human, human-to-tool, tool-to-tool, and tool-to-human communication about malware; reduce potential duplication of malware analysis efforts by researchers; and allow for the faster development of countermeasures by enabling the ability to leverage responses to previously observed malware instances. The MAEC Language enables correlation, integration, and automation. 13 | 14 | Please visit the [MAEC website](http://maecproject.github.io/) for more information about the MAEC Language. 15 | 16 | ## Getting Help 17 | 18 | Join the public [MAEC Community Email Discussion List](https://maec.mitre.org/community/discussionlist.html). 19 | 20 | Email the MAEC Developers at maec@mitre.org. 
21 | -------------------------------------------------------------------------------- /analysis-metadata.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "http://json-schema.org/draft-04/schema#", 3 | "definitions": { 4 | "analysis-metadata": { 5 | "title": "Analysis", 6 | "type": "object", 7 | "description": "Captures metadata associated with the analyses of a malware instance, such as the tools used, analysts, and other data.", 8 | "properties": { 9 | "is_automated": { 10 | "type": "boolean", 11 | "description": "Captures whether the analysis was completely automated (i.e., with no human analyst in the loop). If this property is set to true, the analysts property MUST NOT be included." 12 | }, 13 | "start_time": { 14 | "type": "string", 15 | "format": "date-time", 16 | "description": "Captures the date/time that the analysis was started." 17 | }, 18 | "end_time": { 19 | "type": "string", 20 | "format": "date-time", 21 | "description": "Captures the date/time that the analysis was completed." 22 | }, 23 | "last_update_time": { 24 | "type": "string", 25 | "format": "date-time", 26 | "description": "Captures the date/time that the analysis was last updated." 27 | }, 28 | "confidence": { 29 | "type": "string", 30 | "description": "Captures the relative measure of confidence in the accuracy of the analysis results. The value for this property SHOULD come from the confidence-measure-ov vocabulary." 31 | }, 32 | "analysts": { 33 | "type": "array", 34 | "items": {"type": "string"}, 35 | "description": "Captures the names of analysts who performed the analysis." 36 | }, 37 | "analysis_type": { 38 | "type": "string", 39 | "description": "Captures the type of analysis performed. The value for this property SHOULD come from the analysis-type-ov vocabulary." 
40 | }, 41 | "comments": { 42 | "type": "array", 43 | "items": {"type": "string"}, 44 | "description": "Captures comments regarding the analysis that was performed. A comment SHOULD be attributable to a specific analyst and SHOULD reflect particular insights of the author that are significant from an analysis standpoint." 45 | }, 46 | "tool_refs": { 47 | "type": "array", 48 | "items": {"type": "string"}, 49 | "description": "References the tools used in the analysis of a Malware Instance. The objects referenced MUST be of STIX type software and MUST be specified in the observable-objects property of the Package." 50 | }, 51 | "analysis_environment": { 52 | "type": "object", 53 | "description": "Captures any metadata, such as the host virtual machine, associated with the analysis environment used to perform the dynamic analysis of the Malware Instance. Each key in the dictionary SHOULD come from the analysis-environment-ov, and each corresponding key value SHOULD be a valid object-ref or list of object-ref. This property MUST NOT be included if analysis_type is set to a value of static." 54 | }, 55 | "description": { 56 | "type": "string", 57 | "description": "Captures a textual description of the analysis that was performed." 58 | }, 59 | "conclusions": { 60 | "type": "array", 61 | "items": {"type": "string"}, 62 | "description": "Captures analysis conclusions, such as whether the binary was found to be malicious. The value for this property SHOULD come from the analysis-conclusion-type-ov vocabulary." 63 | }, 64 | "references": { 65 | "type": "array", 66 | "items": {"$ref": "external-reference.json#/definitions/external-reference"}, 67 | "description": "Captures any references to reports or other data sources pertaining to the analysis." 
68 | } 69 | }, 70 | "required":[ 71 | "is_automated", 72 | "analysis_type" 73 | ] 74 | } 75 | } 76 | } 77 | -------------------------------------------------------------------------------- /api-call.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "http://json-schema.org/draft-04/schema#", 3 | "definitions": { 4 | "api-call": { 5 | "title": "APICall", 6 | "type": "object", 7 | "description": "Serves as a method for characterizing API Calls, as implementations of Malware Actions.", 8 | "properties": { 9 | "address" : { 10 | "type": "string", 11 | "description": "Captures the hexadecimal address of the API call in the binary." 12 | }, 13 | "return_value": { 14 | "type": "string", 15 | "description": "Captures the return value of the API call." 16 | }, 17 | "parameters": { 18 | "type": "object", 19 | "description": "Captures a list of function parameters. Each key in the dictionary MUST be a string that captures the exact name of the parameter, and each corresponding key value MUST be a string that captures the corresponding parameter value. For parameter values that can be represented by a constant, e.g., GENERIC_WRITE, the constant rather than the literal SHOULD be used. For cases where the parameter cannot be represented by a constant, the literal (as reported by the tool, etc.) MUST be used." 20 | }, 21 | "function_name": { 22 | "type": "string", 23 | "description": "Captures the exact name of the API function called, e.g. 
CreateFileEx" 24 | } 25 | }, 26 | "required":["function_name"] 27 | } 28 | } 29 | } -------------------------------------------------------------------------------- /behavior.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "http://json-schema.org/draft-04/schema#", 3 | "definitions": { 4 | "behavior": { 5 | "title": "Behavior", 6 | "type": "object", 7 | "description": "A Behavior corresponds to the specific purpose behind a particular snippet of code, as executed by a malware instance. Examples include keylogging, detecting a virtual machine, and installing a backdoor. Behaviors may be composed of one or more Malware Actions, thereby providing context to these Actions.", 8 | "properties": { 9 | "type": { 10 | "type": "string", 11 | "enum": ["behavior"] 12 | }, 13 | "id": { 14 | "type": "string", 15 | "description": "Specifies a unique ID for this Behavior." 16 | }, 17 | "name": { 18 | "type": "string", 19 | "description": "Captures the name of the Behavior. The values for this property SHOULD come from the behavior-ov open vocabulary." 20 | }, 21 | "description": { 22 | "type": "string", 23 | "description": "Specifies a textual description of the Behavior." 24 | }, 25 | "timestamp": { 26 | "type": "string", 27 | "format": "date-time", 28 | "description": "Captures the local or relative time at which the Behavior occurred or was observed." 29 | }, 30 | "attributes": { 31 | "type": "object", 32 | "description": "Captures attributes of the Behavior as name/value pairs. Dictionary keys used in this property SHOULD come from the common-attribute-ov vocabulary. The corresponding values for the keys SHOULD come from the platform-ov and encryption-algorithm-ov vocabularies." 33 | }, 34 | "action_refs": { 35 | "type": "array", 36 | "items": {"type": "string"}, 37 | "description": "Captures Actions that serve as an implementation of the Behavior. Each list item specifies the unique ID of the Action being referenced. 
The Action MUST be present in the current Package. The ordering of the references in the list denotes the sequential ordering of the Actions with respect to the Behavior; that is, Actions at the beginning of the list MUST have occurred before those later in the list." 38 | }, 39 | "technique_refs": { 40 | "type": "array", 41 | "items": {"$ref": "external-reference.json#/definitions/external-reference"}, 42 | "description": "References any techniques, such as DLL Search Order Hijacking, used to implement the Behavior. Each reference SHOULD point to a valid ATT&CK Technique or related entity." 43 | } 44 | }, 45 | "required": [ 46 | "id", 47 | "type", 48 | "name" 49 | ] 50 | } 51 | } 52 | } 53 | -------------------------------------------------------------------------------- /binary-obfuscation.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "http://json-schema.org/draft-04/schema#", 3 | "definitions": { 4 | "binary-obfuscation": { 5 | "title": "BinaryObfuscation", 6 | "type": "object", 7 | "description": "Extension that captures metadata on the methods that a binary may be obfuscated with, such as executable packers or XOR encryption. This includes obfuscation of the entire binary as well as its constituent pieces, such as strings.", 8 | "properties": { 9 | "method": { 10 | "type": "string", 11 | "description": "Captures the method used in obfuscating the binary. The value for this property SHOULD come from the obfuscation-method-ov vocabulary." 12 | }, 13 | "layer_order": { 14 | "type": "integer", 15 | "description": "Captures the ordering of the obfuscation method with respect to other obfuscation methods (if known), as a positive integer. For example, if a binary was packed and then XOR encrypted, the packing layer would have an ordering of \"1\" and the XOR encryption layer would have an ordering of \"2\"." 
16 | }, 17 | "encryption_algorithm": { 18 | "type": "string", 19 | "description": "Captures the name of the encryption algorithm used by the obfuscation method (if applicable). The values for this property SHOULD come from the STIX encryption-algo-ov vocabulary." 20 | }, 21 | "packer_name": { 22 | "type": "string", 23 | "description": "Specifies the name of the packer (if applicable)." 24 | }, 25 | "packer_version": { 26 | "type": "string", 27 | "description": "Specifies the version of the packer (if applicable)." 28 | }, 29 | "packer_entry_point": { 30 | "type": "string", 31 | "description": "Specifies the entry point address of the packer (if applicable); in hexadecimal." 32 | }, 33 | "packer_signature": { 34 | "type": "string", 35 | "description": "Specifies the matching signature detected for the packer (if applicable)." 36 | } 37 | }, 38 | "required": ["method"] 39 | } 40 | } 41 | } 42 | -------------------------------------------------------------------------------- /capability.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "http://json-schema.org/draft-04/schema#", 3 | "definitions": { 4 | "capability": { 5 | "title": "Capability", 6 | "type": "object", 7 | "description": "Captures details of a Capability that may be implemented in the malware instance.", 8 | "properties": { 9 | "name": { 10 | "type": "string", 11 | "description": "Captures the name of the Capability. The values for this property SHOULD come from the capability-ov vocabulary. When used as part of a refined Capability, the values for this property SHOULD come from the refined-capability-ov vocabulary." 12 | }, 13 | "refined_capabilities": { 14 | "type": "array", 15 | "items": {"$ref": "#/definitions/capability"}, 16 | "description": "Captures a refinement of the Capability, recursively using CapabilityType." 17 | }, 18 | "description": { 19 | "type": "string", 20 | "description": "Captures a textual description of the Capability." 
21 | }, 22 | "attributes": { 23 | "type": "object", 24 | "description": "Captures attributes of the Capability as key/value pairs. Each key in the dictionary MUST be a string that captures the name of the attribute and SHOULD come from the common-attribute-ov vocabulary. Each corresponding key value MUST be a string or list of strings that captures the corresponding attribute values." 25 | }, 26 | "behavior_refs": { 27 | "type": "array", 28 | "items": {"type": "string"}, 29 | "description": "Captures the IDs of Behaviors that implement the Capability. The Behavior MUST be present in the current Package." 30 | }, 31 | "references": { 32 | "type": "array", 33 | "items": {"$ref": "external-reference.json#/definitions/external-reference"}, 34 | "description": "Captures external references to ATT&CK Tactics and other entities that may be associated with the Capability. " 35 | } 36 | }, 37 | "required": ["name"] 38 | } 39 | } 40 | } 41 | -------------------------------------------------------------------------------- /collection.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "http://json-schema.org/draft-04/schema#", 3 | "definitions": {"collection": { 4 | "title":"Collection", 5 | "type": "object", 6 | "description": "Captures collections of any MAEC entities, including Malware Instances, Behaviors, etc.", 7 | "properties": { 8 | "type": { 9 | "type": "string", 10 | "enum": ["collection"] 11 | }, 12 | "id": { 13 | "type": "string", 14 | "description": "Specifies a unique ID for this Collection." 15 | }, 16 | "description": { 17 | "type": "string", 18 | "description": "Specifies a textual description of the Collection." 19 | }, 20 | "association_type": { 21 | "type":"string", 22 | "description": "Specifies how the contents of the Collection are associated. The values for this property SHOULD come from the entity-association-ov vocabulary." 
23 | }, 24 | "entity_refs": { 25 | "type": "array", 26 | "items": {"type": "string"}, 27 | "description": "Specifies a set of one or more MAEC entities that are contained in the Collection. Each item specifies the unique ID of the entity being referenced. All entities MUST be present in the current Package. This property is mutually exclusive with regard to the observable_refs property and both properties MUST NOT be present in the same Collection." 28 | }, 29 | "observable_refs":{ 30 | "type": "array", 31 | "items": {"type": "string"}, 32 | "description": "Specifies a set of one or more STIX Cyber Observable Objects that are contained in the Collection. This property is mutually exclusive with regard to the entity_refs property and both properties MUST NOT be present in the same Collection." 33 | } 34 | }, 35 | "required": [ 36 | "type", 37 | "id", 38 | "association_type" 39 | ], 40 | "oneOf": [ 41 | {"required": ["entity_refs"]}, 42 | {"required": ["observable_refs"]} 43 | ] 44 | }} 45 | } 46 | -------------------------------------------------------------------------------- /dynamic-features.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "http://json-schema.org/draft-04/schema#", 3 | "definitions": { 4 | "dynamic-features": { 5 | "title": "DynamicFeatures", 6 | "type": "object", 7 | "description": "Captures the dynamic features, i.e., those that are associated with the semantics of the executed code, of a malware instance. At least one of the \"behavior_refs\" or \"action_refs\" or \"process_tree\" properties MUST be included when using this type.", 8 | "properties": { 9 | "behavior_refs": { 10 | "type": "array", 11 | "items": {"type": "string"}, 12 | "description": "Captures the IDs of Behaviors exhibited by the Malware Instance." 13 | }, 14 | "action_refs": { 15 | "type": "array", 16 | "items": {"type": "string"}, 17 | "description": "Captures the IDs of Actions discovered for the Malware Instance. 
This property is intended for capturing Actions that are discovered through static analysis, reverse engineering, or other methods and therefore MUST NOT be used to reference any of the Actions that are included in the process_tree property. As such, the Actions referenced by this property are mutually exclusive with respect to the Actions referenced by the process_tree property." 18 | }, 19 | "process_tree":{ 20 | "type": "array", 21 | "items": {"$ref": "process-tree-node.json#/definitions/process-tree-node"}, 22 | "description": "Captures the Process Tree observed during the execution of the Malware Instance. This property may also capture Actions that are executed by a process and captured by dynamic analysis/sandboxing and therefore MUST NOT be used to reference any of the Actions that are included in the action_refs property. That is to say, the Actions referenced by this property are mutually exclusive with respect to the Actions referenced by the action_refs property." 23 | } 24 | }, 25 | "anyOf": [ 26 | {"required": ["behavior_refs"]}, 27 | {"required": ["action_refs"]}, 28 | {"required": ["process_tree"]} 29 | ] 30 | } 31 | } 32 | } 33 | -------------------------------------------------------------------------------- /examples/artifact_example.json: -------------------------------------------------------------------------------- 1 | { 2 | "type": "package", 3 | "id": "package--8b528c58-4ce6-446a-bf18-9a3e4a1425cc", 4 | "schema_version": "5.0", 5 | "maec_objects": [ 6 | { 7 | "type": "malware-instance", 8 | "id": "malware-instance--9b947fbc-68da-43ee-a323-125e3f8cd64a", 9 | "instance_object_refs": ["0"], 10 | "dynamic_features": { 11 | "network_traffic_refs": ["1"] 12 | } 13 | } 14 | ], 15 | "observable_objects": { 16 | "0": { 17 | "type": "file", 18 | "size": 24840, 19 | "hashes": { 20 | "MD5": "3d23ec8b55840b95ea75197ce9446b6d", 21 | "SHA-1": "272ce73adebba81983abbbf112155e463951d046" 22 | } 23 | }, 24 | "1": { 25 | "type": "network-traffic", 26 | 
"src_payload_ref": "2", 27 | "src_ref": "3", 28 | "dst_ref": "4", 29 | "protocols": [ 30 | "tcp" 31 | ] 32 | }, 33 | "2": { 34 | "type": "artifact", 35 | "payload_bin": "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" 36 | }, 37 | "3": { 38 | "type": "ipv4-addr", 39 | "spec_version": "2.1", 40 | "value": "198.51.100.5" 41 | }, 42 | "4": { 43 | "type": "ipv4-addr", 44 | "spec_version": "2.1", 45 | "value": "198.51.100.9" 46 | } 47 | } 48 | } 49 | -------------------------------------------------------------------------------- /examples/av_classifications_example.json: -------------------------------------------------------------------------------- 1 | { 2 | "type": "package", 3 | "id": "package--3d92431d-ff62-45b0-9134-f1d3911d27c7", 4 | "schema_version": "5.0", 5 | "maec_objects": [ 6 | { 7 | "type": "malware-instance", 8 | "id": "malware-instance--8bcf14e9-2ba2-44ef-9e32-fbbc9d2608b2", 9 | "instance_object_refs": ["0"] 10 | } 11 | ], 12 | "observable_objects": { 13 | "0": { 14 | "type": "file", 15 | "name": "a92e5b2bae.exe", 16 | "parent_directory_ref": "1", 17 | "size": 77312, 18 | "hashes": { 19 | "MD5": "a92e5b2bae0b4b3a3d81c85610b95cd4", 20 | "SHA-1": "5374e08903744ceeaedd8f5e1bfc06b2c4688e76" 21 | }, 22 | "extensions": { 23 | "x-maec-avclass": [ 24 | { 25 | "scan_date": "2010-05-15T03:38:44", 26 | "is_detected": "False", 27 | "av_name": "Security Essentials", 28 | "av_vendor": "Microsoft", 29 | "av_engine_version": "4.2.3", 30 | "av_definition_version": "032415-0011" 31 | }, 32 | { 33 | "scan_date": "2012-02-11T08:36:14", 34 | "is_detected": "True", 35 | "av_name": "Security Essentials", 36 | "av_vendor": "Microsoft", 37 | "av_engine_version": "5.1.0", 38 | "av_definition_version": "053514-0062", 39 | "av_classification_name": "Zeus.D.C." 
40 | } 41 | ] 42 | } 43 | }, 44 | "1": { 45 | "type": "directory", 46 | "path": "C:\\" 47 | } 48 | } 49 | } 50 | -------------------------------------------------------------------------------- /examples/dynamic_triage_tool_output.json: -------------------------------------------------------------------------------- 1 | { 2 | "type": "package", 3 | "id": "package--d717c418-d8cd-4019-8505-71faef1f1309", 4 | "schema_version": "5.0", 5 | "maec_objects": [ 6 | { 7 | "type": "malware-instance", 8 | "id": "malware-instance--0beb15e6-9994-46fd-8cc8-318d2ac8885f", 9 | "instance_object_refs": ["0"] 10 | }, 11 | { 12 | "type": "malware-action", 13 | "id": "malware-action--fe99bcab-50d7-4010-9a2b-70083f7cad56", 14 | "name": "create-file", 15 | "output_obj_refs": ["1"] 16 | }, 17 | { 18 | "type": "malware-action", 19 | "id": "malware-action--37c2f512-06af-4e8f-b81d-01a699663492", 20 | "name": "create-registry-key", 21 | "output_obj_refs": ["2"] 22 | }, 23 | { 24 | "type": "malware-action", 25 | "id": "malware-action--8d3929fb-484c-4426-857b-289e42d4f53c", 26 | "name": "create-mutex", 27 | "output_object_refs": ["3"] 28 | }, 29 | { 30 | "type": "malware-action", 31 | "id": "malware-action--56974c6e-c0f1-44ab-a2e4-2899adbfd72a", 32 | "name": "allocate-process-virtual-memory", 33 | "input_obj_refs": ["4"] 34 | }, 35 | { 36 | "type": "malware-action", 37 | "id": "malware-action--f45c69ea-3c48-4493-9d2b-feeda12643a6", 38 | "name": "allocate-process-virtual-memory", 39 | "input_obj_refs": ["5"] 40 | }, 41 | { 42 | "type": "malware-action", 43 | "id": "malware-action--0f0ef516-ca2d-448a-9a7a-db4b215e7098", 44 | "name": "allocate-process-virtual-memory", 45 | "input_obj_refs": ["6"] 46 | } 47 | ], 48 | "observable_objects": { 49 | "0": { 50 | "type": "file", 51 | "size": "332288", 52 | "hashes": { 53 | "MD5": "6519ED23FB22D0228E61A68D40F75C49", 54 | "SHA-1": "7F42DF6B1318A5CC4633E33076629F95F59F1445" 55 | } 56 | }, 57 | "1": { 58 | "type": "file", 59 | "name": "Zcxaaz.exe", 60 | 
"parent_directory_ref": "7", 61 | "size": 332288 62 | 63 | }, 64 | "2": { 65 | "type": "windows-registry-key", 66 | "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", 67 | "values": [ 68 | { 69 | "name": "Zcxaxz", 70 | "data": "%AppData%\\Zcxaxz.exe" 71 | } 72 | ] 73 | }, 74 | "3": { 75 | "type": "mutex", 76 | "name": "redem-mutex" 77 | }, 78 | "4": { 79 | "type": "process", 80 | "name": "services.exe", 81 | "cwd": "%System%\\" 82 | }, 83 | "5": { 84 | "type": "process", 85 | "name": "svchost.exe", 86 | "cwd": "%System%\\" 87 | }, 88 | "6": { 89 | "type": "process", 90 | "name": "alg.exe", 91 | "cwd": "%System%\\" 92 | }, 93 | "7": { 94 | "type": "directory", 95 | "path": "%AppData%/" 96 | } 97 | } 98 | } 99 | -------------------------------------------------------------------------------- /examples/in_depth_analysis.json: -------------------------------------------------------------------------------- 1 | { 2 | "type": "package", 3 | "id": "package--f63bb5f0-4173-4e72-8ceb-a316fbd3206b", 4 | "schema_version": "5.0", 5 | "maec_objects": [ 6 | { 7 | "type": "malware-instance", 8 | "id": "malware-instance--b965814d-0c2e-4e01-b8a5-d8c32bb038e6", 9 | "instance_object_refs": ["0"], 10 | "analysis_metadata": [ 11 | { 12 | "is_automated": false, 13 | "analysis_type": "static", 14 | "description": "in-depth static analysis" 15 | } 16 | ], 17 | "dynamic_features": { 18 | "behavior_refs": ["behavior--7946eb08-1a49-45ec-bd45-6b467e14bf31"], 19 | "action_refs": ["malware-action--2d42dac8-c416-42c6-bc5c-7b6dcf576fc5"] 20 | }, 21 | "capabilities": [ 22 | { 23 | "name": "spying", 24 | "behavior_refs": ["behavior--7946eb08-1a49-45ec-bd45-6b467e14bf31"] 25 | } 26 | ] 27 | }, 28 | { 29 | "type": "behavior", 30 | "id": "behavior--7946eb08-1a49-45ec-bd45-6b467e14bf31", 31 | "name": "capture-keyboard-input", 32 | "action_refs": ["malware-action--2d42dac8-c416-42c6-bc5c-7b6dcf576fc5"] 33 | }, 34 | { 35 | "type": "malware-action", 36 | "id": 
"malware-action--2d42dac8-c416-42c6-bc5c-7b6dcf576fc5", 37 | "name":"add-windows-hook", 38 | "output_object_refs": ["1"] 39 | } 40 | ], 41 | "observable_objects": { 42 | "0": { 43 | "type": "file", 44 | "hashes": { 45 | "MD5": "B6C39FF68346DCC8B67AA060DEFE40C2" 46 | } 47 | }, 48 | "1": { 49 | "type": "x-windows-hook", 50 | "win-hook-type": "WH_KEYBOARD_LL" 51 | } 52 | } 53 | } 54 | -------------------------------------------------------------------------------- /examples/maec_related_malware.json: -------------------------------------------------------------------------------- 1 | { 2 | "type": "package", 3 | "id": "package--e05d8112-4210-4367-b9ed-8370acdee129", 4 | "schema_version": "5.0", 5 | "maec_objects": [ 6 | { 7 | "type": "malware-instance", 8 | "id": "malware-instance--4c46c555-8e83-4bbb-acf8-e09c1311093b", 9 | "instance_object_refs": ["0"] 10 | }, 11 | { 12 | "type": "malware-instance", 13 | "id": "malware-instance--4c46c666-8e83-4bbb-acf8-e09c1311093b", 14 | "instance_object_refs": ["1"] 15 | }, 16 | { 17 | "type": "malware-instance", 18 | "id": "malware-instance--4c46c555-8e83-4bbb-acf8-e09c1300003b", 19 | "instance_object_refs": ["2"] 20 | }, 21 | { 22 | "type": "malware-instance", 23 | "id": "malware-instance--4c46e5760-8e83-4bbb-acf8-e09c130003b", 24 | "instance_object_refs": ["3"] 25 | }, 26 | { 27 | "type": "collection", 28 | "id": "collection--739dfdd1-93ab-49d2-73f0-f0427e1ff918", 29 | "association_type": "observed-together", 30 | "entity_refs": [ 31 | "malware-instance--4c46c555-8e83-4bbb-acf8-e09c1311093b", 32 | "malware-instance--4c46c666-8e83-4bbb-acf8-e09c1311093b", 33 | "malware-instance--4c46c555-8e83-4bbb-acf8-e09c1300003b", 34 | "malware-instance--4c46e5760-8e83-4bbb-acf8-e09c130003b" 35 | ] 36 | } 37 | ], 38 | "observable_objects": { 39 | "0": { 40 | "type": "file", 41 | "name": "dg003_improve_8080_V132.exe", 42 | "size": 196608, 43 | "hashes": { 44 | "MD5": "4EC0027BEF4D7E1786A04D021FA8A67F" 45 | } 46 | }, 47 | "1": { 48 | "type": 
"file", 49 | "name": "msvcr.dll" 50 | }, 51 | "2": { 52 | "type": "file", 53 | "name": "fvcwin32.exe" 54 | }, 55 | "3": { 56 | "type": "file", 57 | "name": "acvcwin32.exe" 58 | } 59 | }, 60 | "relationships": [ 61 | { 62 | "type": "relationship", 63 | "id": "relationship--3a43e6060-8e83-4bcb-fdf8-e18e134545b", 64 | "relationship_type": "drops", 65 | "source_ref": "malware-instance--4c46c555-8e83-4bbb-acf8-e09c1311093b", 66 | "target_ref": "malware-instance--4c46c666-8e83-4bbb-acf8-e09c1311093b" 67 | }, 68 | { 69 | "type": "relationship", 70 | "id": "relationship--d587e2e0-a995-40d2-805a-3394a64d5885", 71 | "relationship_type": "downloads", 72 | "source_ref": "malware-instance--4c46c666-8e83-4bbb-acf8-e09c1311093b", 73 | "target_ref": "malware-instance--4c46c555-8e83-4bbb-acf8-e09c1300003b" 74 | }, 75 | { 76 | "type": "relationship", 77 | "id": "relationship--3b13e9053-8e83-4bcb-adf8-e18e133533f", 78 | "relationship_type": "downloads", 79 | "source_ref": "malware-instance--4c46c666-8e83-4bbb-acf8-e09c1311093b", 80 | "target_ref": "malware-instance--4c46c555-8e83-4bbb-acf8-e09c1300003b" 81 | } 82 | ] 83 | } -------------------------------------------------------------------------------- /examples/malicious_webpage_example.json: -------------------------------------------------------------------------------- 1 | { 2 | "type": "package", 3 | "id": "package--e2215ced-19b2-4296-951e-3a3a26e1c79f", 4 | "schema_version": "5.0", 5 | "maec_objects": [ 6 | { 7 | "type": "malware-instance", 8 | "id": "malware-instance--82008585-1939-4ca8-bd47-3173c1e91053", 9 | "instance_object_refs": ["0"], 10 | "capabilities": [ 11 | { 12 | "name": "infection/propagation", 13 | "refined_capabilities": [ 14 | { 15 | "name": "remote-machine-infection" 16 | } 17 | ] 18 | } 19 | ], 20 | "dynamic_features": { 21 | "behavior_refs": [ 22 | "behavior--738f7800-58f0-45d5-9f69-0fdb10050edc", 23 | "behavior--4efd2828-92b8-41df-862e-9d983fe0d2f3" 24 | ], 25 | "action_refs": [ 26 | 
"malware-action--f0e023b8-6789-4425-bfbe-2c80ae50c81d", 27 | "malware-action--26462916-6cf6-4d60-908f-18bb96232463", 28 | "malware-action--63890287-23c6-42a6-8aa2-5d27e79c86dd" 29 | ] 30 | }, 31 | "labels": ["shellcode"] 32 | }, 33 | { 34 | "type": "behavior", 35 | "id": "behavior--738f7800-58f0-45d5-9f69-0fdb10050edc", 36 | "name": "autonomous-remote-infection", 37 | "description": "A vulnerability exploit behavior initiated by some code on the web page.", 38 | "attributes": { 39 | "vulnerability-id-cve": "CVE-2010-0188" 40 | } 41 | }, 42 | { 43 | "type": "behavior", 44 | "id": "behavior--4efd2828-92b8-41df-862e-9d983fe0d2f3", 45 | "name": "autonomous-remote-infection", 46 | "description": "A vulnerability exploit behavior initiated by some code on the web page.", 47 | "attributes": { 48 | "vulnerability-id-cve": "CVE-2012-0507" 49 | } 50 | }, 51 | { 52 | "type": "malware-action", 53 | "id": "malware-action--f0e023b8-6789-4425-bfbe-2c80ae50c81d", 54 | "name": "download-file", 55 | "input_object_refs": ["2"], 56 | "output_object_refs": ["0"] 57 | }, 58 | { 59 | "type": "malware-action", 60 | "id": "malware-action--26462916-6cf6-4d60-908f-18bb9623246", 61 | "name": "download-file", 62 | "input_object_refs": ["4"], 63 | "output_object_refs": ["3"] 64 | }, 65 | { 66 | "type": "malware-action", 67 | "id": "action--63890287-23c6-42a6-8aa2-5d27e79c86dd", 68 | "name": "download-file", 69 | "input_object_refs": ["5"], 70 | "output_object_refs": ["7"] 71 | } 72 | ], 73 | "observable_objects": { 74 | "0": { 75 | "type": "url", 76 | "value": "http://samsonikonyou.ru:8080/navigator/jueoaritjuir.php" 77 | }, 78 | "1": { 79 | "type": "file", 80 | "name": "xodmeqglxldnx.jar" 81 | }, 82 | "2": { 83 | "type": "url", 84 | "value": "http://samsonikonyou.ru:8080/navigator/xodmeqglxldnx.jar" 85 | }, 86 | "3": { 87 | "type": "file", 88 | "name": "krgobpevcpync.jar" 89 | }, 90 | "4":{ 91 | "type": "url", 92 | "value": "http://samsonikonyou.ru:8080/navigator/krgobpevcpync.jar" 93 | }, 94 
| "5": { 95 | "type": "file", 96 | "name": "aqcphscwgqhvkzy5.pdf", 97 | "contains_refs": ["maec-example-obj-7"] 98 | }, 99 | "6": { 100 | "type": "url", 101 | "value": "http://samsonikonyou.ru:8080/navigator/aqcphscwgqhvkzy5.pdf" 102 | } 103 | } 104 | } -------------------------------------------------------------------------------- /examples/network_behavior_example.json: -------------------------------------------------------------------------------- 1 | { 2 | "type": "package", 3 | "id": "package--7af42bc3-8aef-42dc-95e4-d89f16eaa142", 4 | "schema_version": "5.0", 5 | "maec_objects": [ 6 | { 7 | "type": "malware-instance", 8 | "id": "malware-instance--6c2d11a7-fba4-4375-8cb2-89f2bfcf6940", 9 | "name": { 10 | "value": "Red October Downloader" 11 | }, 12 | "labels": ["downloader"], 13 | "instance_object_refs": ["0"], 14 | "capabilities": [ 15 | { 16 | "name": "command-and-control", 17 | "refined_capabilities": [ 18 | { 19 | "name": "send-data-to-c2-server" 20 | } 21 | ] 22 | } 23 | ], 24 | "dynamic_features": { 25 | "behavior_refs": ["behavior--10b06b25-9fbe-4593-9609-5cba8e877f75"], 26 | "action_refs": ["malware-action--5809df22-e9e2-4d78-beb6-1c412cdb4b18"] 27 | } 28 | }, 29 | { 30 | "type": "malware-action", 31 | "id": "malware-action--5809df22-e9e2-4d78-beb6-1c412cdb4b18", 32 | "name": "send-http-post-request", 33 | "description": "http post request which occurs every 180 seconds", 34 | "output_object_refs": ["1"] 35 | }, 36 | { 37 | "type": "behavior", 38 | "id": "behavior--10b06b25-9fbe-4593-9609-5cba8e877f75", 39 | "name": "send-data-to-C2-server", 40 | "description": "A Command and Control Server Connection Loop. 
Every 180 seconds the malware subject sends an HTTP Post request to its C2 server with some data uniquely identifying the victim machine and reporting on the status of the execution of the malware.", 41 | "action_refs": ["action--5809df22-e9e2-4d78-beb6-1c412cdb4b18"] 42 | } 43 | ], 44 | "observable_objects":{ 45 | "0":{ 46 | "type": "file", 47 | "hashes": { 48 | "MD5": "c3b0d1403ba35c3aba8f4529f43fb300" 49 | } 50 | }, 51 | "1": { 52 | "type": "network-traffic", 53 | "protocols": ["http"], 54 | "dst_ref": "2", 55 | "extensions": { 56 | "http-request-ext": { 57 | "request_method": "post", 58 | "request_value": "/reportdatas.php", 59 | "request_version": "http/1.0" 60 | } 61 | } 62 | }, 63 | "2": { 64 | "type": "domain-name", 65 | "value": "www.dailyinfonews.net" 66 | } 67 | } 68 | } 69 | -------------------------------------------------------------------------------- /examples/object_reuse_example.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": "package--3a7b331e-906f-42c0-bfd5-c2cd04076834", 3 | "type": "package", 4 | "schema_version": "5.0", 5 | "maec_objects": [ 6 | { 7 | "type": "malware-instance", 8 | "id": "malware-instance--1d43c77c-21a0-4a10-9a9a-8c0fdfd280b8", 9 | "instance_object_refs": ["0"], 10 | "dynamic_features": { 11 | "action_refs": [ 12 | "malware-action--935a718f-863e-49fb-89b8-d65dc0e70e53", 13 | "malware-action--75514819-ea94-4684-8107-68ee63315fc4" 14 | ] 15 | } 16 | }, 17 | { 18 | "type": "malware-action", 19 | "id": "malware-action--935a718f-863e-49fb-89b8-d65dc0e70e53", 20 | "name": "create-file", 21 | "is_successful": true, 22 | "output_object_refs": ["1"] 23 | }, 24 | { 25 | "type": "malware-action", 26 | "id": "malware-action--75514819-ea94-4684-8107-68ee63315fc4", 27 | "name": "write-to-process-memory", 28 | "is_successful": true, 29 | "input_object_refs": ["3"] 30 | } 31 | ], 32 | "observable_objects": { 33 | "0": { 34 | "type": "file", 35 | "size": 196608, 36 | "hashes": { 37 | 
"MD5": "4EC0027BEF4D7E1786A04D021FA8A67F" 38 | } 39 | }, 40 | "1": { 41 | "type": "file", 42 | "name": "msvcr.dll", 43 | "parent_directory_ref": "2" 44 | }, 45 | "2": { 46 | "type": "directory", 47 | "path": "C:\\Documents and Settings\\user\\Local Settings\\Application\\Data" 48 | }, 49 | "3": { 50 | "type": "process", 51 | "name": "explorer.exe", 52 | "cwd": "C:\\Windows\\" 53 | } 54 | } 55 | } 56 | -------------------------------------------------------------------------------- /examples/package_action_equivalency_example.json: -------------------------------------------------------------------------------- 1 | { 2 | "type": "package", 3 | "id": "package--f9f00b01-ce0a-4193-8005-ae8aab645b53", 4 | "schema_version": "5.0", 5 | "maec_objects": [ 6 | { 7 | "type": "malware-instance", 8 | "id": "malware-instance--b72eed82-4333-4f41-830e-0e806b53dc4e", 9 | "instance_object_refs": ["0"], 10 | "labels": ["dropper"], 11 | "dynamic_features": { 12 | "behavior_refs": ["behavior--f53c0819-b2a3-4e71-ac9e-8cda83afde67"], 13 | "action_refs": [ 14 | "malware-action--33e9271d-30b5-4db1-9fca-892ffae1f087", 15 | "malware-action--3b127f1c-59cf-460d-8eab-afd1ee705d16" 16 | ] 17 | }, 18 | "capabilities": [ 19 | { 20 | "name": "persistence", 21 | "refined_capabilities": [ 22 | { 23 | "name": "continuous-execution" 24 | } 25 | ], 26 | "attributes": { 27 | "persistence-scope": "self" 28 | }, 29 | "behavior_refs": ["behavior--f53c0819-b2a3-4e71-ac9e-8cda83afde67"] 30 | } 31 | ], 32 | "analysis_metadata": [ 33 | { 34 | "is_automated": true, 35 | "analysis_type": "dynamic", 36 | "description": "Dynamic (behavioral) triage of the subject binary", 37 | "tool_refs": ["6"] 38 | }, 39 | { 40 | "is_automated": true, 41 | "analysis_type": "dynamic", 42 | "description": "Dynamic (behavioral) and tool-based triage of the subject binary", 43 | "tool_refs": ["7"] 44 | }, 45 | { 46 | "is_automated": false, 47 | "analysis_type": "static", 48 | "description": "Manual analysis of the subject binary" 49
| } 50 | ] 51 | }, 52 | { 53 | "type": "behavior", 54 | "id": "behavior--f53c0819-b2a3-4e71-ac9e-8cda83afde67", 55 | "name": "persist-after-system-reboot", 56 | "description": "A persistence after reboot behavior using the Windows startup folder", 57 | "action_refs": [ 58 | "malware-action--3b127f1c-59cf-460d-8eab-afd1ee705d16", 59 | "malware-action--33e9271d-30b5-4db1-9fca-892ffae1f087" 60 | ] 61 | }, 62 | { 63 | "type": "malware-action", 64 | "id": "malware-action--3b127f1c-59cf-460d-8eab-afd1ee705d16", 65 | "name": "create-file", 66 | "is_successful": true, 67 | "output_object_refs": ["1"] 68 | }, 69 | { 70 | "type": "malware-action", 71 | "id": "malware-action--33e9271d-30b5-4db1-9fca-892ffae1f087", 72 | "name": "create-file", 73 | "is_successful": true, 74 | "output_object_refs": ["2"] 75 | } 76 | ], 77 | "observable_objects": { 78 | "0": { 79 | "type": "file", 80 | "name": "2ed2386bfb.exe", 81 | "parent_directory_ref": "3", 82 | "size": 379077, 83 | "hashes": { 84 | "MD5": "2ed2386fbd31a1104e402a0c97c1aa60", 85 | "SHA-1": "611a0dae515ea4606c1e3b76814af902ed5f3490" 86 | } 87 | }, 88 | "1": { 89 | "type": "file", 90 | "name": "taskmgrsx.exe", 91 | "parent_directory_ref": "4" 92 | }, 93 | "2": { 94 | "type": "file", 95 | "name": "taskmgrsx.exe", 96 | "parent_directory_ref": "5" 97 | }, 98 | "3": { 99 | "type": "directory", 100 | "path": "C:\\" 101 | }, 102 | "4":{ 103 | "type": "directory", 104 | "path":"C:\\Documents and Settings\\Administrator\\Start Menu\\Programs\\Startup" 105 | }, 106 | "5":{ 107 | "type": "directory", 108 | "path":"%Programs%\\Startup\\" 109 | }, 110 | "6": { 111 | "type": "software", 112 | "name": "Anubis", 113 | "vendor": "IsecLab" 114 | }, 115 | "7": { 116 | "type": "software", 117 | "name": "ThreatExpert", 118 | "vendor": "Symantec" 119 | } 120 | }, 121 | "relationships":[ 122 | { 123 | "type": "relationship", 124 | "id": "relationnship--89c7873f-30b5-4db1-9fca-892ffae1f087", 125 | "source_ref": 
"malware-action--3b127f1c-59cf-460d-8eab-afd1ee705d16", 126 | "target_ref": "malware-action--33e9271d-30b5-4db1-9fca-892ffae1f087", 127 | "relationship_type": "equivalent" 128 | } 129 | ] 130 | } 131 | -------------------------------------------------------------------------------- /examples/package_capability.json: -------------------------------------------------------------------------------- 1 | { 2 | "type": "package", 3 | "id": "package--2d42dac8-c416-42c6-bc5c-7b6dcf576fc5", 4 | "schema_version": "5.0", 5 | "maec_objects": [ 6 | { 7 | "type": "malware-instance", 8 | "id": "malware-instance--19863c16-503e-493f-8841-16c68e39c26e", 9 | "instance_object_refs": ["0"], 10 | "labels": [ 11 | "mass-mailer", 12 | "worm" 13 | ], 14 | "capabilities": [ 15 | { 16 | "name": "persistence", 17 | "refined_capabilities": [ 18 | { 19 | "name": "continuous-execution", 20 | "behavior_refs": ["behavior--2099d4c1-0e8a-49d2-8d32-f0427e1ff817"] 21 | } 22 | ] 23 | } 24 | ], 25 | "dynamic_features": { 26 | "behavior_refs": ["behavior--2099d4c1-0e8a-49d2-8d32-f0427e1ff817"], 27 | "action_refs": ["malware-action--2aa73fd6-f440-4219-8d32-6929c47f0745"] 28 | } 29 | }, 30 | { 31 | "type": "behavior", 32 | "id": "behavior--2099d4c1-0e8a-49d2-8d32-f0427e1ff817", 33 | "name": "persist-after-system-reboot", 34 | "description": "System reboot persistence via registry startup", 35 | "action_refs": ["malware-action--2aa73fd6-f440-4219-8d32-6929c47f0745"] 36 | }, 37 | { 38 | "type": "malware-action", 39 | "id": "malware-action--2aa73fd6-f440-4219-8d32-6929c47f0745", 40 | "name": "create-registry-key-value", 41 | "output_object_refs": ["1"] 42 | } 43 | ], 44 | "observable_objects": { 45 | "0": { 46 | "type": "file", 47 | "hashes": { 48 | "MD5":"9d7006e30fdf15e9c8e03e62534b3a3e" 49 | } 50 | }, 51 | "1": { 52 | "type": "windows-registry-key", 53 | "key": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", 54 | "values": [ 55 | { 56 | "name": "MSInfo", 57 | "data": 
"%Windir%\\AVBgle.exe" 58 | } 59 | ] 60 | } 61 | } 62 | } 63 | -------------------------------------------------------------------------------- /examples/package_capability_example_snifula.json: -------------------------------------------------------------------------------- 1 | { 2 | "type": "package", 3 | "id": "package--f251930e-2112-4922-9a63-0fbfaa59a5e0", 4 | "schema_version": "5.0", 5 | "maec_objects": [ 6 | { 7 | "type": "malware-instance", 8 | "id": "malware-instance--1c56c435-8e83-4bab-adf8-e09c1515094b", 9 | "instance_object_refs": ["0"], 10 | "labels": ["dropper"] 11 | }, 12 | { 13 | "type": "malware-instance", 14 | "id": "malware-instance--2c99c995-8f93-1cab-adf8-e09c1777094b", 15 | "instance_object_refs": ["1"], 16 | "labels": ["dropper"], 17 | "dynamic_features": { 18 | "behavior_refs": [ 19 | "behavior--85b4e674-ddc0-4fb9-9c8c-24a8c6255ca1", 20 | "behavior--608e6794-70e8-4c46-a237-5f75fb9c2e77", 21 | "behavior--8ff98c8b-649b-4daf-b3b5-bd11814421f6", 22 | "behavior--84ff960f-69ff-4fd5-9ffa-539489ef8b20" 23 | ] 24 | }, 25 | "capabilities": [ 26 | { 27 | "name": "probing", 28 | "refined_capabilities": [ 29 | { 30 | "name": "host-configuration-probing" 31 | } 32 | ], 33 | "behavior_refs": ["behavior--85b4e674-ddc0-4fb9-9c8c-24a8c6255ca1"] 34 | }, 35 | { 36 | "name": "anti-detection", 37 | "refined_capabilities": [ 38 | { 39 | "name": "hide-artifacts" 40 | } 41 | ], 42 | "behavior_refs": ["behavior--608e6794-70e8-4c46-a237-5f75fb9c2e77"] 43 | }, 44 | { 45 | "name": "persistence", 46 | "refined_capabilities": [ 47 | { 48 | "name":"continuous-execution" 49 | } 50 | ], 51 | "behavior_refs": ["behavior--8ff98c8b-649b-4daf-b3b5-bd11814421f6"] 52 | }, 53 | { 54 | "name": "secondary-operation", 55 | "refined_capabilities": [ 56 | { 57 | "name": "install-other-components" 58 | } 59 | ], 60 | "behavior_refs": ["behavior--84ff960f-69ff-4fd5-9ffa-539489ef8b20"] 61 | } 62 | ] 63 | }, 64 | { 65 | "type": "malware-instance", 66 | "id": 
"malware-instance--7c91c995-8f83-1cab-adf8-f10c1000088a", 67 | "instance_object_refs": ["2"], 68 | "labels": [ 69 | "backdoor", 70 | "password stealer", 71 | "spyware", 72 | "trojan horse" 73 | ], 74 | "name": { 75 | "value": "Backdoor.Snifula variant", 76 | "source": { 77 | "source_name": "Computer Incident Response Center Luxembourg and National CERT of Luxembourg", 78 | "url": "https://www.circl.lu/files/tr-13/tr-13-snifula-analysis-report-v1.3.pdf" 79 | } 80 | }, 81 | "analysis_metadata": [ 82 | { 83 | "is_automated": false, 84 | "analysis_type": "combination", 85 | "description": "Malware analysis of a Backdoor.Snifula variant", 86 | "comments": [ 87 | "The malware binary exports 46 functions, but it seems most are used for camouflage, with only a single function actually being used." 88 | ] 89 | } 90 | ], 91 | "dynamic_features": { 92 | "behavior_refs": [ 93 | "behavior--fa979df4-9c19-4aee-95a2-fd88dd014631", 94 | "behavior--811410e5-b5d2-453f-b00b-2673e26edb1f", 95 | "behavior--1c0fa14f-a6be-4ae1-bb16-81d11cf30c35", 96 | "behavior--f61215c1-32b7-4a13-b0ac-b479976b961d", 97 | "behavior--b950479f-2960-488a-a93b-5d789482d2ca", 98 | "behavior--836cbf4e-9388-416d-8895-ce4aa4c19022", 99 | "behavior--3634ffe8-b38a-4102-b6ed-2414a25622b6", 100 | "behavior--324e5eb8-ea1a-406a-8af4-515c455ed106", 101 | "behavior--67448145-5ddb-481b-a62b-33eb82739f84", 102 | "behavior--6b30377e-002b-40d3-a802-2be2bb061deb", 103 | "behavior--defbd38d-202c-4a3c-a962-122553b19aa1", 104 | "behavior--249aa183-77bf-46ba-affa-a51fc3da7e38", 105 | "behavior--b6ea67a3-2743-40b9-b102-aa97509e1629", 106 | "behavior--b03ce4c8-c0d7-43ca-973d-f1ff53a78351", 107 | "behavior--12174544-7fae-4c4b-b7c9-725a0f94f035", 108 | "behavior--1f236047-3a70-43be-8b6b-5e13b37f368a", 109 | "behavior--8ff3feb6-3f1f-4dfb-a3da-7b1ac6a36cd6", 110 | "behavior--345f2bc3-1e95-47bb-ba34-d60f7ba9882a", 111 | "behavior--9a3a0214-94ec-470d-8f9a-92dd5493541a" 112 | ] 113 | }, 114 | "capabilities": [ 115 | { 116 | "name": 
"security-degradation", 117 | "refined_capabilities": [ 118 | { 119 | "name": "security-software-degredation" 120 | } 121 | ], 122 | "attributes": { 123 | "targeted program": "procmon.exe" 124 | } 125 | }, 126 | { 127 | "name": "persistence", 128 | "refined_capabilities": [ 129 | { 130 | "name": "ensure-compatibility", 131 | "behavior_refs": ["behavior--811410e5-b5d2-453f-b00b-2673e26edb1f"] 132 | }, 133 | { 134 | "name": "continuous-execution" 135 | } 136 | ] 137 | }, 138 | { 139 | "name": "command-and-control", 140 | "attributes": { 141 | "network protocol": "http" 142 | }, 143 | "refined_capabilities": [ 144 | { 145 | "name": "receive-data-from-c2-server", 146 | "behavior_refs": [ 147 | "behavior--b950479f-2960-488a-a93b-5d789482d2ca", 148 | "behavior--836cbf4e-9388-416d-8895-ce4aa4c19022" 149 | ] 150 | }, 151 | { 152 | "name": "send-data-to-c2-server", 153 | "behavior_refs": [ 154 | "behavior--1c0fa14f-a6be-4ae1-bb16-81d11cf30c35", 155 | "behavior--f61215c1-32b7-4a13-b0ac-b479976b961d" 156 | ] 157 | } 158 | ] 159 | }, 160 | { 161 | "name": "secondary-operation", 162 | "refined_capabilities": [ 163 | { 164 | "name": "install-other-components" 165 | } 166 | ], 167 | "behavior_refs": ["behavior--3634ffe8-b38a-4102-b6ed-2414a25622b6"] 168 | }, 169 | { 170 | "name": "probing", 171 | "refined_capabilities": [ 172 | { 173 | "name": "network-environment-probing" 174 | } 175 | ], 176 | "behavior_refs": ["behavior--324e5eb8-ea1a-406a-8af4-515c455ed106"] 177 | 178 | }, 179 | { 180 | "name": "data-theft", 181 | "refined_capabilities": [ 182 | { 183 | "name": "authentication-credentials-theft", 184 | "behavior_refs": [ 185 | "behavior--6b30377e-002b-40d3-a802-2be2bb061deb", 186 | "behavior--45912152-5397-4f73-b7bf-bd067ceeef41", 187 | "behavior--b6ea67a3-2743-40b9-b102-aa97509e1629" 188 | ] 189 | }, 190 | { 191 | "name": "user-data-theft", 192 | "behavior_refs": [ 193 | "behavior--67448145-5ddb-481b-a62b-33eb82739f84", 194 | "behavior--defbd38d-202c-4a3c-a962-122553b19aa1", 
195 | "behavior--249aa183-77bf-46ba-affa-a51fc3da7e38" 196 | ] 197 | } 198 | ] 199 | }, 200 | { 201 | "name": "spying", 202 | "refined_capabilities": [ 203 | { 204 | "name": "output-peripheral-capture" 205 | } 206 | ], 207 | "behavior_refs": ["behavior--b03ce4c8-c0d7-43ca-973d-f1ff53a78351"] 208 | }, 209 | { 210 | "name": "data-exfiltration", 211 | "refined_capabilities": [ 212 | { 213 | "name":"data-staging" 214 | }, 215 | { 216 | "name":"data-obfuscation" 217 | } 218 | ], 219 | "behavior_refs": [ 220 | "behavior--12174544-7fae-4c4b-b7c9-725a0f94f035", 221 | "behavior--1f236047-3a70-43be-8b6b-5e13b37f368a", 222 | "behavior--8ff3feb6-3f1f-4dfb-a3da-7b1ac6a36cd6" 223 | ] 224 | }, 225 | { 226 | "name": "integrity-violation", 227 | "refined_capabilities": [ 228 | { 229 | "name":"compromise-system-availability", 230 | "behavior_refs": ["behavior--345f2bc3-1e95-47bb-ba34-d60f7ba9882a"] 231 | }, 232 | { 233 | "name": "data-integrity-violation" 234 | } 235 | ] 236 | } 237 | ] 238 | }, 239 | { 240 | "type": "malware-instance", 241 | "id": "malware-instance--511c93db-6426-41c6-a04d-50df6ac93c95", 242 | "instance_object_refs": ["3"] 243 | }, 244 | { 245 | "type": "malware-instance", 246 | "id": "malware-instance--d6850cf0-b246-4f92-a464-7e115da68717", 247 | "instance_object_refs": ["4"] 248 | }, 249 | { 250 | "type": "malware-instance", 251 | "id": "malware-instance--964a3bb8-ba1b-4115-ad8c-c8703c503934", 252 | "instance_object_refs": ["5"], 253 | "labels": ["wiper"], 254 | "capabilities": [ 255 | { 256 | "name": "secondary-operation", 257 | "refined_capabilities": [ 258 | { 259 | "name": "clean-traces-of-infection" 260 | } 261 | ], 262 | "behavior_refs": [ 263 | "behavior--fdac452f-9a94-4059-be42-e9acd3af7c4b", 264 | "behavior--34cf58f9-f573-41f6-b60b-4c163274fd19" 265 | ] 266 | } 267 | ], 268 | "dynamic_features":{ 269 | "behavior_refs": [ 270 | "behavior--fdac452f-9a94-4059-be42-e9acd3af7c4b", 271 | "behavior--34cf58f9-f573-41f6-b60b-4c163274fd19" 272 | ] 273 | } 274 | }, 
275 | { 276 | "type": "behavior", 277 | "id": "behavior--fdac452f-9a94-4059-be42-e9acd3af7c4b", 278 | "name": "remove-self" 279 | }, 280 | { 281 | "type": "behavior", 282 | "id": "behavior--34cf58f9-f573-41f6-b60b-4c163274fd19", 283 | "name": "remove-system-artifacts" 284 | }, 285 | { 286 | "type": "behavior", 287 | "id": "behavior--85b4e674-ddc0-4fb9-9c8c-24a8c6255ca1", 288 | "name": "identify-OS" 289 | }, 290 | { 291 | "type": "behavior", 292 | "id": "behavior--608e6794-70e8-4c46-a237-5f75fb9c2e77", 293 | "name": "obfuscate-artifact-properties" 294 | }, 295 | { 296 | "type": "behavior", 297 | "id": "behavior--8ff98c8b-649b-4daf-b3b5-bd11814421f6", 298 | "name": "persist-after-system-reboot" 299 | }, 300 | { 301 | "type": "behavior", 302 | "id": "behavior--84ff960f-69ff-4fd5-9ffa-539489ef8b20", 303 | "name": "install-secondary-module" 304 | }, 305 | { 306 | "type": "behavior", 307 | "id": "behavior--fa979df4-9c19-4aee-95a2-fd88dd014631", 308 | "name": "prevent-security-software-from-executing" 309 | }, 310 | { 311 | "type": "behavior", 312 | "id": "behavior--811410e5-b5d2-453f-b00b-2673e26edb1f", 313 | "name": "limit-application-type/version" 314 | }, 315 | { 316 | "type": "behavior", 317 | "id": "behavior--1c0fa14f-a6be-4ae1-bb16-81d11cf30c35", 318 | "name": "check-for-payload" 319 | }, 320 | { 321 | "type": "behavior", 322 | "id": "behavior--f61215c1-32b7-4a13-b0ac-b479976b961d", 323 | "name": "fingerprint-host" 324 | }, 325 | { 326 | "type": "behavior", 327 | "id": "behavior--b950479f-2960-488a-a93b-5d789482d2ca", 328 | "name": "control-local-machine-via-remote-command" 329 | }, 330 | { 331 | "type": "behavior", 332 | "id": "behavior--836cbf4e-9388-416d-8895-ce4aa4c19022", 333 | "name": "update-configuration" 334 | }, 335 | { 336 | "type": "behavior", 337 | "id": "behavior--3634ffe8-b38a-4102-b6ed-2414a25622b6", 338 | "name": "log-activity" 339 | }, 340 | { 341 | "type": "behavior", 342 | "id": "behavior--324e5eb8-ea1a-406a-8af4-515c455ed106", 343 | "name": 
"test-for-internet-connectivity" 344 | }, 345 | { 346 | "type": "behavior", 347 | "id": "behavior--67448145-5ddb-481b-a62b-33eb82739f84", 348 | "name": "steal-browser-cookie" 349 | }, 350 | { 351 | "type": "behavior", 352 | "id": "behavior--6b30377e-002b-40d3-a802-2be2bb061deb", 353 | "name": "steal-digital-certificates" 354 | }, 355 | { 356 | "type": "behavior", 357 | "id": "behavior--45912152-5397-4f73-b7bf-bd067ceeef41", 358 | "name": "steal-PKI-key" 359 | }, 360 | { 361 | "type": "behavior", 362 | "id": "behavior--defbd38d-202c-4a3c-a962-122553b19aa1", 363 | "name": "steal-browser-history" 364 | }, 365 | { 366 | "type": "behavior", 367 | "id": "behavior--249aa183-77bf-46ba-affa-a51fc3da7e38", 368 | "name": "steal-browser-cache" 369 | }, 370 | { 371 | "type": "behavior", 372 | "id": "behavior--b6ea67a3-2743-40b9-b102-aa97509e1629", 373 | "name": "steal-web/network-credential" 374 | }, 375 | { 376 | "type": "behavior", 377 | "id": "behavior--b03ce4c8-c0d7-43ca-973d-f1ff53a78351", 378 | "name": "capture-system-screenshot" 379 | }, 380 | { 381 | "type": "behavior", 382 | "id": "behavior--12174544-7fae-4c4b-b7c9-725a0f94f035", 383 | "name": "package-data" 384 | }, 385 | { 386 | "type": "behavior", 387 | "id": "behavior--1f236047-3a70-43be-8b6b-5e13b37f368a", 388 | "name": "encrypt-data" 389 | }, 390 | { 391 | "type": "behavior", 392 | "id": "behavior--8ff3feb6-3f1f-4dfb-a3da-7b1ac6a36cd6", 393 | "name": "exfiltrate-data-via-network" 394 | }, 395 | { 396 | "type": "behavior", 397 | "id": "behavior--345f2bc3-1e95-47bb-ba34-d60f7ba9882a", 398 | "name": "intercept/manipulate-network-traffic" 399 | }, 400 | { 401 | "type": "behavior", 402 | "id": "behavior--9a3a0214-94ec-470d-8f9a-92dd5493541a", 403 | "name": "persist-after-system-reboot", 404 | "attributes": { 405 | "scope": "other malware/components" 406 | } 407 | } 408 | ], 409 | "observable_objects": { 410 | "0": { 411 | "type": "file", 412 | "name": "2a7.exe", 413 | "hashes": { 414 | "MD5": 
"eaa5e4f26028c41ba3935a4ac455892c", 415 | "SHA1": "049db2d7030bf7563974a2c25671aef046cabf99" 416 | } 417 | }, 418 | "1": { 419 | "type": "file", 420 | "name": "dump_006D0000.bin", 421 | "hashes": { 422 | "MD5": "d819facd7c980b01bf44ea7efbf6af42", 423 | "SHA1": "abfe4e74b345669a0fcd8a34bff9c9a0a7bc9c44" 424 | } 425 | }, 426 | "2": { 427 | "type": "file", 428 | "name": "ctfmreg.dll", 429 | "hashes": { 430 | "MD5": "f9005fd7eb85a81f2f9b1474bba61be0", 431 | "SHA1": "89196b0ed3189e8571924144e57aa867f72164bd" 432 | } 433 | }, 434 | "3": { 435 | "type": "file", 436 | "name": "dump_00E30000.bin", 437 | "hashes": { 438 | "MD5": "a6bf4ae086b8d28612de4bc0d7ec4abe", 439 | "SHA1": "2b6b4fbc77553425b00ee3135e2e83386ebd797f" 440 | } 441 | }, 442 | "4": { 443 | "type": "file", 444 | "name": "ctfmreg64.dll", 445 | "hashes": { 446 | "MD5": "edb1c6fa185dc818e9cf1d107974561a", 447 | "SHA1": "383b76f23ac1d469a59a85af1a8d9c1d3f932e2f" 448 | } 449 | }, 450 | "5": { 451 | "type": "file", 452 | "name": "[0-9]{8}\\.bat", 453 | "hashes": { 454 | "MD5": "d226a657b279c5fc0a892748230a56ff", 455 | "SHA1": "fa7e4fb6d6de3c4769001cbfce0a00ba02ef28a5" 456 | } 457 | } 458 | }, 459 | "relationships": [ 460 | { 461 | "type": "relationship", 462 | "id": "relationship--e76536cc-4e0c-4107-a19b-ac16c27668ea", 463 | "source_ref": "malware-instance--1c56c435-8e83-4bab-adf8-e09c1515094b", 464 | "target_ref": "malware-instance--2c99c995-8f93-1cab-adf8-e09c1777094b", 465 | "relationship_type": "contained in memory image" 466 | }, 467 | { 468 | "type": "relationship", 469 | "id": "relationship--5472058f-d87f-4819-af27-c9a45d484f74", 470 | "source_ref": "malware-instance--1c56c435-8e83-4bab-adf8-e09c1515094b", 471 | "target_ref": "malware-instance--511c93db-6426-41c6-a04d-50df6ac93c95", 472 | "relationship_type": "contained in memory image" 473 | }, 474 | { 475 | "type": "relationship", 476 | "id":"relationship--d26f8966-6e3f-4350-864a-a5cb095eb57c", 477 | "source_ref": 
"malware-instance--2c99c995-8f93-1cab-adf8-e09c1777094b", 478 | "target_ref": "malware-instance--1c56c435-8e83-4bab-adf8-e09c1515094b", 479 | "relationship_type": "memory image of" 480 | }, 481 | { 482 | "type": "relationship", 483 | "id": "relationship--c6592b27-6ec3-472d-97aa-aa5897638ff4", 484 | "source_ref": "malware-instance--2c99c995-8f93-1cab-adf8-e09c1777094b", 485 | "target_ref": "malware-instance--7c91c995-8f83-1cab-adf8-f10c1000088a", 486 | "relationship_type": "drops" 487 | }, 488 | { 489 | "type": "relationship", 490 | "id": "relationship--52930fcb-69ba-4432-9b28-efaaa3ec277e", 491 | "source_ref": "malware-instance--2c99c995-8f93-1cab-adf8-e09c1777094b", 492 | "target_ref": "malware-instance--964a3bb8-ba1b-4115-ad8c-c8703c503934", 493 | "relationship_type": "drops" 494 | }, 495 | { 496 | "type":"relationship", 497 | "id": "relationship--7a5818c9-f4ba-43b0-8484-66995af04dca", 498 | "source_ref": "malware-instance--2c99c995-8f93-1cab-adf8-e09c1777094b", 499 | "target_ref": "malware-instance--7c91c995-8f83-1cab-adf8-f10c1000088a", 500 | "relationship_type": "installs" 501 | }, 502 | { 503 | "type": "relationship", 504 | "id":"relationship--e5d3056e-e3d5-4fd1-b0ad-69de3c230a4b", 505 | "source_ref": "malware-instance--7c91c995-8f83-1cab-adf8-f10c1000088a", 506 | "target_ref": "malware-instance--2c99c995-8f93-1cab-adf8-e09c1777094b", 507 | "relationship_type": "dropped by" 508 | }, 509 | { 510 | "type": "relationship", 511 | "id": "relationship--1dfd5108-ccaa-4269-9517-4e7c3347d5a2", 512 | "source_ref": "malware-instance--7c91c995-8f83-1cab-adf8-f10c1000088a", 513 | "target_ref": "malware-instance--511c93db-6426-41c6-a04d-50df6ac93c95", 514 | "relationship_type": "encrypted version of" 515 | }, 516 | { 517 | "type": "relationship", 518 | "id": "relationship--031b24f8-db11-4b53-a6cb-684b8e496e23", 519 | "source_ref": "malware-instance--7c91c995-8f83-1cab-adf8-f10c1000088a", 520 | "target_ref": "malware-instance--d6850cf0-b246-4f92-a464-7e115da68717", 521 | 
"relationship_type": "32 bit version-of" 522 | }, 523 | { 524 | "type": "relationship", 525 | "id": "relationship--3d7627d4-f0d9-4b63-90aa-f314aa9a260b", 526 | "source_ref": "malware-instance--511c93db-6426-41c6-a04d-50df6ac93c95", 527 | "target_ref": "malware-instance--1c56c435-8e83-4bab-adf8-e09c1515094b", 528 | "relationship_type": "memory image of" 529 | }, 530 | { 531 | "type": "relationship", 532 | "id": "relationship--37576cd9-f412-4236-969f-eb940c918b6c", 533 | "source_ref": "malware-instance--511c93db-6426-41c6-a04d-50df6ac93c95", 534 | "target_ref": "malware-instance--7c91c995-8f83-1cab-adf8-f10c1000088a", 535 | "relationship_type": "decrypted version of" 536 | }, 537 | { 538 | "type": "relationship", 539 | "id": "relationship--0265ad9a-104e-448c-8e6d-4ced09d9429e", 540 | "source_ref": "malware-instance--d6850cf0-b246-4f92-a464-7e115da68717", 541 | "target_ref": "malware-instance--2c99c995-8f93-1cab-adf8-e09c1777094b", 542 | "relationship_type": "extracted from" 543 | }, 544 | { 545 | "type": "relationship", 546 | "id": "relationship--4b021595-ab3c-49cc-aafb-04eeae2027ca", 547 | "source_ref": "malware-instance--d6850cf0-b246-4f92-a464-7e115da68717", 548 | "target_ref": "malware-instance--7c91c995-8f83-1cab-adf8-f10c1000088a", 549 | "relationship_type": "64-bit version of" 550 | }, 551 | { 552 | "type": "relationship", 553 | "id": "relationship--34adda84-4567-4815-aa6d-db5b77549d74", 554 | "source_ref": "malware-instance--964a3bb8-ba1b-4115-ad8c-c8703c503934", 555 | "target_ref": "malware-instance--2c99c995-8f93-1cab-adf8-e09c1777094b", 556 | "relationship_type": "dropped by" 557 | } 558 | ] 559 | } 560 | -------------------------------------------------------------------------------- /examples/package_clustering_example.json: -------------------------------------------------------------------------------- 1 | { 2 | "type": "package", 3 | "id": "package--8b6881e7-3253-494c-9750-1a30d9bfb508", 4 | "schema_version": "5.0", 5 | "maec_objects": [ 6 | { 7 | 
"type": "malware-instance", 8 | "id": "malware-instance--bc387224-2120-4fb8-949e-55a2b899f184", 9 | "instance_object_refs": ["0"], 10 | "labels": [ 11 | "trojan horse", 12 | "clicker" 13 | ] 14 | }, 15 | { 16 | "type": "malware-instance", 17 | "id": "malware-instance--60721f53-952e-4110-ad02-132e4cbeffd4", 18 | "instance_object_refs": ["1"], 19 | "labels":[ 20 | "trojan horse", 21 | "clicker" 22 | ] 23 | }, 24 | { 25 | "type": "malware-instance", 26 | "id": "malware-instance--1d90ffa0-22b8-4d5e-9518-132742f41b49", 27 | "instance_object_refs": ["2"], 28 | "labels": ["trojan horse"] 29 | } 30 | ], 31 | "observable_objects": { 32 | "0": { 33 | "type": "file", 34 | "hashes": { 35 | "MD5": "89c11cc1e7bcad1fa677201b29b46f5d" 36 | }, 37 | "extensions": { 38 | "x-maec-avclass": [ 39 | { 40 | "av_name": "Microsoft Security Essentials", 41 | "av_vendor": "Microsoft", 42 | "classification_name": "TrojanClicker:Win32/Small", 43 | "scan_date": "2017-10-23T08:22:35Z", 44 | "is_detected": true 45 | } 46 | ] 47 | } 48 | }, 49 | "1": { 50 | "type": "file", 51 | "hashes": { 52 | "MD5": "c4e0a16a8833a55e5ed8971783d09181" 53 | }, 54 | "extensions":{ 55 | "x-maec-avclass": [ 56 | { 57 | "av_name": "Microsoft Security Essentials", 58 | "av_vendor": "Microsoft", 59 | "classification_name": "TrojanClicker:Win32/Small.I", 60 | "scan_date": "2017-10-23T08:28:39Z", 61 | "is_detected": true 62 | } 63 | ] 64 | } 65 | }, 66 | "2": { 67 | "type": "file", 68 | "hashes": { 69 | "MD5": "40b1b0944f76d8f54f2564f69b685010" 70 | }, 71 | "extensions": { 72 | "x-maec-avclass": [ 73 | { 74 | "av_name": "Microsoft Security Essentials", 75 | "av_vendor": "Microsoft", 76 | "classification_name": "TrojanClicker:Win32/Small", 77 | "scan_date": "2017-10-22T03:22:16Z", 78 | "is_detected": true 79 | } 80 | ] 81 | } 82 | } 83 | }, 84 | "relationships": [ 85 | { 86 | "type": "relationship", 87 | "id": "relationship--1ad934b9-b918-4229-8fbf-3eb983948f1c", 88 | "relationship_type": "similarity score", 89 | 
"source_ref": "malware-instance--bc387224-2120-4fb8-949e-55a2b899f184", 90 | "target_ref": "malware-instance--60721f53-952e-4110-ad02-132e4cbeffd4", 91 | "metadata": { 92 | "distance": { 93 | "distance_score": 0.66667, 94 | "algorithm_name": "Test Algorithm", 95 | "algorithm_version": "1.0" 96 | } 97 | } 98 | }, 99 | { 100 | "type": "relationship", 101 | "id": "relationship--f716a2f3-71e0-42c2-aef4-e43f5b64f69f", 102 | "relationship_type": "similarity score", 103 | "source_ref": "malware-instance--bc387224-2120-4fb8-949e-55a2b899f184", 104 | "target_ref": "malware-instance--1d90ffa0-22b8-4d5e-9518-132742f41b49", 105 | "metadata": { 106 | "distance": { 107 | "distance_score": 1.0, 108 | "algorithm_name": "Test Algorithm", 109 | "algorithm_version": "1.0" 110 | } 111 | } 112 | }, 113 | { 114 | "type": "relationship", 115 | "id": "relationship--4872c245-dcca-4ae8-98e8-a1792c873fc1", 116 | "relationship_type": "similarity score", 117 | "source_ref": "malware-instance--60721f53-952e-4110-ad02-132e4cbeffd4", 118 | "target_ref": "malware-instance--1d90ffa0-22b8-4d5e-9518-132742f41b49", 119 | "metadata": { 120 | "distance": { 121 | "distance_score": 0.66667, 122 | "algorithm_name": "Test Algorithm", 123 | "algorithm_version": "1.0" 124 | } 125 | } 126 | } 127 | ] 128 | } 129 | -------------------------------------------------------------------------------- /examples/package_configuration_parameters_example.json: -------------------------------------------------------------------------------- 1 | { 2 | "type": "package", 3 | "id": "package--2b74d963-b59e-42ad-b098-b714466fbf3e", 4 | "schema_version": "5.0", 5 | "maec_objects": [ 6 | { 7 | "type": "malware-instance", 8 | "id": "malware-instance--dbcbeaf7-bba4-4332-9e5f-dfb1e3fb07fb", 9 | "instance_object_refs": ["0"], 10 | "static_features": { 11 | "configuration_parameters": [ 12 | { 13 | "filename": "wmimserver.exe", 14 | "installation path": "&System%", 15 | "id": "aubok", 16 | "mutex": "801JsYqFulHpg" 17 | } 18 | ] 19 | 
} 20 | } 21 | ], 22 | "observable_objects": { 23 | "0": { 24 | "type": "file", 25 | "name": "Investor Relations Contacts.doc", 26 | "hashes": { 27 | "MD5": "875767086897e90fb47a021b45e161b2" 28 | } 29 | } 30 | } 31 | } 32 | -------------------------------------------------------------------------------- /examples/package_development_environment_example.json: -------------------------------------------------------------------------------- 1 | { 2 | "type": "package", 3 | "id": "package--578fa231-d2b7-45ab-b372-8557763b5c53", 4 | "schema_version": "5.0", 5 | "maec_objects": [ 6 | { 7 | "type": "malware-instance", 8 | "id": "malware-instance--4b0c579e-c63c-4b61-ac68-d9e8254e5b4b", 9 | "instance_object_refs": ["0"], 10 | "static_features": { 11 | "development_environment": { 12 | "tool_refs": ["1"] 13 | } 14 | } 15 | } 16 | ], 17 | "observable_objects": { 18 | "0": { 19 | "type": "file", 20 | "hashes": { 21 | "MD5": "4EC0027BEF4D7E1786A04D021FA8A67F" 22 | } 23 | }, 24 | "1": { 25 | "type": "software", 26 | "name": "Microsoft Visual C++ compiler", 27 | "version": "6.0" 28 | } 29 | } 30 | } 31 | -------------------------------------------------------------------------------- /examples/package_dynamic_triage_example.json: -------------------------------------------------------------------------------- 1 | { 2 | "type": "package", 3 | "id": "package--57d19109-93ee-4326-bf0f-29c5e1063470", 4 | "schema_version": "5.0", 5 | "maec_objects": [ 6 | { 7 | "type": "malware-instance", 8 | "id": "malware-instance--274dbb74-3d82-4c2e-812a-bb0bb3258039", 9 | "instance_object_refs": ["0"], 10 | "labels": ["dropper"], 11 | "dynamic_features": { 12 | "action_refs": [ 13 | "malware-action--e94948a2-2eae-4f74-aab2-757ad91cf07c", 14 | "malware-action--12c701bd-f07a-4481-ae46-e4ff10707951", 15 | "malware-action--ff7b4095-93eb-4172-bb16-3825ce302b98", 16 | "malware-action--643a8371-7454-4b5b-9478-8cbdf103c158", 17 | "malware-action--8a021a6c-ecc1-4a66-a250-7557a10b6027", 18 | 
"malware-action--a04e4870-fd46-4559-bfc0-323d74db792c", 19 | "malware-action--93f50af2-0497-4c97-bf50-5eb4c2d93997", 20 | "malware-action--c7fe23fc-bdab-4b14-8d5d-cf8a1a8f162b", 21 | "malware-action--650096a1-4355-44da-b3cc-3bac279e90d1", 22 | "malware-action--6875036d-787b-4b78-9e95-9476889d712c", 23 | "malware-action--f78e4b46-ff6c-418b-8713-c380b7fcb4f8", 24 | "malware-action--736dd7b2-49ac-48c3-8b83-6d9a94be509d", 25 | "malware-action--07d1e675-f60d-4d08-b929-92cbc0000860", 26 | "malware-action--4e645710-b6fa-4751-b5ab-b03c520b3b2e", 27 | "malware-action--fa56fbdb-d4ed-4b56-847a-a166038df73e", 28 | "malware-action--92a20a21-f23f-4e3c-9e08-671a64652be5", 29 | "malware-action--c3c54677-ef90-4b48-809b-640bbe03f3ef", 30 | "malware-action--97f756f4-fda8-48bd-8715-7b44f2b22239", 31 | "malware-action--e3ba9fe7-d61a-4804-9167-a33fe7205c15" 32 | ], 33 | "process_tree": [ 34 | { 35 | "process_ref": "37", 36 | "ordinal_position": 0, 37 | "initiated_action_refs": [ 38 | "malware-action--e94948a2-2eae-4f74-aab2-757ad91cf07c", 39 | "malware-action--12c701bd-f07a-4481-ae46-e4ff10707951", 40 | "malware-action--ff7b4095-93eb-4172-bb16-3825ce302b98", 41 | "malware-action--643a8371-7454-4b5b-9478-8cbdf103c158", 42 | "malware-action--8a021a6c-ecc1-4a66-a250-7557a10b6027" 43 | ] 44 | }, 45 | { 46 | "process_ref": "38", 47 | "ordinal_position": 2, 48 | "parent_action_ref": "malware-action--fd1f13c6-917b-4209-a7e5-065daf6ac90a", 49 | "initiated_action_refs": [ 50 | "malware-action--a04e4870-fd46-4559-bfc0-323d74db792c", 51 | "malware-action--93f50af2-0497-4c97-bf50-5eb4c2d93997", 52 | "malware-action--c7fe23fc-bdab-4b14-8d5d-cf8a1a8f162b", 53 | "malware-action--650096a1-4355-44da-b3cc-3bac279e90d1", 54 | "malware-action--6875036d-787b-4b78-9e95-9476889d712c", 55 | "malware-action--f78e4b46-ff6c-418b-8713-c380b7fcb4f8", 56 | "malware-action--736dd7b2-49ac-48c3-8b83-6d9a94be509d", 57 | "malware-action--07d1e675-f60d-4d08-b929-92cbc0000860", 58 | 
"malware-action--4e645710-b6fa-4751-b5ab-b03c520b3b2e", 59 | "malware-action--fa56fbdb-d4ed-4b56-847a-a166038df73e" 60 | ] 61 | }, 62 | { 63 | "process_ref": "39", 64 | "ordinal_position": 3, 65 | "parent_action_ref": "malware-action--07d1e675-f60d-4d08-b929-92cbc0000860" 66 | }, 67 | { 68 | "process_ref": "40", 69 | "ordinal_position": 4, 70 | "parent_action_ref": "malware-action--4e645710-b6fa-4751-b5ab-b03c520b3b2e", 71 | "initiated_action_refs":[ 72 | "malware-action--92a20a21-f23f-4e3c-9e08-671a64652be5", 73 | "malware-action--c3c54677-ef90-4b48-809b-640bbe03f3ef", 74 | "malware-action--97f756f4-fda8-48bd-8715-7b44f2b22239" 75 | ] 76 | } 77 | ] 78 | }, 79 | "analysis_metadata": [ 80 | { 81 | "is_automated": false, 82 | "analysis_type": "static", 83 | "analysts": ["Franki Li"], 84 | "description": "A basic static triage of the subject binary using PEiD.", 85 | "tool_refs": ["42"] 86 | }, 87 | { 88 | "is_automated": false, 89 | "analysis_type": "dynamic", 90 | "description": "Dynamic (behavioral) and tool-based triage of the subject binary.", 91 | "analysts": ["Franki Li"], 92 | "tool_refs":[ 93 | "43", 94 | "44", 95 | "45", 96 | "46", 97 | "47", 98 | "48" 99 | ] 100 | 101 | } 102 | ] 103 | }, 104 | { 105 | "type": "malware-action", 106 | "id": "malware-action--e94948a2-2eae-4f74-aab2-757ad91cf07c", 107 | "name": "create-file", 108 | "is_successful": true, 109 | "output_object_refs": ["2"], 110 | "description": "action was discovered by analysis-tool-2" 111 | }, 112 | { 113 | "type": "malware-action", 114 | "id": "malware-action--12c701bd-f07a-4481-ae46-e4ff10707951", 115 | "name": "create-file", 116 | "is_successful": true, 117 | "output_object_refs": ["3"] 118 | }, 119 | { 120 | "type": "malware-action", 121 | "id": "malware-action--ff7b4095-93eb-4172-bb16-3825ce302b98", 122 | "name": "create-file", 123 | "is_successful": true, 124 | "output_object_refs": ["4"] 125 | }, 126 | { 127 | "type": "malware-action", 128 | "id": 
"malware-action--643a8371-7454-4b5b-9478-8cbdf103c158", 129 | "name": "write-to-file", 130 | "is_successful": true, 131 | "input_object_refs": ["5"] 132 | }, 133 | { 134 | "type": "malware-action", 135 | "id": "malware-action--8a021a6c-ecc1-4a66-a250-7557a10b6027", 136 | "name": "create-file", 137 | "is_successful": true, 138 | "output_object_refs": ["6"] 139 | }, 140 | { 141 | "type": "malware-action", 142 | "id": "malware-action--a04e4870-fd46-4559-bfc0-323d74db792c", 143 | "name": "create-file", 144 | "is_successful": true, 145 | "output_object_refs": ["7"] 146 | }, 147 | { 148 | "type": "malware-action", 149 | "id": "malware-action--93f50af2-0497-4c97-bf50-5eb4c2d93997", 150 | "name": "create-file", 151 | "is_successful": true, 152 | "output_object_refs": ["8"] 153 | }, 154 | { 155 | "type": "malware-action", 156 | "id": "malware-action--704f4e79-2097-40e5-ad60-0127c7adb094", 157 | "name": "create-file", 158 | "is_successful": true, 159 | "output_object_refs": ["9"] 160 | }, 161 | { 162 | "type": "malware-action", 163 | "id": "malware-action--c7fe23fc-bdab-4b14-8d5d-cf8a1a8f162b", 164 | "name": "create-mutex", 165 | "is_successful": true, 166 | "output_object_refs": ["10"] 167 | }, 168 | { 169 | "type": "malware-action", 170 | "id": "malware-action--fd1f13c6-917b-4209-a7e5-065daf6ac90a", 171 | "name": "create-remote-thread-in-process", 172 | "is_successful": true, 173 | "output_object_refs": ["11"], 174 | "input_object_refs": ["12"] 175 | }, 176 | { 177 | "type": "malware-action", 178 | "id": "malware-action--1934e26a-cae4-43f6-ae8f-a7950df755f1", 179 | "name": "send-dns-query", 180 | "is_successful": false, 181 | "input_object_refs": ["13"] 182 | }, 183 | { 184 | "type": "malware-action", 185 | "id": "malware-action--020857f7-47d1-4662-8195-09f03d40433a", 186 | "name": "send-dns-query", 187 | "is_successful": false, 188 | "input_object_refs": ["14"] 189 | }, 190 | { 191 | "type": "malware-action", 192 | "id": 
"malware-action--b95988df-87ee-4109-b33c-e15c0a9c8dd8", 193 | "name": "send-dns-query", 194 | "is_successful": false, 195 | "input_object_refs": ["15"] 196 | }, 197 | { 198 | "type": "malware-action", 199 | "id": "malware-action--32d85024-aab1-4c58-a49b-777241005f6b", 200 | "name": "send-dns-query", 201 | "is_successful": false, 202 | "input_object_refs": ["16"] 203 | }, 204 | { 205 | "type": "malware-action", 206 | "id": "malware-action--3eb05cf7-6cd8-46fe-a11b-2e8d4a2057b9", 207 | "name": "send-dns-query", 208 | "is_successful": false, 209 | "input_object_refs": ["17"] 210 | }, 211 | { 212 | "type": "malware-action", 213 | "id": "malware-action--da376cf4-25ca-4fe5-be6a-835d037c64d2", 214 | "name": "connect-to-ip-address", 215 | "is_successful": false, 216 | "input_object_refs": ["18"] 217 | }, 218 | { 219 | "type": "malware-action", 220 | "id": "malware-action--525bc6d9-39e2-4303-8273-5c619d6baa1c", 221 | "name": "connect-to-ip-address", 222 | "is_successful": false, 223 | "input_object_refs": ["19"] 224 | }, 225 | { 226 | "type": "malware-action", 227 | "id": "malware-action--650096a1-4355-44da-b3cc-3bac279e90d1", 228 | "name": "create-file", 229 | "is_successful": true, 230 | "output_object_refs": ["20"] 231 | }, 232 | { 233 | "type": "malware-action", 234 | "id": "malware-action--6875036d-787b-4b78-9e95-9476889d712c", 235 | "name": "create-file", 236 | "is_successful": true, 237 | "output_object_refs": ["21"] 238 | }, 239 | { 240 | "type": "malware-action", 241 | "id": "malware-action--f78e4b46-ff6c-418b-8713-c380b7fcb4f8", 242 | "name": "create-file", 243 | "is_successful": true, 244 | "output_object_refs": ["22"] 245 | }, 246 | { 247 | "type": "malware-action", 248 | "id": "malware-action--736dd7b2-49ac-48c3-8b83-6d9a94be509d", 249 | "name": "create-process", 250 | "is_successful": true, 251 | "output_object_refs": ["23"] 252 | }, 253 | { 254 | "type": "malware-action", 255 | "id": "malware-action--07d1e675-f60d-4d08-b929-92cbc0000860", 256 | "name": 
"create-process", 257 | "is_successful": true, 258 | "output_object_refs": ["24"] 259 | }, 260 | { 261 | "type": "malware-action", 262 | "id": "malware-action--4e645710-b6fa-4751-b5ab-b03c520b3b2e", 263 | "name": "create-process", 264 | "is_successful": true, 265 | "output_object_refs": ["25"] 266 | }, 267 | { 268 | "type": "malware-action", 269 | "id": "malware-action--fa56fbdb-d4ed-4b56-847a-a166038df73e", 270 | "name": "create-file", 271 | "is_successful": true, 272 | "output_object_refs": ["26"] 273 | }, 274 | { 275 | "type": "malware-action", 276 | "id": "malware-action--92a20a21-f23f-4e3c-9e08-671a64652be5", 277 | "name": "create-file", 278 | "is_successful": true, 279 | "output_object_refs": ["27"] 280 | }, 281 | { 282 | "type": "malware-action", 283 | "id": "malware-action--c3c54677-ef90-4b48-809b-640bbe03f3ef", 284 | "name": "create-file", 285 | "is_successful": true, 286 | "output_object_refs": ["28"] 287 | }, 288 | { 289 | "type": "malware-action", 290 | "id": "malware-action--97f756f4-fda8-48bd-8715-7b44f2b22239", 291 | "name": "create-file", 292 | "is_successful": true, 293 | "output_object_refs": ["29"] 294 | }, 295 | { 296 | "type": "malware-action", 297 | "id": "malware-action--e3ba9fe7-d61a-4804-9167-a33fe7205c15", 298 | "name": "create-file", 299 | "is_successful": true, 300 | "output_object_refs": ["30"] 301 | }, 302 | { 303 | "type": "collection", 304 | "id": "collection--d4158f0a-9858-4fbd-a6e7-7024e9cd9828", 305 | "association_type": "File Actions", 306 | "entity_refs": [ 307 | "malware-action--e94948a2-2eae-4f74-aab2-757ad91cf07c", 308 | "malware-action--12c701bd-f07a-4481-ae46-e4ff10707951", 309 | "malware-action--ff7b4095-93eb-4172-bb16-3825ce302b98", 310 | "malware-action--643a8371-7454-4b5b-9478-8cbdf103c158", 311 | "malware-action--8a021a6c-ecc1-4a66-a250-7557a10b6027", 312 | "malware-action--a04e4870-fd46-4559-bfc0-323d74db792c", 313 | "malware-action--93f50af2-0497-4c97-bf50-5eb4c2d93997", 314 | 
"malware-action--704f4e79-2097-40e5-ad60-0127c7adb094", 315 | "malware-action--650096a1-4355-44da-b3cc-3bac279e90d1", 316 | "malware-action--6875036d-787b-4b78-9e95-9476889d712c", 317 | "malware-action--f78e4b46-ff6c-418b-8713-c380b7fcb4f8", 318 | "malware-action--fa56fbdb-d4ed-4b56-847a-a166038df73e", 319 | "malware-action--92a20a21-f23f-4e3c-9e08-671a64652be5", 320 | "malware-action--c3c54677-ef90-4b48-809b-640bbe03f3ef", 321 | "malware-action--97f756f4-fda8-48bd-8715-7b44f2b22239", 322 | "malware-action--e3ba9fe7-d61a-4804-9167-a33fe7205c15" 323 | ] 324 | }, 325 | { 326 | "type": "collection", 327 | "id": "collection--68760b78-9c4b-4955-b460-229ffa7c40f8", 328 | "association_type": "Synchronization actions", 329 | "entity_refs": ["malware-action--c7fe23fc-bdab-4b14-8d5d-cf8a1a8f162b"] 330 | }, 331 | { 332 | "type": "collection", 333 | "id": "collection--d599ccec-6956-49f9-9b34-43eb2a208c7e", 334 | "association_type": "Thread Actions", 335 | "entity_refs": ["malware-action--fd1f13c6-917b-4209-a7e5-065daf6ac90a"] 336 | }, 337 | { 338 | "type": "collection", 339 | "id": "collection--55127fb5-1241-4a95-a1c5-45315aad12ad", 340 | "association_type": "Process Actions", 341 | "entity_refs": [ 342 | "malware-action--736dd7b2-49ac-48c3-8b83-6d9a94be509d", 343 | "malware-action--07d1e675-f60d-4d08-b929-92cbc0000860", 344 | "malware-action--4e645710-b6fa-4751-b5ab-b03c520b3b2e" 345 | ] 346 | }, 347 | { 348 | "type": "collection", 349 | "id": "collection--cd37efad-f204-4510-b94b-2f2d6328a9a0", 350 | "association_type": "Network Actions", 351 | "entity_refs": [ 352 | "malware-action--1934e26a-cae4-43f6-ae8f-a7950df755f1", 353 | "malware-action--020857f7-47d1-4662-8195-09f03d40433a", 354 | "malware-action--b95988df-87ee-4109-b33c-e15c0a9c8dd8", 355 | "malware-action--32d85024-aab1-4c58-a49b-777241005f6b", 356 | "malware-action--3eb05cf7-6cd8-46fe-a11b-2e8d4a2057b9", 357 | "malware-action--da376cf4-25ca-4fe5-be6a-835d037c64d2", 358 | 
"malware-action--525bc6d9-39e2-4303-8273-5c619d6baa1c" 359 | ] 360 | } 361 | ], 362 | "observable_objects": { 363 | "0": { 364 | "type": "file", 365 | "name": "dg003_improve_8080_V132.exe", 366 | "size": 196608, 367 | "hashes": { 368 | "MD5": "4EC0027BEF4D7E1786A04D021FA8A67" 369 | } 370 | }, 371 | "1": { 372 | "type": "file", 373 | "extensions":{ 374 | "windows-pebinary-ext": { 375 | "pe_type": "exe", 376 | "optional_header": { 377 | "major_linker_version": 6, 378 | "minor_linker_version": 0, 379 | "base_of_code": 36418, 380 | "subsystem_hex": "2" 381 | } 382 | } 383 | } 384 | }, 385 | "2": { 386 | "type": "file", 387 | "name": "ws2help.PNF", 388 | "parent_directory_ref": "49" 389 | }, 390 | "3": { 391 | "type": "file", 392 | "name": "msvcr.dll", 393 | "parent_directory_ref": "49" 394 | }, 395 | "4":{ 396 | "type": "file", 397 | "name": "1.txt", 398 | "parent_directory_ref": "31" 399 | }, 400 | "5": { 401 | "type": "file", 402 | "name": "netstat.exe", 403 | "parent_directory_ref": "32" 404 | }, 405 | "6":{ 406 | "type": "file", 407 | "name": "IECheck.exe", 408 | "parent_directory_ref": "49" 409 | }, 410 | "7": { 411 | "type": "file", 412 | "name": "IPsecstap.dat", 413 | "parent_directory_ref": "32" 414 | }, 415 | "8": { 416 | "type": "file", 417 | "name": "Internet Explorer Security Check.lnk", 418 | "parent_directory_ref": "33" 419 | }, 420 | "9": { 421 | "type": "file", 422 | "name": "13605", 423 | "parent_directory_ref": "32" 424 | }, 425 | "10": { 426 | "type": "mutex", 427 | "name": "VistaDLLProRUNNING" 428 | }, 429 | "11": { 430 | "type": "file", 431 | "name": "msvcr.dll", 432 | "parent_directory_ref": "49" 433 | }, 434 | "12": { 435 | "type": "process", 436 | "name": "explorer.exe", 437 | "cwd": "C:\\Windows\\" 438 | }, 439 | "13": { 440 | "type": "url", 441 | "value": "test.3322.org.cn" 442 | }, 443 | "14": { 444 | "type": "url", 445 | "value": "1.test.3322.org.cn" 446 | }, 447 | "15": { 448 | "type": "url", 449 | "value": "2.test.3322.org.cn" 450 | }, 451 
| "16": { 452 | "type": "url", 453 | "value": "3.test.3322.org.cn" 454 | }, 455 | "17": { 456 | "type": "url", 457 | "value": "4.test.3322.org.cn" 458 | }, 459 | "18": { 460 | "type": "ipv4-addr", 461 | "value": "172.16.0.61" 462 | }, 463 | "19": { 464 | "type": "ipv4-addr", 465 | "value": "115.*.*.249" 466 | }, 467 | "20": { 468 | "type": "file", 469 | "name": "fvcwin32.exe", 470 | "parent_directory_ref": "34" 471 | }, 472 | "21": { 473 | "type": "file", 474 | "name": "acvcwin32.exe", 475 | "parent_directory_ref": "34" 476 | }, 477 | "22": { 478 | "type": "file", 479 | "name": "avcwin32.exe", 480 | "parent_directory_ref": "34" 481 | }, 482 | "23":{ 483 | "type":"file", 484 | "name":"fvcwin32.exe", 485 | "parent_directory_ref":"34" 486 | }, 487 | "24": { 488 | "type": "file", 489 | "name": "acvcwin32.exe", 490 | "parent_directory_ref": "34" 491 | }, 492 | "25": { 493 | "type": "file", 494 | "name": "avcwin32.exe", 495 | "parent_directory_ref": "34" 496 | }, 497 | "26": { 498 | "type": "file", 499 | "name": "AutoList.txt", 500 | "parent_directory_ref": "35" 501 | }, 502 | "27": { 503 | "type": "file", 504 | "name": "SAM.dll", 505 | "parent_directory_ref": "36" 506 | }, 507 | "28": { 508 | "type": "file", 509 | "name": "system.dll", 510 | "parent_directory_ref": "36" 511 | }, 512 | "29": { 513 | "type": "file", 514 | "name": "Iestorage.dll", 515 | "parent_directory_ref": "36" 516 | }, 517 | "30": { 518 | "type": "file", 519 | "name": "drive.cab", 520 | "parent_directory_ref": "36" 521 | }, 522 | "49": { 523 | "type": "directory", 524 | "path": "C:\\Documents and Settings\\user\\Local Settings\\Application\\Data" 525 | }, 526 | "31": { 527 | "type": "directory", 528 | "path": "C:\\Windows\\inf" 529 | }, 530 | "32": { 531 | "type": "directory", 532 | "path": "C:\\Windows\\system32" 533 | }, 534 | "33": { 535 | "type": "directory", 536 | "path": "C:\\Documents and Settings\\user+\\Start Menu\\Programs\\Startup" 537 | }, 538 | "34": { 539 | "type": "directory", 540 | 
"path": "C:\\WINDOWS\\Debug" 541 | }, 542 | "35": { 543 | "type": "directory", 544 | "path": "C:\\Documents and Settings\\.*\\Application Data" 545 | }, 546 | "36": { 547 | "type": "directory", 548 | "path": "C:\\WINDOWS\\Debug\\Data" 549 | }, 550 | "37": { 551 | "type": "process", 552 | "name": "dg003.exe", 553 | "cwd": "C:\\" 554 | }, 555 | "38": { 556 | "type": "process", 557 | "name": "explorer.exe", 558 | "cwd": "C:\\" 559 | }, 560 | "39": { 561 | "type": "process", 562 | "name": "fvcwin32.exe", 563 | "cwd": "C:\\" 564 | }, 565 | "40": { 566 | "type": "process", 567 | "name": "acvwin32.exe", 568 | "cwd": "C:\\" 569 | }, 570 | "41": { 571 | "type": "process", 572 | "name": "avcwin32.exe", 573 | "cwd": "C:\\" 574 | }, 575 | "42": { 576 | "type": "software", 577 | "name": "PEiD", 578 | "version": "0.94" 579 | }, 580 | "43": { 581 | "type": "software", 582 | "name": "CaptureBAT", 583 | "vendor": "Zealand Honeynet Project", 584 | "version": "2.0.0" 585 | }, 586 | "44": { 587 | "type": "software", 588 | "name": "Regshot", 589 | "version ":"1.8.2" 590 | }, 591 | "45": { 592 | "type": "software", 593 | "name": "HandleDiff", 594 | "version": "0.2" 595 | }, 596 | "46": { 597 | "type": "software", 598 | "name": "VMMap", 599 | "vendor": "Sysinternals", 600 | "version": "3.1" 601 | }, 602 | "47": { 603 | "type": "software", 604 | "name": "WireShark", 605 | "vendor" : "WireShark.org", 606 | "version": "1.2.2" 607 | }, 608 | "48": { 609 | "type": "software", 610 | "name": "Process Monitor", 611 | "vendor": "Sysinternals", 612 | "version": "15.0" 613 | } 614 | }, 615 | "relationships": [ 616 | { 617 | "type": "relationship", 618 | "id": "relationship--b80b0842-dc21-4f12-99c8-5dcb328e4377", 619 | "source_ref": "malware-action--e94948a2-2eae-4f74-aab2-757ad91cf07c", 620 | "target_ref": "43", 621 | "relationship_type": "discovered by" 622 | }, 623 | { 624 | "type": "relationship", 625 | "id": "relationship--8f1c8b92-6aca-44b2-a2bc-5fbe1f9916f6", 626 | "source_ref": 
"malware-action--12c701bd-f07a-4481-ae46-e4ff10707951", 627 | "target_ref": "43", 628 | "relationship_type": "discovered by" 629 | }, 630 | { 631 | "type": "relationship", 632 | "id": "relationship--7be324fe-c803-4496-b675-a2f21aab06ca", 633 | "source_ref": "malware-action--ff7b4095-93eb-4172-bb16-3825ce302b98", 634 | "target_ref": "43", 635 | "relationship_type": "discovered by" 636 | }, 637 | { 638 | "type": "relationship", 639 | "id":"relationship--889fdcda-524b-4e8b-84ad-32c70b4ccf1e", 640 | "source_ref": "malware-action--643a8371-7454-4b5b-9478-8cbdf103c158", 641 | "target_ref": "43", 642 | "relationship_type": "discovered by" 643 | }, 644 | { 645 | "type": "relationship", 646 | "id": "relationship--149a2029-56c4-4a1a-ac91-8660703d16ec", 647 | "source_ref": "malware-action--8a021a6c-ecc1-4a66-a250-7557a10b6027", 648 | "target_ref": "43", 649 | "relationship_type": "discovered by" 650 | }, 651 | { 652 | "type": "relationship", 653 | "id": "relationship--2fe80b04-dfe6-4395-9a24-266417b4cca3", 654 | "source_ref": "malware-action--a04e4870-fd46-4559-bfc0-323d74db792c", 655 | "target_ref": "43", 656 | "relationship_type": "discovered by" 657 | }, 658 | { 659 | "type": "relationship", 660 | "id": "relationship--944de6bf-fd9f-4651-bfc5-9266dfa8bd2a", 661 | "source_ref": "malware-action--93f50af2-0497-4c97-bf50-5eb4c2d93997", 662 | "target_ref": "43", 663 | "relationship_type": "discovered by" 664 | }, 665 | { 666 | "type": "relationship", 667 | "id": "relationship--64d17331-6c8f-4945-bc1e-755f6fbc1a62", 668 | "source_ref": "malware-action--704f4e79-2097-40e5-ad60-0127c7adb094", 669 | "target_ref": "44", 670 | "relationship_type": "discovered by" 671 | }, 672 | { 673 | "type": "relationship", 674 | "id": "relationship--06aebe6b-eab0-418f-a5dd-2cd64d5a3fe5", 675 | "source_ref": "malware-action--650096a1-4355-44da-b3cc-3bac279e90d1", 676 | "target_ref": "43", 677 | "relationship_type": "discovered by" 678 | }, 679 | { 680 | "type": "relationship", 681 | "id": 
"relationship--c3f9dddc-eefb-429b-a595-24678ad4ee55", 682 | "source_ref": "malware-action--6875036d-787b-4b78-9e95-9476889d712c", 683 | "target_ref": "43", 684 | "relationship_type": "discovered by" 685 | }, 686 | { 687 | "type": "relationship", 688 | "id": "relationship--8a1b9bd2-7793-45bf-a962-7ae650dbdd55", 689 | "source_ref": "malware-action--f78e4b46-ff6c-418b-8713-c380b7fcb4f8", 690 | "target_ref": "43", 691 | "relationship_type": "discovered by" 692 | }, 693 | { 694 | "type": "relationship", 695 | "id": "relationship--99d19171-a48f-4d32-8333-eeef485df82b", 696 | "source_ref": "malware-action--fa56fbdb-d4ed-4b56-847a-a166038df73e", 697 | "target_ref": "43", 698 | "relationship_type": "discovered by" 699 | }, 700 | { 701 | "type": "relationship", 702 | "id": "relationship--112a04c6-181e-4bd0-a384-292500b3b44d", 703 | "source_ref": "malware-action--92a20a21-f23f-4e3c-9e08-671a64652be5", 704 | "target_ref": "43", 705 | "relationship_type": "discovered by" 706 | }, 707 | { 708 | "type": "relationship", 709 | "id": "relationship--37a8afdf-b283-487e-bc7b-90a37fe48348", 710 | "source_ref": "malware-action--c3c54677-ef90-4b48-809b-640bbe03f3ef", 711 | "target_ref": "43", 712 | "relationship_type": "discovered by" 713 | }, 714 | { 715 | "type": "relationship", 716 | "id": "relationship--870acb68-c0fe-4950-b516-ef29b7fc0d6a", 717 | "source_ref": "malware-action--97f756f4-fda8-48bd-8715-7b44f2b22239", 718 | "target_ref": "43", 719 | "relationship_type": "discovered by" 720 | }, 721 | { 722 | "type": "relationship", 723 | "id": "relationship--ecceb0fd-30dc-4c4c-90c4-145889e09896", 724 | "source_ref": "malware-action--e3ba9fe7-d61a-4804-9167-a33fe7205c15", 725 | "target_ref": "43", 726 | "relationship_type": "discovered by" 727 | }, 728 | { 729 | "type": "relationship", 730 | "id": "relationship--460d4dba-55d1-41c2-b2eb-cc5a5b5f3b90", 731 | "source_ref": "malware-action--c7fe23fc-bdab-4b14-8d5d-cf8a1a8f162b", 732 | "target_ref": "45", 733 | "relationship_type": 
"discovered by" 734 | }, 735 | { 736 | "type": "relationship", 737 | "id": "relationship--159de90a-32fd-4561-bf32-7ef7be172b86", 738 | "source_ref": "malware-action--fd1f13c6-917b-4209-a7e5-065daf6ac90a", 739 | "target_ref": "46", 740 | "relationship_type": "discovered by" 741 | }, 742 | { 743 | "type": "relationship", 744 | "id": "relationship--df9ba3e9-cc03-459f-9078-1ad89fefb392", 745 | "source_ref": "malware-action--fd1f13c6-917b-4209-a7e5-065daf6ac90a", 746 | "target_ref": "malware-action--12c701bd-f07a-4481-ae46-e4ff10707951", 747 | "relationship_type": "preceded by" 748 | }, 749 | { 750 | "type": "relationship", 751 | "id": "relationship--6ca655fb-e699-4d9e-a6bd-aa99539a5f88", 752 | "source_ref": "malware-action--736dd7b2-49ac-48c3-8b83-6d9a94be509d", 753 | "target_ref": "48", 754 | "relationship_type": "discovered by" 755 | }, 756 | { 757 | "type": "relationship", 758 | "id": "relationship--02210fa5-d4e4-404e-9d2a-4e38b695c2dc", 759 | "source_ref": "malware-action--07d1e675-f60d-4d08-b929-92cbc0000860", 760 | "target_ref": "48", 761 | "relationship_type": "discovered by" 762 | }, 763 | { 764 | "type": "relationship", 765 | "id": "relationship--45a8c815-1ac6-4431-a939-6dafe9df7a8e", 766 | "source_ref": "malware-action--4e645710-b6fa-4751-b5ab-b03c520b3b2e", 767 | "target_ref": "48", 768 | "relationship_type": "discovered by" 769 | }, 770 | { 771 | "type": "relationship", 772 | "id": "relationship--8273489e-1d07-425d-a499-dcae80356f19", 773 | "source_ref": "malware-action--1934e26a-cae4-43f6-ae8f-a7950df755f1", 774 | "target_ref": "47", 775 | "relationship_type": "discovered by" 776 | }, 777 | { 778 | "type": "relationship", 779 | "id": "relationship--a34c9f7f-4f34-4425-83dc-ac45149d0fdd", 780 | "source_ref": "malware-action--020857f7-47d1-4662-8195-09f03d40433a", 781 | "target_ref": "47", 782 | "relationship_type": "discovered by" 783 | }, 784 | { 785 | "type": "relationship", 786 | "id": "relationship--6b028505-4e41-48e0-b82c-05bc573f2ad7", 787 | 
"source_ref": "malware-action--b95988df-87ee-4109-b33c-e15c0a9c8dd8", 788 | "target_ref": "47", 789 | "relationship_type": "discovered by" 790 | }, 791 | { 792 | "type": "relationship", 793 | "id": "relationship--c62aede6-9c17-4ebd-bdef-0b9baeb17201", 794 | "source_ref": "malware-action--32d85024-aab1-4c58-a49b-777241005f6b", 795 | "target_ref": "47", 796 | "relationship_type": "discovered by" 797 | }, 798 | { 799 | "type": "relationship", 800 | "id": "relationship--ab1dea7a-1708-4772-ad24-0e5438b84746", 801 | "source_ref": "malware-action--3eb05cf7-6cd8-46fe-a11b-2e8d4a2057b9", 802 | "target_ref": "47", 803 | "relationship_type": "discovered by" 804 | }, 805 | { 806 | "type":"relationship", 807 | "id": "relationship--d2d4e322-432b-454c-a54f-01ab453ff1a8", 808 | "source_ref": "malware-action--da376cf4-25ca-4fe5-be6a-835d037c64d2", 809 | "target_ref": "47", 810 | "relationship_type": "discovered by" 811 | }, 812 | { 813 | "type": "relationship", 814 | "id": "relationship--dd4122c5-8298-4f48-8502-5b9493846f97", 815 | "source_ref": "malware-action--525bc6d9-39e2-4303-8273-5c619d6baa1c", 816 | "target_ref": "47", 817 | "relationship_type": "discovered by" 818 | } 819 | ] 820 | } -------------------------------------------------------------------------------- /examples/package_multi_partite_malware_example.json: -------------------------------------------------------------------------------- 1 | { 2 | "type": "package", 3 | "id": "package--7db5434d-4c66-4583-842a-124f3d63150d", 4 | "schema_version": "5.0", 5 | "maec_objects": [ 6 | { 7 | "type": "malware-instance", 8 | "id": "malware-instance--b175e285-6bc9-494d-9a0a-ebe5adea68f2", 9 | "instance_object_refs": ["0"], 10 | "labels": ["dropper"] 11 | }, 12 | { 13 | "type": "malware-instance", 14 | "id": "malware-instance--2e1cc846-39a3-4012-9070-c4cf3411cfdb", 15 | "instance_object_refs": ["1"], 16 | "labels": ["downloader"] 17 | }, 18 | { 19 | "type": "malware-instance", 20 | "id": 
"malware-instance--b0e89a34-f870-4c46-beff-63a10c945b9d", 21 | "instance_object_refs": ["2"] 22 | }, 23 | { 24 | "type": "malware-instance", 25 | "id": "malware-instance--0a1bbb40-6c99-4207-8ada-41b8fe2433ee", 26 | "instance_object_refs": ["3"] 27 | }, 28 | { 29 | "type": "malware-instance", 30 | "id": "malware-instance--1300ef61-3042-4008-81d5-fa1724b4e3dd", 31 | "instance_object_refs": ["4"] 32 | }, 33 | { 34 | "type": "collection", 35 | "id": "collection--1d8cab0d-f1de-45d0-b1f6-1833a7a2a7ec", 36 | "association_type": "observed together", 37 | "entity_refs": [ 38 | "malware-instance--b175e285-6bc9-494d-9a0a-ebe5adea68f2", 39 | "malware-instance--2e1cc846-39a3-4012-9070-c4cf3411cfdb", 40 | "malware-instance--b0e89a34-f870-4c46-beff-63a10c945b9d", 41 | "malware-instance--0a1bbb40-6c99-4207-8ada-41b8fe2433ee", 42 | "malware-instance--1300ef61-3042-4008-81d5-fa1724b4e3dd" 43 | ] 44 | } 45 | ], 46 | "observable_objects": { 47 | "0": { 48 | "type": "file", 49 | "name": "dg003_improve_8080_V132.exe", 50 | "size": 196608, 51 | "hashes": { 52 | "MD5":"4EC0027BEF4D7E1786A04D021FA8A67F" 53 | } 54 | }, 55 | "1": { 56 | "type": "file", 57 | "name": "mscvr.dll" 58 | }, 59 | "2": { 60 | "type": "file", 61 | "name": "fvcwin32.exe" 62 | }, 63 | "3": { 64 | "type": "file", 65 | "name": "acvwin32.exe" 66 | }, 67 | "4": { 68 | "type": "file", 69 | "name": "avcwin32.exe" 70 | } 71 | }, 72 | "relationships": [ 73 | { 74 | "type": "relationship", 75 | "id": "relationship--9b4895f9-7790-4254-a2a5-a9923fa78950", 76 | "source_ref": "malware-instance--2e1cc846-39a3-4012-9070-c4cf3411cfdb", 77 | "target_ref": "malware-instance--b175e285-6bc9-494d-9a0a-ebe5adea68f2", 78 | "relationship_type": "dropped-by" 79 | }, 80 | { 81 | "type": "relationship", 82 | "id": "relationship--eaf67250-8541-4b7d-802d-dc328aab8c8c", 83 | "source_ref": "malware-instance--b0e89a34-f870-4c46-beff-63a10c945b9d", 84 | "target_ref": "malware-instance--2e1cc846-39a3-4012-9070-c4cf3411cfdb", 85 | "relationship_type": 
"downloaded-by" 86 | }, 87 | { 88 | "type": "relationship", 89 | "id": "relationship--92157c5f-1bd6-4224-a8fa-75b5b8d3fcb7", 90 | "source_ref": "malware-instance--0a1bbb40-6c99-4207-8ada-41b8fe2433ee", 91 | "target_ref": "malware-instance--2e1cc846-39a3-4012-9070-c4cf3411cfdb", 92 | "relationship_type": "downloaded-by" 93 | }, 94 | { 95 | "type": "relationship", 96 | "id": "relationship--787af6c0-50e8-43e4-bbaf-7f396882a7d5", 97 | "source_ref": "malware-instance--1300ef61-3042-4008-81d5-fa1724b4e3dd", 98 | "target_ref": "malware-instance--2e1cc846-39a3-4012-9070-c4cf3411cfdb", 99 | "relationship_type": "downloaded-by" 100 | } 101 | ] 102 | } 103 | 104 | -------------------------------------------------------------------------------- /examples/package_multiple_analysis_example.json: -------------------------------------------------------------------------------- 1 | { 2 | "type": "package", 3 | "id": "package--d7af55a5-f0e1-43b0-bcd2-ba1174c579bf", 4 | "schema_version": "5.0", 5 | "maec_objects": [ 6 | { 7 | "type": "malware-instance", 8 | "id": "malware-instance--5746070b-7e0b-45c7-8980-84427ef773b3", 9 | "instance_object_refs": ["0"], 10 | "labels": [ 11 | "trojan horse", 12 | "bot", 13 | "keylogger", 14 | "password stealer" 15 | ], 16 | "analysis_metadata": [ 17 | { 18 | "is_automated": true, 19 | "analysis_type": "dynamic", 20 | "description": "Dynamic (behavioral) triage of the subject binary.", 21 | "tool_refs": ["2"] 22 | }, 23 | { 24 | "is_automated": true, 25 | "analysis_type": "dynamic", 26 | "description": "Dynamic (behavioral) and tool-based triage of the subject binary.", 27 | "tool_refs": ["3"] 28 | } 29 | ], 30 | "dynamic_features":{ 31 | "action_refs":[ 32 | "malware-action--9bee0108-97ea-41e9-b624-f199119e280d", 33 | "malware-action--a6ae673b-ec94-466e-acab-d68d1c9b5bd4", 34 | "malware-action--ece7bf16-b2bd-4c10-8811-57f04243b556", 35 | "malware-action--58c4ea1f-8ff4-42e8-8484-e87956139bce", 36 | 
"malware-action--33faf89e-395a-47a0-8b43-edfa29500327", 37 | "malware-action--a59c098a-3129-4c2d-8a71-335ae1def77e" 38 | ] 39 | } 40 | }, 41 | { 42 | "type": "malware-action", 43 | "id": "malware-action--9bee0108-97ea-41e9-b624-f199119e280d", 44 | "name": "create-file", 45 | "output_object_refs": ["4"], 46 | "is_successful": true 47 | }, 48 | { 49 | "type": "malware-action", 50 | "id": "malware-action--a6ae673b-ec94-466e-acab-d68d1c9b5bd4", 51 | "name": "create-mutex", 52 | "output_object_refs": ["6"], 53 | "is_successful": true 54 | }, 55 | { 56 | "type": "malware-action", 57 | "id": "malware-action--ece7bf16-b2bd-4c10-8811-57f04243b556", 58 | "name": "modify-registry-key-value", 59 | "input_object_refs": ["7"], 60 | "is_successful": true 61 | }, 62 | { 63 | "type": "malware-action", 64 | "id": "malware-action--58c4ea1f-8ff4-42e8-8484-e87956139bce", 65 | "name": "create-file", 66 | "output_object_refs":["8"], 67 | "is_successful": true 68 | }, 69 | { 70 | "type": "malware-action", 71 | "id": "malware-action--33faf89e-395a-47a0-8b43-edfa29500327", 72 | "name": "create-mutex", 73 | "output_object_refs": ["10"], 74 | "is_successful": true 75 | }, 76 | { 77 | "type": "malware-action", 78 | "id": "malware-action--a59c098a-3129-4c2d-8a71-335ae1def77e", 79 | "name": "create-registry-key", 80 | "output_object_refs": ["11"], 81 | "is_successful": true 82 | }, 83 | { 84 | "type": "collection", 85 | "id": "collection--bcaec31e-2a3c-48df-a270-f4802cd6b8fd", 86 | "association_type": "malware-action entities", 87 | "description": "File System Actions", 88 | "entity_refs": ["malware-action--9bee0108-97ea-41e9-b624-f199119e280d"] 89 | }, 90 | { 91 | "type": "collection", 92 | "id": "collection--ceaf683b-e850-4b99-bf4d-b821d53ab222", 93 | "association_type": "malware-action entities", 94 | "description": "Synchronization Actions", 95 | "entity_refs": [ 96 | "malware-action--a6ae673b-ec94-466e-acab-d68d1c9b5bd4", 97 | "malware-action--33faf89e-395a-47a0-8b43-edfa29500327" 98 | ] 99 
| }, 100 | { 101 | "type": "collection", 102 | "id": "collection--39553fef-34e2-443e-9b77-19d79344bed6", 103 | "association_type": "malware-action entities", 104 | "description": "Registry Actions", 105 | "entity_refs": [ 106 | "malware-action--ece7bf16-b2bd-4c10-8811-57f04243b556", 107 | "malware-action--a59c098a-3129-4c2d-8a71-335ae1def77e" 108 | ] 109 | }, 110 | { 111 | "type":"collection", 112 | "id":"collection--bdbd3a1d-2b0e-4c6e-8ed2-658611af3899", 113 | "association_type": "malware-action entities", 114 | "description": "File System Actions", 115 | "entity_refs":["malware-action--58c4ea1f-8ff4-42e8-8484-e87956139bce"] 116 | } 117 | ], 118 | "observable_objects": { 119 | "0": { 120 | "type": "file", 121 | "name": "076e5b2bae.exe", 122 | "parent_directory_ref": "1", 123 | "size": 77312, 124 | "hashes": { 125 | "MD5": "076e5b2bae0b4b3a3d81c85610b95cd4", 126 | "SHA1": "4484e08903744ceeaedd8f5e1bfc06b2c4688e76" 127 | } 128 | }, 129 | "1": { 130 | "type": "directory", 131 | "path": "C:\\" 132 | }, 133 | "2": { 134 | "type": "software", 135 | "name": "Anubis", 136 | "vendor": "IsecLab" 137 | }, 138 | "3": { 139 | "type": "software", 140 | "name": "ThreatExpert", 141 | "vendor": "Symantec" 142 | }, 143 | "4": { 144 | "type": "file", 145 | "name": "oembios.exe", 146 | "parent_directory_ref": "5" 147 | }, 148 | "5": { 149 | "type": "directory", 150 | "path": "C:\\Windows\\system32\\" 151 | }, 152 | "6": { 153 | "type": "mutex", 154 | "name": "__SYSTEM__91C38905__" 155 | }, 156 | "7": { 157 | "type": "windows-registry-key", 158 | "key": "HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion\\winlogon", 159 | "values": [ 160 | { 161 | "name":"userinit", 162 | "data":"C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\oembios.exe," 163 | } 164 | ] 165 | }, 166 | "8": { 167 | "type": "file", 168 | "name": "sysproc32.sys", 169 | "parent_directory_ref": "9", 170 | "hashes":{ 171 | "MD5": "9855B3C1D06770B46927917F89C7FAEE", 172 | 
"SHA1":"1BF78B02A09E11414C2DFF3C4FF7DFA282A4125E" 173 | } 174 | }, 175 | "9": { 176 | "type": "directory", 177 | "path": "%Profiles%\\LocalService\\Application Data\\sysproc64\\" 178 | }, 179 | "10": { 180 | "type": "mutex", 181 | "name": "__SYSTEM__91C38905__" 182 | }, 183 | "11": { 184 | "type": "windows-registry-key", 185 | "key": "HKEY_USERS\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\{19127AD2-394B-70F5-C650-B97867BAA1F7}" 186 | } 187 | } 188 | } 189 | -------------------------------------------------------------------------------- /examples/package_polymorphic_family_example.json: -------------------------------------------------------------------------------- 1 | { 2 | "type": "package", 3 | "id": "package--bfc0f6a5-f899-46d7-8959-8e6936a57c21", 4 | "schema_version": "5.0", 5 | "maec_objects": [ 6 | { 7 | "type": "malware-instance", 8 | "id": "malware-instance--eb54999d-4a5a-439d-aeb9-39b5f7eaf77c", 9 | "instance_object_refs": ["0"], 10 | "dynamic_features": { 11 | "action_refs": [ 12 | "malware-action--0b8623b5-5264-4ae8-a2ed-20dbf51558b4", 13 | "malware-action--f853f0bf-033b-4d2d-b927-702bb9cf6e8d" 14 | ], 15 | "behavior_refs": ["behavior--1127c9d9-2ab0-4763-a53b-46145425bdf5"] 16 | } 17 | }, 18 | { 19 | "type": "malware-instance", 20 | "id": "malware-instance--0b1b98d8-9235-427d-aeab-54bdf9f70412", 21 | "instance_object_refs": ["1"], 22 | "dynamic_features": { 23 | "action_refs": [ 24 | "malware-action--8bb139fc-1244-4b67-a652-6e01f1da8576", 25 | "malware-action--877637cf-4a80-4984-8172-3fccb777edf4" 26 | ], 27 | "behavior_refs": ["behavior--1b75ce50-d6f6-49a4-9524-9b15fa2f7d49"] 28 | } 29 | }, 30 | { 31 | "type": "malware-instance", 32 | "id": "malware-instance--9fb155a9-abc7-4d38-8dc4-df00f83732f7", 33 | "instance_object_refs": ["2"], 34 | "behavioral_features": { 35 | "action_refs": [ 36 | "malware-action--7504a917-d264-46d8-b55a-a9d4c214ce23", 37 | "malware-action--f49292ee-8ee6-4eb0-a744-295da612556c" 38 | ], 39 | 
"behavior_refs": ["behavior--f085f3b9-9939-4ac9-9445-bc4b61fec981"] 40 | } 41 | }, 42 | { 43 | "type": "malware-instance", 44 | "id": "malware-instance--55d83636-38b5-4b00-bca8-8323897fb482", 45 | "instance_object_refs": ["3"], 46 | "behavioral_features": { 47 | "action_refs": [ 48 | "malware-action--5f32221a-54b0-4364-9e9b-d7ecaf29a75a", 49 | "malware-action--ada5af3f-0dd5-4a7b-92d1-2c146d8fe100" 50 | ], 51 | "behavior_refs": ["behavior--0c226f00-f6ed-4246-a203-5b574cac3362"] 52 | } 53 | }, 54 | { 55 | "type": "behavior", 56 | "id": "behavior--1127c9d9-2ab0-4763-a53b-46145425bdf5", 57 | "name": "persistence", 58 | "description": "persist-after-system-reboot", 59 | "techniques": ["windows-registry-manipulation"], 60 | "action_refs": [ 61 | "malware-action--0b8623b5-5264-4ae8-a2ed-20dbf51558b4", 62 | "malware-action--f853f0bf-033b-4d2d-b927-702bb9cf6e8d" 63 | ] 64 | }, 65 | { 66 | "type": "behavior", 67 | "id": "behavior--1b75ce50-d6f6-49a4-9524-9b15fa2f7d49", 68 | "name": "persistence", 69 | "description": "persist-after-system-reboot", 70 | "techniques": ["windows-registry-manipulation"], 71 | "action_refs": [ 72 | "malware-action--8bb139fc-1244-4b67-a652-6e01f1da8576", 73 | "malware-action--877637cf-4a80-4984-8172-3fccb777edf4" 74 | ] 75 | }, 76 | { 77 | "type": "behavior", 78 | "id": "behavior--f085f3b9-9939-4ac9-9445-bc4b61fec981", 79 | "name": "persistence", 80 | "description": "persist-after-system-reboot", 81 | "techniques": ["windows-registry-manipulation"], 82 | "action_refs": [ 83 | "malware-action--f49292ee-8ee6-4eb0-a744-295da612556c", 84 | "malware-action--7504a917-d264-46d8-b55a-a9d4c214ce23" 85 | ] 86 | }, 87 | { 88 | "type": "behavior", 89 | "id": "behavior--0c226f00-f6ed-4246-a203-5b574cac3362", 90 | "name": "persistence", 91 | "description": "persist-after-system-reboot", 92 | "techniques": ["windows-registry-manipulation"], 93 | "action_refs": [ 94 | "malware-action--5f32221a-54b0-4364-9e9b-d7ecaf29a75a", 95 | 
"malware-action--ada5af3f-0dd5-4a7b-92d1-2c146d8fe100" 96 | ] 97 | }, 98 | { 99 | "type": "malware-action", 100 | "id": "malware-action--0b8623b5-5264-4ae8-a2ed-20dbf51558b4", 101 | "name": "create-file", 102 | "output_object_refs": ["4"] 103 | }, 104 | { 105 | "type": "malware-action", 106 | "id": "malware-action--f853f0bf-033b-4d2d-b927-702bb9cf6e8d", 107 | "name": "modify-registry-key-value", 108 | "output_object_refs": ["6"] 109 | }, 110 | { 111 | "type": "malware-action", 112 | "id": "malware-action--8bb139fc-1244-4b67-a652-6e01f1da8576", 113 | "name": "create-file", 114 | "output_object_refs": ["7"] 115 | }, 116 | { 117 | "type": "malware-action", 118 | "id": "malware-action--877637cf-4a80-4984-8172-3fccb777edf4", 119 | "name": "modify-registry-key-value", 120 | "output_object_refs": ["8"] 121 | }, 122 | { 123 | "type": "malware-action", 124 | "id": "malware-action--f49292ee-8ee6-4eb0-a744-295da612556c", 125 | "name": "create-file", 126 | "output_object_refs": ["9"] 127 | }, 128 | { 129 | "type": "malware-action", 130 | "id": "malware-action--7504a917-d264-46d8-b55a-a9d4c214ce23", 131 | "name": "modify-registry-key-value", 132 | "output_object_refs": ["10"] 133 | }, 134 | { 135 | "type": "malware-action", 136 | "id": "malware-action--5f32221a-54b0-4364-9e9b-d7ecaf29a75a", 137 | "name": "create-file", 138 | "output_object_refs": ["11"] 139 | }, 140 | { 141 | "type": "malware-action", 142 | "id": "malware-action--ada5af3f-0dd5-4a7b-92d1-2c146d8fe100", 143 | "name": "modify-registry-key-value", 144 | "output_object_refs":["12"] 145 | } 146 | ], 147 | "observable_objects": { 148 | "0": { 149 | "type": "file", 150 | "hashes": { 151 | "MD5": "076e5b2bae0b4b3a3d81c85610b95cd4" 152 | } 153 | }, 154 | "1": { 155 | "type": "file", 156 | "hashes": { 157 | "MD5": "0efade6825e49cf0cf9c87695d466157" 158 | } 159 | }, 160 | "2": { 161 | "type": "file", 162 | "hashes": { 163 | "MD5": "3dec61e0480eb79d2041605444437fee" 164 | } 165 | }, 166 | "3": { 167 | "type": "file", 168 | 
"hashes": { 169 | "MD5": "a164a8d10dd8ed55c51b0f703cd0ec60" 170 | } 171 | }, 172 | "4": { 173 | "type": "file", 174 | "name": "oembios.exe", 175 | "parent_directory_ref": "5" 176 | }, 177 | "5": { 178 | "type": "directory", 179 | "path": "C:\\WINDOWS\\system32\\" 180 | }, 181 | "6": { 182 | "type": "windows-registry-key", 183 | "key": "HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion\\winlogon", 184 | "values": [ 185 | { 186 | "name": "userinit", 187 | "data" :"C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\oembios.exe," 188 | } 189 | ] 190 | }, 191 | "7": { 192 | "type": "file", 193 | "name": "ntos.exe", 194 | "parent_directory_ref": "5" 195 | }, 196 | "8": { 197 | "type": "windows-registry-key", 198 | "key": "HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion\\winlogon", 199 | "values": [ 200 | { 201 | "name": "userinit", 202 | "data": "C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\ntos.exe," 203 | } 204 | ] 205 | }, 206 | "9": { 207 | "type": "file", 208 | "name": "twext.exe", 209 | "parent_directory_ref": "5" 210 | }, 211 | "10": { 212 | "type": "windows-registry-key", 213 | "key": "HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion\\winlogon", 214 | "values": [ 215 | { 216 | "name": "userinit", 217 | "data": ">C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\twext.exe" 218 | } 219 | ] 220 | }, 221 | "11": { 222 | "type": "file", 223 | "name": "sdra64.exe", 224 | "parent_directory_ref": "5" 225 | }, 226 | "12": { 227 | "type": "windows-registry-key", 228 | "key": "HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion\\winlogon", 229 | "values":[ 230 | { 231 | "name": "userinit", 232 | "data": "C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\sdra64.exe," 233 | } 234 | ] 235 | } 236 | } 237 | } 238 | -------------------------------------------------------------------------------- /examples/static_triage_example.json: 
-------------------------------------------------------------------------------- 1 | { 2 | "type": "package", 3 | "id": "package--6b5e62e3-50bb-4bd1-87ee-92b4a2448971", 4 | "schema_version": "5.0", 5 | "maec_objects": [ 6 | { 7 | "type": "malware-instance", 8 | "id": "malware-instance--57998fb0-604e-4d14-b8f1-6363dbff87cb", 9 | "instance_object_refs": ["0"], 10 | "labels": ["dropper"], 11 | "analysis_metadata": [ 12 | { 13 | "is_automated": false, 14 | "analysis_type": "static", 15 | "analysts": ["Franki Li"], 16 | "references": [ 17 | { 18 | "source_name": "SANS", 19 | "url": "http://www.sans.org/reading_room/whitepapers/malicious/detailed-analysis-advanced-persistent-threat-malware_33814" 20 | } 21 | ], 22 | "description": "A basic static triage of the subject binary using PEiD.", 23 | "tool_refs": ["1"] 24 | } 25 | ], 26 | "static_features": { 27 | "file_headers": ["2"] 28 | } 29 | } 30 | ], 31 | "observable_objects": { 32 | "0": { 33 | "type": "file", 34 | "name": "dg003_improve_8080_V132.exe", 35 | "size": 196608, 36 | "hashes": { 37 | "MD5": "4EC0027BEF4D7E1786A04D021FA8A67F" 38 | }, 39 | "extensions": { 40 | "x-maec-packer-list": [ 41 | { 42 | "name": "UPX", 43 | "signature": "UPX v3.0.2" 44 | } 45 | ] 46 | } 47 | }, 48 | "2": { 49 | "type": "file", 50 | "name": "dg003_improve_8080_V132.exe", 51 | "size": 196608, 52 | "hashes": { 53 | "MD5": "4EC0027BEF4D7E1786A04D021FA8A67F" 54 | }, 55 | "extensions": { 56 | "windows-pebinary-ext": { 57 | "pe_type": "exe", 58 | "optional_header": { 59 | "major_linker_version": "06", 60 | "minor_linker_version": "00", 61 | "base_of_code": "036418", 62 | "subsystem_hex": "02" 63 | } 64 | } 65 | } 66 | }, 67 | "1": { 68 | "type": "software", 69 | "name": "PEiD", 70 | "version": "0.94" 71 | } 72 | } 73 | } 74 | -------------------------------------------------------------------------------- /examples/vt-to-maec-output-1.json: -------------------------------------------------------------------------------- 1 | { 2 | "type": 
"package", 3 | "id": "package--69e037a6-6f47-484e-9479-69d8a987c07e", 4 | "schema_version": "5.0", 5 | "maec_objects": [ 6 | { 7 | "type": "malware-instance", 8 | "id": "malware-instance--b9effde4-66c4-410a-8bef-8db74151c3b2", 9 | "instance_object_refs": ["0"], 10 | "analysis_metadata": [ 11 | { 12 | "analysis_type": "static", 13 | "is_automated": true, 14 | "description": "Created by VirusTotal to MAEC (http://github.com/MAECProject/vt-to-maec)" 15 | } 16 | ] 17 | } 18 | ], 19 | "observable_objects": { 20 | "0": { 21 | "hashes": { 22 | "SHA-256": "be4211fe5c1a19ff393a2bcfa21dad8d0a687663263a63789552bda446d9421b", 23 | "SHA-1": "57f0839433234285cc9df96198a6ca58248a4707", 24 | "MD5": "e0fb946c00b140693e3cf5de258c22a1" 25 | }, 26 | "type": "file", 27 | "extensions": { 28 | "x-maec-avclass": [ 29 | { 30 | "classification_name": "W32.RzangPPP.Trojan", 31 | "av_vendor": "Bkav", 32 | "av_name": "Bkav", 33 | "av_definition_version": "20170802", 34 | "scan_date": "2017-08-03 04:26:35", 35 | "av_engine_version": "1.3.0.9282", 36 | "is_detected": true 37 | }, 38 | { 39 | "classification_name": null, 40 | "av_vendor": "MicroWorld-eScan", 41 | "av_name": "MicroWorld-eScan", 42 | "av_definition_version": "20170803", 43 | "scan_date": "2017-08-03 04:26:35", 44 | "av_engine_version": "12.0.250.0", 45 | "is_detected": false 46 | }, 47 | { 48 | "classification_name": "Backdoor/W32.Ncx.59392.AP", 49 | "av_vendor": "nProtect", 50 | "av_name": "nProtect", 51 | "av_definition_version": "20170803", 52 | "scan_date": "2017-08-03 04:26:35", 53 | "av_engine_version": "2017-08-03.01", 54 | "is_detected": true 55 | }, 56 | { 57 | "classification_name": "Generic.Win32.e0fb946c00!MD", 58 | "av_vendor": "CMC", 59 | "av_name": "CMC", 60 | "av_definition_version": "20170803", 61 | "scan_date": "2017-08-03 04:26:35", 62 | "av_engine_version": "1.1.0.977", 63 | "is_detected": true 64 | }, 65 | { 66 | "classification_name": "Trojan.IGENERIC", 67 | "av_vendor": "CAT-QuickHeal", 68 | "av_name": 
"CAT-QuickHeal", 69 | "av_definition_version": "20170802", 70 | "scan_date": "2017-08-03 04:26:35", 71 | "av_engine_version": "14.00", 72 | "is_detected": true 73 | }, 74 | { 75 | "classification_name": "Backdoor.ToxiBackDoor", 76 | "av_vendor": "ALYac", 77 | "av_name": "ALYac", 78 | "av_definition_version": "20170803", 79 | "scan_date": "2017-08-03 04:26:35", 80 | "av_engine_version": "1.1.1.2", 81 | "is_detected": true 82 | }, 83 | { 84 | "classification_name": "Unsafe", 85 | "av_vendor": "Cylance", 86 | "av_name": "Cylance", 87 | "av_definition_version": "20170803", 88 | "scan_date": "2017-08-03 04:26:35", 89 | "av_engine_version": "2.3.1.101", 90 | "is_detected": true 91 | }, 92 | { 93 | "classification_name": "Trojan.Win32.Generic!BT", 94 | "av_vendor": "VIPRE", 95 | "av_name": "VIPRE", 96 | "av_definition_version": "20170803", 97 | "scan_date": "2017-08-03 04:26:35", 98 | "av_engine_version": "60016", 99 | "is_detected": true 100 | }, 101 | { 102 | "classification_name": "Backdoor/Ncx.b", 103 | "av_vendor": "TheHacker", 104 | "av_name": "TheHacker", 105 | "av_definition_version": "20170801", 106 | "scan_date": "2017-08-03 04:26:35", 107 | "av_engine_version": "6.8.0.5.1794", 108 | "is_detected": true 109 | }, 110 | { 111 | "classification_name": null, 112 | "av_vendor": "K7GW", 113 | "av_name": "K7GW", 114 | "av_definition_version": "20170803", 115 | "scan_date": "2017-08-03 04:26:35", 116 | "av_engine_version": "10.20.24176", 117 | "is_detected": false 118 | }, 119 | { 120 | "classification_name": null, 121 | "av_vendor": "K7AntiVirus", 122 | "av_name": "K7AntiVirus", 123 | "av_definition_version": "20170802", 124 | "scan_date": "2017-08-03 04:26:35", 125 | "av_engine_version": "10.20.24175", 126 | "is_detected": false 127 | }, 128 | { 129 | "classification_name": null, 130 | "av_vendor": "Invincea", 131 | "av_name": "Invincea", 132 | "av_definition_version": "20170607", 133 | "scan_date": "2017-08-03 04:26:35", 134 | "av_engine_version": "6.3.0.25415", 135 
| "is_detected": false 136 | }, 137 | { 138 | "classification_name": "Win32.Backdoor.NCX.b", 139 | "av_vendor": "Baidu", 140 | "av_name": "Baidu", 141 | "av_definition_version": "20170803", 142 | "scan_date": "2017-08-03 04:26:35", 143 | "av_engine_version": "1.0.0.2", 144 | "is_detected": true 145 | }, 146 | { 147 | "classification_name": null, 148 | "av_vendor": "Cyren", 149 | "av_name": "Cyren", 150 | "av_definition_version": "20170803", 151 | "scan_date": "2017-08-03 04:26:35", 152 | "av_engine_version": "5.4.30.7", 153 | "is_detected": false 154 | }, 155 | { 156 | "classification_name": "NetCat", 157 | "av_vendor": "Symantec", 158 | "av_name": "Symantec", 159 | "av_definition_version": "20170802", 160 | "scan_date": "2017-08-03 04:26:35", 161 | "av_engine_version": "1.4.1.0", 162 | "is_detected": true 163 | }, 164 | { 165 | "classification_name": null, 166 | "av_vendor": "TotalDefense", 167 | "av_name": "TotalDefense", 168 | "av_definition_version": "20170803", 169 | "scan_date": "2017-08-03 04:26:35", 170 | "av_engine_version": "37.1.62.1", 171 | "is_detected": false 172 | }, 173 | { 174 | "classification_name": "HKTL_NETCAT", 175 | "av_vendor": "TrendMicro-HouseCall", 176 | "av_name": "TrendMicro-HouseCall", 177 | "av_definition_version": "20170803", 178 | "scan_date": "2017-08-03 04:26:35", 179 | "av_engine_version": "9.950.0.1006", 180 | "is_detected": true 181 | }, 182 | { 183 | "classification_name": "generic.ml", 184 | "av_vendor": "Paloalto", 185 | "av_name": "Paloalto", 186 | "av_definition_version": "20170803", 187 | "scan_date": "2017-08-03 04:26:35", 188 | "av_engine_version": "1.0", 189 | "is_detected": true 190 | }, 191 | { 192 | "classification_name": "Win.Trojan.NCX-1", 193 | "av_vendor": "ClamAV", 194 | "av_name": "ClamAV", 195 | "av_definition_version": "20170803", 196 | "scan_date": "2017-08-03 04:26:35", 197 | "av_engine_version": "0.99.2.0", 198 | "is_detected": true 199 | }, 200 | { 201 | "classification_name": 
"not-a-virus:RemoteAdmin.Win32.NetCat.alj", 202 | "av_vendor": "Kaspersky", 203 | "av_name": "Kaspersky", 204 | "av_definition_version": "20170803", 205 | "scan_date": "2017-08-03 04:26:35", 206 | "av_engine_version": "15.0.1.13", 207 | "is_detected": true 208 | }, 209 | { 210 | "classification_name": null, 211 | "av_vendor": "BitDefender", 212 | "av_name": "BitDefender", 213 | "av_definition_version": "20170803", 214 | "scan_date": "2017-08-03 04:26:35", 215 | "av_engine_version": "7.2", 216 | "is_detected": false 217 | }, 218 | { 219 | "classification_name": "Trojan.Win32.Ncx.eplb", 220 | "av_vendor": "NANO-Antivirus", 221 | "av_name": "NANO-Antivirus", 222 | "av_definition_version": "20170803", 223 | "scan_date": "2017-08-03 04:26:35", 224 | "av_engine_version": "1.0.94.18103", 225 | "is_detected": true 226 | }, 227 | { 228 | "classification_name": "RemoteAdmin.NetCat.59392", 229 | "av_vendor": "ViRobot", 230 | "av_name": "ViRobot", 231 | "av_definition_version": "20170803", 232 | "scan_date": "2017-08-03 04:26:35", 233 | "av_engine_version": "2014.3.20.0", 234 | "is_detected": true 235 | }, 236 | { 237 | "classification_name": null, 238 | "av_vendor": "SUPERAntiSpyware", 239 | "av_name": "SUPERAntiSpyware", 240 | "av_definition_version": "20170803", 241 | "scan_date": "2017-08-03 04:26:35", 242 | "av_engine_version": "5.6.0.1032", 243 | "is_detected": false 244 | }, 245 | { 246 | "classification_name": "Backdoor.Ncx.b (ktse)", 247 | "av_vendor": "Rising", 248 | "av_name": "Rising", 249 | "av_definition_version": "20170803", 250 | "scan_date": "2017-08-03 04:26:35", 251 | "av_engine_version": "25.0.0.1", 252 | "is_detected": true 253 | }, 254 | { 255 | "classification_name": null, 256 | "av_vendor": "Ad-Aware", 257 | "av_name": "Ad-Aware", 258 | "av_definition_version": "20170803", 259 | "scan_date": "2017-08-03 04:26:35", 260 | "av_engine_version": "3.0.3.1010", 261 | "is_detected": false 262 | }, 263 | { 264 | "classification_name": "NetCat (PUA)", 265 | 
"av_vendor": "Sophos", 266 | "av_name": "Sophos", 267 | "av_definition_version": "20170803", 268 | "scan_date": "2017-08-03 04:26:35", 269 | "av_engine_version": "4.98.0", 270 | "is_detected": true 271 | }, 272 | { 273 | "classification_name": null, 274 | "av_vendor": "Comodo", 275 | "av_name": "Comodo", 276 | "av_definition_version": "20170803", 277 | "scan_date": "2017-08-03 04:26:35", 278 | "av_engine_version": null, 279 | "is_detected": false 280 | }, 281 | { 282 | "classification_name": null, 283 | "av_vendor": "F-Secure", 284 | "av_name": "F-Secure", 285 | "av_definition_version": "20170803", 286 | "scan_date": "2017-08-03 04:26:35", 287 | "av_engine_version": "11.0.19100.45", 288 | "is_detected": false 289 | }, 290 | { 291 | "classification_name": "Tool.Netcat.327", 292 | "av_vendor": "DrWeb", 293 | "av_name": "DrWeb", 294 | "av_definition_version": "20170803", 295 | "scan_date": "2017-08-03 04:26:35", 296 | "av_engine_version": "7.0.28.2020", 297 | "is_detected": true 298 | }, 299 | { 300 | "classification_name": "Adware.MultiPlug.Win32.498770", 301 | "av_vendor": "Zillya", 302 | "av_name": "Zillya", 303 | "av_definition_version": "20170802", 304 | "scan_date": "2017-08-03 04:26:35", 305 | "av_engine_version": "2.0.0.3351", 306 | "is_detected": true 307 | }, 308 | { 309 | "classification_name": "HKTL_NETCAT", 310 | "av_vendor": "TrendMicro", 311 | "av_name": "TrendMicro", 312 | "av_definition_version": "20170803", 313 | "scan_date": "2017-08-03 04:26:35", 314 | "av_engine_version": "9.862.0.1074", 315 | "is_detected": true 316 | }, 317 | { 318 | "classification_name": null, 319 | "av_vendor": "McAfee-GW-Edition", 320 | "av_name": "McAfee-GW-Edition", 321 | "av_definition_version": "20170803", 322 | "scan_date": "2017-08-03 04:26:35", 323 | "av_engine_version": "v2015", 324 | "is_detected": false 325 | }, 326 | { 327 | "classification_name": null, 328 | "av_vendor": "Emsisoft", 329 | "av_name": "Emsisoft", 330 | "av_definition_version": "20170803", 331 | 
"scan_date": "2017-08-03 04:26:35", 332 | "av_engine_version": "4.0.1.883", 333 | "is_detected": false 334 | }, 335 | { 336 | "classification_name": null, 337 | "av_vendor": "SentinelOne", 338 | "av_name": "SentinelOne", 339 | "av_definition_version": "20170718", 340 | "scan_date": "2017-08-03 04:26:35", 341 | "av_engine_version": "1.0.1.223", 342 | "is_detected": false 343 | }, 344 | { 345 | "classification_name": null, 346 | "av_vendor": "F-Prot", 347 | "av_name": "F-Prot", 348 | "av_definition_version": "20170803", 349 | "scan_date": "2017-08-03 04:26:35", 350 | "av_engine_version": "4.7.1.166", 351 | "is_detected": false 352 | }, 353 | { 354 | "classification_name": "Hacktool.Nc", 355 | "av_vendor": "Jiangmin", 356 | "av_name": "Jiangmin", 357 | "av_definition_version": "20170803", 358 | "scan_date": "2017-08-03 04:26:35", 359 | "av_engine_version": "16.0.100", 360 | "is_detected": true 361 | }, 362 | { 363 | "classification_name": "W32.Trojan.Orsam", 364 | "av_vendor": "Webroot", 365 | "av_name": "Webroot", 366 | "av_definition_version": "20170803", 367 | "scan_date": "2017-08-03 04:26:35", 368 | "av_engine_version": "1.0.0.207", 369 | "is_detected": true 370 | }, 371 | { 372 | "classification_name": "SPR/RemoteAdmin.Net", 373 | "av_vendor": "Avira", 374 | "av_name": "Avira", 375 | "av_definition_version": "20170802", 376 | "scan_date": "2017-08-03 04:26:35", 377 | "av_engine_version": "8.3.3.4", 378 | "is_detected": true 379 | }, 380 | { 381 | "classification_name": "Riskware/NetCat", 382 | "av_vendor": "Fortinet", 383 | "av_name": "Fortinet", 384 | "av_definition_version": "20170803", 385 | "scan_date": "2017-08-03 04:26:35", 386 | "av_engine_version": "5.4.247.0", 387 | "is_detected": true 388 | }, 389 | { 390 | "classification_name": "RiskWare[RemoteAdmin]/Win32.NetCat.alj", 391 | "av_vendor": "Antiy-AVL", 392 | "av_name": "Antiy-AVL", 393 | "av_definition_version": "20170803", 394 | "scan_date": "2017-08-03 04:26:35", 395 | "av_engine_version": "3.0.0.1", 
396 | "is_detected": true 397 | }, 398 | { 399 | "classification_name": "Win32.RiskWare.NetCat.(kcloud)", 400 | "av_vendor": "Kingsoft", 401 | "av_name": "Kingsoft", 402 | "av_definition_version": "20170803", 403 | "scan_date": "2017-08-03 04:26:35", 404 | "av_engine_version": "2013.8.14.323", 405 | "is_detected": true 406 | }, 407 | { 408 | "classification_name": "malicious (high confidence)", 409 | "av_vendor": "Endgame", 410 | "av_name": "Endgame", 411 | "av_definition_version": "20170721", 412 | "scan_date": "2017-08-03 04:26:35", 413 | "av_engine_version": "0.7.6", 414 | "is_detected": true 415 | }, 416 | { 417 | "classification_name": null, 418 | "av_vendor": "Arcabit", 419 | "av_name": "Arcabit", 420 | "av_definition_version": "20170803", 421 | "scan_date": "2017-08-03 04:26:35", 422 | "av_engine_version": "1.0.0.817", 423 | "is_detected": false 424 | }, 425 | { 426 | "classification_name": null, 427 | "av_vendor": "AegisLab", 428 | "av_name": "AegisLab", 429 | "av_definition_version": "20170803", 430 | "scan_date": "2017-08-03 04:26:35", 431 | "av_engine_version": "4.2", 432 | "is_detected": false 433 | }, 434 | { 435 | "classification_name": "not-a-virus:RemoteAdmin.Win32.NetCat.alj", 436 | "av_vendor": "ZoneAlarm", 437 | "av_name": "ZoneAlarm", 438 | "av_definition_version": "20170803", 439 | "scan_date": "2017-08-03 04:26:35", 440 | "av_engine_version": "1.0", 441 | "is_detected": true 442 | }, 443 | { 444 | "classification_name": null, 445 | "av_vendor": "Microsoft", 446 | "av_name": "Microsoft", 447 | "av_definition_version": "20170803", 448 | "scan_date": "2017-08-03 04:26:35", 449 | "av_engine_version": "1.1.14003.0", 450 | "is_detected": false 451 | }, 452 | { 453 | "classification_name": "Win-AppCare/NTSniff_v110", 454 | "av_vendor": "AhnLab-V3", 455 | "av_name": "AhnLab-V3", 456 | "av_definition_version": "20170802", 457 | "scan_date": "2017-08-03 04:26:35", 458 | "av_engine_version": "3.9.2.18278", 459 | "is_detected": true 460 | }, 461 | { 462 | 
"classification_name": null, 463 | "av_vendor": "McAfee", 464 | "av_name": "McAfee", 465 | "av_definition_version": "20170803", 466 | "scan_date": "2017-08-03 04:26:35", 467 | "av_engine_version": "6.0.6.653", 468 | "is_detected": false 469 | }, 470 | { 471 | "classification_name": "Trojan.Win32.Generic!BT", 472 | "av_vendor": "AVware", 473 | "av_name": "AVware", 474 | "av_definition_version": "20170803", 475 | "scan_date": "2017-08-03 04:26:35", 476 | "av_engine_version": "1.5.0.42", 477 | "is_detected": true 478 | }, 479 | { 480 | "classification_name": null, 481 | "av_vendor": "MAX", 482 | "av_name": "MAX", 483 | "av_definition_version": "20170803", 484 | "scan_date": "2017-08-03 04:26:35", 485 | "av_engine_version": "2017.6.26.1", 486 | "is_detected": false 487 | }, 488 | { 489 | "classification_name": null, 490 | "av_vendor": "VBA32", 491 | "av_name": "VBA32", 492 | "av_definition_version": "20170801", 493 | "scan_date": "2017-08-03 04:26:35", 494 | "av_engine_version": "3.12.26.4", 495 | "is_detected": false 496 | }, 497 | { 498 | "classification_name": "Backdoor.NetCat", 499 | "av_vendor": "Malwarebytes", 500 | "av_name": "Malwarebytes", 501 | "av_definition_version": "20170803", 502 | "scan_date": "2017-08-03 04:26:35", 503 | "av_engine_version": "2.1.1.1115", 504 | "is_detected": true 505 | }, 506 | { 507 | "classification_name": null, 508 | "av_vendor": "WhiteArmor", 509 | "av_name": "WhiteArmor", 510 | "av_definition_version": "20170731", 511 | "scan_date": "2017-08-03 04:26:35", 512 | "av_engine_version": null, 513 | "is_detected": false 514 | }, 515 | { 516 | "classification_name": null, 517 | "av_vendor": "Panda", 518 | "av_name": "Panda", 519 | "av_definition_version": "20170802", 520 | "scan_date": "2017-08-03 04:26:35", 521 | "av_engine_version": "4.6.4.2", 522 | "is_detected": false 523 | }, 524 | { 525 | "classification_name": null, 526 | "av_vendor": "Zoner", 527 | "av_name": "Zoner", 528 | "av_definition_version": "20170803", 529 | "scan_date": 
"2017-08-03 04:26:35", 530 | "av_engine_version": "1.0", 531 | "is_detected": false 532 | }, 533 | { 534 | "classification_name": "Win32/RemoteAdmin potentially unsafe", 535 | "av_vendor": "ESET-NOD32", 536 | "av_name": "ESET-NOD32", 537 | "av_definition_version": "20170803", 538 | "scan_date": "2017-08-03 04:26:35", 539 | "av_engine_version": "15852", 540 | "is_detected": true 541 | }, 542 | { 543 | "classification_name": null, 544 | "av_vendor": "Tencent", 545 | "av_name": "Tencent", 546 | "av_definition_version": "20170803", 547 | "scan_date": "2017-08-03 04:26:35", 548 | "av_engine_version": "1.0.0.1", 549 | "is_detected": false 550 | }, 551 | { 552 | "classification_name": null, 553 | "av_vendor": "Yandex", 554 | "av_name": "Yandex", 555 | "av_definition_version": "20170801", 556 | "scan_date": "2017-08-03 04:26:35", 557 | "av_engine_version": "5.5.1.3", 558 | "is_detected": false 559 | }, 560 | { 561 | "classification_name": null, 562 | "av_vendor": "Ikarus", 563 | "av_name": "Ikarus", 564 | "av_definition_version": "20170802", 565 | "scan_date": "2017-08-03 04:26:35", 566 | "av_engine_version": "0.1.5.2", 567 | "is_detected": false 568 | }, 569 | { 570 | "classification_name": "Win32.Riskware.NetCat.C", 571 | "av_vendor": "GData", 572 | "av_name": "GData", 573 | "av_definition_version": "20170803", 574 | "scan_date": "2017-08-03 04:26:35", 575 | "av_engine_version": "A:25.13663B:25.10145", 576 | "is_detected": true 577 | }, 578 | { 579 | "classification_name": null, 580 | "av_vendor": "AVG", 581 | "av_name": "AVG", 582 | "av_definition_version": "20170803", 583 | "scan_date": "2017-08-03 04:26:35", 584 | "av_engine_version": "8.0.1489.320", 585 | "is_detected": false 586 | }, 587 | { 588 | "classification_name": null, 589 | "av_vendor": "Avast", 590 | "av_name": "Avast", 591 | "av_definition_version": "20170803", 592 | "scan_date": "2017-08-03 04:26:35", 593 | "av_engine_version": "8.0.1489.320", 594 | "is_detected": false 595 | }, 596 | { 597 | 
"classification_name": null, 598 | "av_vendor": "CrowdStrike", 599 | "av_name": "CrowdStrike", 600 | "av_definition_version": "20170710", 601 | "scan_date": "2017-08-03 04:26:35", 602 | "av_engine_version": "1.0", 603 | "is_detected": false 604 | }, 605 | { 606 | "classification_name": "Trojan.Generic", 607 | "av_vendor": "Qihoo-360", 608 | "av_name": "Qihoo-360", 609 | "av_definition_version": "20170803", 610 | "scan_date": "2017-08-03 04:26:35", 611 | "av_engine_version": "1.0.0.1120", 612 | "is_detected": true 613 | } 614 | ] 615 | } 616 | } 617 | } 618 | } -------------------------------------------------------------------------------- /examples/vt-to-maec-output-2.json: -------------------------------------------------------------------------------- 1 | { 2 | "type": "package", 3 | "id": "package--aacfa2fb-4507-4f6a-b1ae-473f6500e497", 4 | "schema_version": "5.0", 5 | "maec_objects": [ 6 | { 7 | "type": "malware-instance", 8 | "id": "malware-instance--c0e6d9f9-bc93-47c7-9039-de836aa26b1f", 9 | "instance_object_refs": ["0"], 10 | "analysis_metadata": [ 11 | { 12 | "analysis_type": "static", 13 | "is_automated": true, 14 | "description": "Created by VirusTotal to MAEC (http://github.com/MAECProject/vt-to-maec)" 15 | } 16 | ] 17 | } 18 | ], 19 | "observable_objects": { 20 | "0": { 21 | "hashes": { 22 | "SHA-256": "a6cad2d0f8dc05246846d2a9618fc93b7d97681331d5826f8353e7c3a3206e86", 23 | "SHA-1": "ec932d26a059a188af6320b8ca76ce6e609f4878", 24 | "MD5": "0762764e298c369a2de8afaec5174ed9" 25 | }, 26 | "type": "file", 27 | "extensions": { 28 | "x-maec-avclass": [ 29 | { 30 | "classification_name": null, 31 | "av_vendor": "Bkav", 32 | "av_name": "Bkav", 33 | "av_definition_version": "20170802", 34 | "scan_date": "2017-08-03 05:11:58", 35 | "av_engine_version": "1.3.0.9282", 36 | "is_detected": false 37 | }, 38 | { 39 | "classification_name": "Application.Fgdump.C", 40 | "av_vendor": "MicroWorld-eScan", 41 | "av_name": "MicroWorld-eScan", 42 | "av_definition_version": 
"20170803", 43 | "scan_date": "2017-08-03 05:11:58", 44 | "av_engine_version": "12.0.250.0", 45 | "is_detected": true 46 | }, 47 | { 48 | "classification_name": "Trojan/W32.Agent.974848.K", 49 | "av_vendor": "nProtect", 50 | "av_name": "nProtect", 51 | "av_definition_version": "20170803", 52 | "scan_date": "2017-08-03 05:11:58", 53 | "av_engine_version": "2017-08-03.01", 54 | "is_detected": true 55 | }, 56 | { 57 | "classification_name": "PSWTool.Win32.PWDump!O", 58 | "av_vendor": "CMC", 59 | "av_name": "CMC", 60 | "av_definition_version": "20170803", 61 | "scan_date": "2017-08-03 05:11:58", 62 | "av_engine_version": "1.1.0.977", 63 | "is_detected": true 64 | }, 65 | { 66 | "classification_name": "PSWTool.PWDump", 67 | "av_vendor": "CAT-QuickHeal", 68 | "av_name": "CAT-QuickHeal", 69 | "av_definition_version": "20170802", 70 | "scan_date": "2017-08-03 05:11:58", 71 | "av_engine_version": "14.00", 72 | "is_detected": true 73 | }, 74 | { 75 | "classification_name": null, 76 | "av_vendor": "ALYac", 77 | "av_name": "ALYac", 78 | "av_definition_version": "20170803", 79 | "scan_date": "2017-08-03 05:11:58", 80 | "av_engine_version": "1.1.1.2", 81 | "is_detected": false 82 | }, 83 | { 84 | "classification_name": "Unsafe", 85 | "av_vendor": "Cylance", 86 | "av_name": "Cylance", 87 | "av_definition_version": "20170803", 88 | "scan_date": "2017-08-03 05:11:58", 89 | "av_engine_version": "2.3.1.101", 90 | "is_detected": true 91 | }, 92 | { 93 | "classification_name": "Trojan.Win32.Generic!BT", 94 | "av_vendor": "VIPRE", 95 | "av_name": "VIPRE", 96 | "av_definition_version": "20170803", 97 | "scan_date": "2017-08-03 05:11:58", 98 | "av_engine_version": "60016", 99 | "is_detected": true 100 | }, 101 | { 102 | "classification_name": "Trojan/Genome.amdm", 103 | "av_vendor": "TheHacker", 104 | "av_name": "TheHacker", 105 | "av_definition_version": "20170801", 106 | "scan_date": "2017-08-03 05:11:58", 107 | "av_engine_version": "6.8.0.5.1794", 108 | "is_detected": true 109 | }, 110 
| { 111 | "classification_name": "Unwanted-Program ( 004bc6341 )", 112 | "av_vendor": "K7GW", 113 | "av_name": "K7GW", 114 | "av_definition_version": "20170803", 115 | "scan_date": "2017-08-03 05:11:58", 116 | "av_engine_version": "10.20.24176", 117 | "is_detected": true 118 | }, 119 | { 120 | "classification_name": "Unwanted-Program ( 004bc6341 )", 121 | "av_vendor": "K7AntiVirus", 122 | "av_name": "K7AntiVirus", 123 | "av_definition_version": "20170802", 124 | "scan_date": "2017-08-03 05:11:58", 125 | "av_engine_version": "10.20.24175", 126 | "is_detected": true 127 | }, 128 | { 129 | "classification_name": "Application.Fgdump.C", 130 | "av_vendor": "Arcabit", 131 | "av_name": "Arcabit", 132 | "av_definition_version": "20170803", 133 | "scan_date": "2017-08-03 05:11:58", 134 | "av_engine_version": "1.0.0.817", 135 | "is_detected": true 136 | }, 137 | { 138 | "classification_name": "HKTL_FGDUMP", 139 | "av_vendor": "TrendMicro", 140 | "av_name": "TrendMicro", 141 | "av_definition_version": "20170803", 142 | "scan_date": "2017-08-03 05:11:58", 143 | "av_engine_version": "9.862.0.1074", 144 | "is_detected": true 145 | }, 146 | { 147 | "classification_name": "Win32.Trojan.WisdomEyes.16070401.9500.9967", 148 | "av_vendor": "Baidu", 149 | "av_name": "Baidu", 150 | "av_definition_version": "20170803", 151 | "scan_date": "2017-08-03 05:11:58", 152 | "av_engine_version": "1.0.0.2", 153 | "is_detected": true 154 | }, 155 | { 156 | "classification_name": "W32/MalwareF.GRJJ", 157 | "av_vendor": "F-Prot", 158 | "av_name": "F-Prot", 159 | "av_definition_version": "20170803", 160 | "scan_date": "2017-08-03 05:11:58", 161 | "av_engine_version": "4.7.1.166", 162 | "is_detected": true 163 | }, 164 | { 165 | "classification_name": "Hacktool", 166 | "av_vendor": "Symantec", 167 | "av_name": "Symantec", 168 | "av_definition_version": "20170802", 169 | "scan_date": "2017-08-03 05:11:58", 170 | "av_engine_version": "1.4.1.0", 171 | "is_detected": true 172 | }, 173 | { 174 | 
"classification_name": null, 175 | "av_vendor": "TotalDefense", 176 | "av_name": "TotalDefense", 177 | "av_definition_version": "20170803", 178 | "scan_date": "2017-08-03 05:11:58", 179 | "av_engine_version": "37.1.62.1", 180 | "is_detected": false 181 | }, 182 | { 183 | "classification_name": "HKTL_FGDUMP", 184 | "av_vendor": "TrendMicro-HouseCall", 185 | "av_name": "TrendMicro-HouseCall", 186 | "av_definition_version": "20170803", 187 | "scan_date": "2017-08-03 05:11:58", 188 | "av_engine_version": "9.950.0.1006", 189 | "is_detected": true 190 | }, 191 | { 192 | "classification_name": "Win32:PUP-gen [PUP]", 193 | "av_vendor": "Avast", 194 | "av_name": "Avast", 195 | "av_definition_version": "20170803", 196 | "scan_date": "2017-08-03 05:11:58", 197 | "av_engine_version": "8.0.1489.320", 198 | "is_detected": true 199 | }, 200 | { 201 | "classification_name": "Win.Tool.PWDump-33", 202 | "av_vendor": "ClamAV", 203 | "av_name": "ClamAV", 204 | "av_definition_version": "20170803", 205 | "scan_date": "2017-08-03 05:11:58", 206 | "av_engine_version": "0.99.2.0", 207 | "is_detected": true 208 | }, 209 | { 210 | "classification_name": "not-a-virus:PSWTool.Win32.PWDump.f", 211 | "av_vendor": "Kaspersky", 212 | "av_name": "Kaspersky", 213 | "av_definition_version": "20170803", 214 | "scan_date": "2017-08-03 05:11:58", 215 | "av_engine_version": "15.0.1.13", 216 | "is_detected": true 217 | }, 218 | { 219 | "classification_name": "Application.Fgdump.C", 220 | "av_vendor": "BitDefender", 221 | "av_name": "BitDefender", 222 | "av_definition_version": "20170803", 223 | "scan_date": "2017-08-03 05:11:58", 224 | "av_engine_version": "7.2", 225 | "is_detected": true 226 | }, 227 | { 228 | "classification_name": "Trojan.Win32.IRCBot.ifhwh", 229 | "av_vendor": "NANO-Antivirus", 230 | "av_name": "NANO-Antivirus", 231 | "av_definition_version": "20170803", 232 | "scan_date": "2017-08-03 05:11:58", 233 | "av_engine_version": "1.0.94.18103", 234 | "is_detected": true 235 | }, 236 | { 237 
| "classification_name": "PSWTool.PWDump.974848.A", 238 | "av_vendor": "ViRobot", 239 | "av_name": "ViRobot", 240 | "av_definition_version": "20170803", 241 | "scan_date": "2017-08-03 05:11:58", 242 | "av_engine_version": "2014.3.20.0", 243 | "is_detected": true 244 | }, 245 | { 246 | "classification_name": "Hacktool.W32.Pwdump!c", 247 | "av_vendor": "AegisLab", 248 | "av_name": "AegisLab", 249 | "av_definition_version": "20170803", 250 | "scan_date": "2017-08-03 05:11:58", 251 | "av_engine_version": "4.2", 252 | "is_detected": true 253 | }, 254 | { 255 | "classification_name": "Trojan.Generic (cloud:juollPVQGpS)", 256 | "av_vendor": "Rising", 257 | "av_name": "Rising", 258 | "av_definition_version": "20170803", 259 | "scan_date": "2017-08-03 05:11:58", 260 | "av_engine_version": "25.0.0.1", 261 | "is_detected": true 262 | }, 263 | { 264 | "classification_name": "malicious (high confidence)", 265 | "av_vendor": "Endgame", 266 | "av_name": "Endgame", 267 | "av_definition_version": "20170721", 268 | "scan_date": "2017-08-03 05:11:58", 269 | "av_engine_version": "0.7.6", 270 | "is_detected": true 271 | }, 272 | { 273 | "classification_name": "Remote Process Execution Tool (PUA)", 274 | "av_vendor": "Sophos", 275 | "av_name": "Sophos", 276 | "av_definition_version": "20170803", 277 | "scan_date": "2017-08-03 05:11:58", 278 | "av_engine_version": "4.98.0", 279 | "is_detected": true 280 | }, 281 | { 282 | "classification_name": null, 283 | "av_vendor": "Comodo", 284 | "av_name": "Comodo", 285 | "av_definition_version": "20170803", 286 | "scan_date": "2017-08-03 05:11:58", 287 | "av_engine_version": "27547", 288 | "is_detected": false 289 | }, 290 | { 291 | "classification_name": "Trojan:W32/Agent.DRGD", 292 | "av_vendor": "F-Secure", 293 | "av_name": "F-Secure", 294 | "av_definition_version": "20170803", 295 | "scan_date": "2017-08-03 05:11:58", 296 | "av_engine_version": "11.0.19100.45", 297 | "is_detected": true 298 | }, 299 | { 300 | "classification_name": 
"Tool.Pwdump.78", 301 | "av_vendor": "DrWeb", 302 | "av_name": "DrWeb", 303 | "av_definition_version": "20170803", 304 | "scan_date": "2017-08-03 05:11:58", 305 | "av_engine_version": "7.0.28.2020", 306 | "is_detected": true 307 | }, 308 | { 309 | "classification_name": null, 310 | "av_vendor": "Zillya", 311 | "av_name": "Zillya", 312 | "av_definition_version": "20170802", 313 | "scan_date": "2017-08-03 05:11:58", 314 | "av_engine_version": "2.0.0.3351", 315 | "is_detected": false 316 | }, 317 | { 318 | "classification_name": "heuristic", 319 | "av_vendor": "Invincea", 320 | "av_name": "Invincea", 321 | "av_definition_version": "20170607", 322 | "scan_date": "2017-08-03 05:11:58", 323 | "av_engine_version": "6.3.0.25415", 324 | "is_detected": true 325 | }, 326 | { 327 | "classification_name": "RDN/Generic PUP.z", 328 | "av_vendor": "McAfee-GW-Edition", 329 | "av_name": "McAfee-GW-Edition", 330 | "av_definition_version": "20170803", 331 | "scan_date": "2017-08-03 05:11:58", 332 | "av_engine_version": "v2015", 333 | "is_detected": true 334 | }, 335 | { 336 | "classification_name": "Application.Fgdump.C (B)", 337 | "av_vendor": "Emsisoft", 338 | "av_name": "Emsisoft", 339 | "av_definition_version": "20170803", 340 | "scan_date": "2017-08-03 05:11:58", 341 | "av_engine_version": "4.0.1.883", 342 | "is_detected": true 343 | }, 344 | { 345 | "classification_name": "Trojan-Dropper.Agent", 346 | "av_vendor": "Ikarus", 347 | "av_name": "Ikarus", 348 | "av_definition_version": "20170802", 349 | "scan_date": "2017-08-03 05:11:58", 350 | "av_engine_version": "0.1.5.2", 351 | "is_detected": true 352 | }, 353 | { 354 | "classification_name": "W32/Risk.DMYL-3435", 355 | "av_vendor": "Cyren", 356 | "av_name": "Cyren", 357 | "av_definition_version": "20170803", 358 | "scan_date": "2017-08-03 05:11:58", 359 | "av_engine_version": "5.4.30.7", 360 | "is_detected": true 361 | }, 362 | { 363 | "classification_name": "Trojan/Genome.nvo", 364 | "av_vendor": "Jiangmin", 365 | "av_name": 
"Jiangmin", 366 | "av_definition_version": "20170803", 367 | "scan_date": "2017-08-03 05:11:58", 368 | "av_engine_version": "16.0.100", 369 | "is_detected": true 370 | }, 371 | { 372 | "classification_name": "W32.Hack.Tool", 373 | "av_vendor": "Webroot", 374 | "av_name": "Webroot", 375 | "av_definition_version": "20170803", 376 | "scan_date": "2017-08-03 05:11:58", 377 | "av_engine_version": "1.0.0.207", 378 | "is_detected": true 379 | }, 380 | { 381 | "classification_name": "SPR/Tool.174080.1", 382 | "av_vendor": "Avira", 383 | "av_name": "Avira", 384 | "av_definition_version": "20170802", 385 | "scan_date": "2017-08-03 05:11:58", 386 | "av_engine_version": "8.3.3.4", 387 | "is_detected": true 388 | }, 389 | { 390 | "classification_name": "Riskware/PWDump", 391 | "av_vendor": "Fortinet", 392 | "av_name": "Fortinet", 393 | "av_definition_version": "20170803", 394 | "scan_date": "2017-08-03 05:11:58", 395 | "av_engine_version": "5.4.247.0", 396 | "is_detected": true 397 | }, 398 | { 399 | "classification_name": "Trojan[PSWTool]/Win32.PWDump", 400 | "av_vendor": "Antiy-AVL", 401 | "av_name": "Antiy-AVL", 402 | "av_definition_version": "20170803", 403 | "scan_date": "2017-08-03 05:11:58", 404 | "av_engine_version": "3.0.0.1", 405 | "is_detected": true 406 | }, 407 | { 408 | "classification_name": null, 409 | "av_vendor": "Kingsoft", 410 | "av_name": "Kingsoft", 411 | "av_definition_version": "20170803", 412 | "scan_date": "2017-08-03 05:11:58", 413 | "av_engine_version": "2013.8.14.323", 414 | "is_detected": false 415 | }, 416 | { 417 | "classification_name": "HackTool:Win32/Fgdump", 418 | "av_vendor": "Microsoft", 419 | "av_name": "Microsoft", 420 | "av_definition_version": "20170803", 421 | "scan_date": "2017-08-03 05:11:58", 422 | "av_engine_version": "1.1.14003.0", 423 | "is_detected": true 424 | }, 425 | { 426 | "classification_name": "PUP.Fgdump/Variant", 427 | "av_vendor": "SUPERAntiSpyware", 428 | "av_name": "SUPERAntiSpyware", 429 | "av_definition_version": 
"20170803", 430 | "scan_date": "2017-08-03 05:11:58", 431 | "av_engine_version": "5.6.0.1032", 432 | "is_detected": true 433 | }, 434 | { 435 | "classification_name": "not-a-virus:HEUR:PSWTool.Win32.Generic", 436 | "av_vendor": "ZoneAlarm", 437 | "av_name": "ZoneAlarm", 438 | "av_definition_version": "20170803", 439 | "scan_date": "2017-08-03 05:11:58", 440 | "av_engine_version": "1.0", 441 | "is_detected": true 442 | }, 443 | { 444 | "classification_name": "Application.Fgdump.C", 445 | "av_vendor": "GData", 446 | "av_name": "GData", 447 | "av_definition_version": "20170803", 448 | "scan_date": "2017-08-03 05:11:58", 449 | "av_engine_version": "A:25.13663B:25.10145", 450 | "is_detected": true 451 | }, 452 | { 453 | "classification_name": null, 454 | "av_vendor": "AhnLab-V3", 455 | "av_name": "AhnLab-V3", 456 | "av_definition_version": "20170802", 457 | "scan_date": "2017-08-03 05:11:58", 458 | "av_engine_version": "3.9.2.18278", 459 | "is_detected": false 460 | }, 461 | { 462 | "classification_name": "RDN/Generic PUP.z", 463 | "av_vendor": "McAfee", 464 | "av_name": "McAfee", 465 | "av_definition_version": "20170803", 466 | "scan_date": "2017-08-03 05:11:58", 467 | "av_engine_version": "6.0.6.653", 468 | "is_detected": true 469 | }, 470 | { 471 | "classification_name": null, 472 | "av_vendor": "MAX", 473 | "av_name": "MAX", 474 | "av_definition_version": "20170803", 475 | "scan_date": "2017-08-03 05:11:58", 476 | "av_engine_version": "2017.6.26.1", 477 | "is_detected": false 478 | }, 479 | { 480 | "classification_name": "Trojan.Genome.am", 481 | "av_vendor": "VBA32", 482 | "av_name": "VBA32", 483 | "av_definition_version": "20170801", 484 | "scan_date": "2017-08-03 05:11:58", 485 | "av_engine_version": "3.12.26.4", 486 | "is_detected": true 487 | }, 488 | { 489 | "classification_name": "PUP.Optional.Fgdump", 490 | "av_vendor": "Malwarebytes", 491 | "av_name": "Malwarebytes", 492 | "av_definition_version": "20170803", 493 | "scan_date": "2017-08-03 05:11:58", 494 | 
"av_engine_version": "2.1.1.1115", 495 | "is_detected": true 496 | }, 497 | { 498 | "classification_name": null, 499 | "av_vendor": "WhiteArmor", 500 | "av_name": "WhiteArmor", 501 | "av_definition_version": "20170731", 502 | "scan_date": "2017-08-03 05:11:58", 503 | "av_engine_version": null, 504 | "is_detected": false 505 | }, 506 | { 507 | "classification_name": "Application/Pwdump.J", 508 | "av_vendor": "Panda", 509 | "av_name": "Panda", 510 | "av_definition_version": "20170802", 511 | "scan_date": "2017-08-03 05:11:58", 512 | "av_engine_version": "4.6.4.2", 513 | "is_detected": true 514 | }, 515 | { 516 | "classification_name": null, 517 | "av_vendor": "Zoner", 518 | "av_name": "Zoner", 519 | "av_definition_version": "20170803", 520 | "scan_date": "2017-08-03 05:11:58", 521 | "av_engine_version": "1.0", 522 | "is_detected": false 523 | }, 524 | { 525 | "classification_name": "Win32/PSWTool.Fgdump.A potentially unsafe", 526 | "av_vendor": "ESET-NOD32", 527 | "av_name": "ESET-NOD32", 528 | "av_definition_version": "20170803", 529 | "scan_date": "2017-08-03 05:11:58", 530 | "av_engine_version": "15852", 531 | "is_detected": true 532 | }, 533 | { 534 | "classification_name": "Win32.Hacktool.Pwdump.Eyc", 535 | "av_vendor": "Tencent", 536 | "av_name": "Tencent", 537 | "av_definition_version": "20170803", 538 | "scan_date": "2017-08-03 05:11:58", 539 | "av_engine_version": "1.0.0.1", 540 | "is_detected": true 541 | }, 542 | { 543 | "classification_name": "Trojan.Remhead!kSjPH6vydw0", 544 | "av_vendor": "Yandex", 545 | "av_name": "Yandex", 546 | "av_definition_version": "20170801", 547 | "scan_date": "2017-08-03 05:11:58", 548 | "av_engine_version": "5.5.1.3", 549 | "is_detected": true 550 | }, 551 | { 552 | "classification_name": "static engine - malicious", 553 | "av_vendor": "SentinelOne", 554 | "av_name": "SentinelOne", 555 | "av_definition_version": "20170718", 556 | "scan_date": "2017-08-03 05:11:58", 557 | "av_engine_version": "1.0.1.223", 558 | "is_detected": 
true 559 | }, 560 | { 561 | "classification_name": "Application.Fgdump.C", 562 | "av_vendor": "Ad-Aware", 563 | "av_name": "Ad-Aware", 564 | "av_definition_version": "20170803", 565 | "scan_date": "2017-08-03 05:11:58", 566 | "av_engine_version": "3.0.3.1010", 567 | "is_detected": true 568 | }, 569 | { 570 | "classification_name": "Win32:PUP-gen [PUP]", 571 | "av_vendor": "AVG", 572 | "av_name": "AVG", 573 | "av_definition_version": "20170803", 574 | "scan_date": "2017-08-03 05:11:58", 575 | "av_engine_version": "8.0.1489.320", 576 | "is_detected": true 577 | }, 578 | { 579 | "classification_name": null, 580 | "av_vendor": "Paloalto", 581 | "av_name": "Paloalto", 582 | "av_definition_version": "20170803", 583 | "scan_date": "2017-08-03 05:11:58", 584 | "av_engine_version": "1.0", 585 | "is_detected": false 586 | }, 587 | { 588 | "classification_name": null, 589 | "av_vendor": "CrowdStrike", 590 | "av_name": "CrowdStrike", 591 | "av_definition_version": "20170710", 592 | "scan_date": "2017-08-03 05:11:58", 593 | "av_engine_version": "1.0", 594 | "is_detected": false 595 | }, 596 | { 597 | "classification_name": "Win32/Virus.PSW.a4b", 598 | "av_vendor": "Qihoo-360", 599 | "av_name": "Qihoo-360", 600 | "av_definition_version": "20170803", 601 | "scan_date": "2017-08-03 05:11:58", 602 | "av_engine_version": "1.0.0.1120", 603 | "is_detected": true 604 | } 605 | ] 606 | } 607 | } 608 | } 609 | } -------------------------------------------------------------------------------- /external-reference.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "http://json-schema.org/draft-04/schema#", 3 | "definitions": {"external-reference": { 4 | "title":"ExternalReference", 5 | "type": "object", 6 | "description": "External references are used to describe pointers to information represented outside of MAEC. 
For example, a Malware Instance object could use an external reference to indicate an ID for that malware in an external database or a report could use references to represent source material.", 7 | "properties": { 8 | "source_name": { 9 | "type": "string", 10 | "description": "The source within which the external-reference is defined (system, registry, organization, etc.)." 11 | }, 12 | "description": { 13 | "type": "string", 14 | "description": "A human readable description." 15 | }, 16 | "url": { 17 | "type": "string", 18 | "format": "uri", 19 | "description": "A URL reference to an external resource [RFC3986]." 20 | }, 21 | "external_id": { 22 | "type": "string", 23 | "description": "An identifier for the external reference content." 24 | } 25 | }, 26 | "required": ["source_name"] 27 | }} 28 | } -------------------------------------------------------------------------------- /field-data.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "http://json-schema.org/draft-04/schema#", 3 | "definitions": { 4 | "field-data":{ 5 | "title": "FieldData", 6 | "type": "object", 7 | "description": "Captures field data with a malware instance or family. At least one of \"delivery_vectors\" or \"first_seen\" or \"last_seen\" MUST be included when using this type.", 8 | "properties": { 9 | "delivery_vectors": { 10 | "type": "array", 11 | "items": {"type": "string"}, 12 | "description": "Captures the vectors used to distribute/deploy the Malware Instance. The values for this property SHOULD come from the delivery-vector-ov vocabulary." 13 | }, 14 | "first_seen": { 15 | "type": "string", 16 | "format": "date-time", 17 | "description": "Captures the date/time that the malware instance was first seen by the producer of the Malware Instance Object." 
18 | }, 19 | "last_seen": { 20 | "type": "string", 21 | "format": "date-time", 22 | "description": "Captures the date/time that the malware instance was last seen by the producer of the Malware Instance Object." 23 | } 24 | }, 25 | "anyOf": [ 26 | {"required": ["delivery_vectors"]}, 27 | {"required": ["first_seen"]}, 28 | {"required": ["last_seen"]} 29 | ] 30 | } 31 | } 32 | } 33 | -------------------------------------------------------------------------------- /malware-action.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "http://json-schema.org/draft-04/schema#", 3 | "definitions": { 4 | "malware-action": { 5 | "title": "MalwareAction", 6 | "type": "object", 7 | "description": "A Malware Action represents an abstraction on a system-level API call (or similar entity) called by the malware instance during its execution, and thereby corresponds to the lowest-level dynamic operation of the malware instance.", 8 | "properties": { 9 | "type": { 10 | "type": "string", 11 | "enum": ["malware-action"] 12 | }, 13 | "id": { 14 | "type": "string", 15 | "description": "Specifies a unique id for this Malware Action." 16 | }, 17 | "name": { 18 | "type": "string", 19 | "description": "Captures the name of the Malware Action. The values for this property SHOULD come from the malware-action-ov vocabulary." 20 | }, 21 | "is_successful": { 22 | "type": "boolean", 23 | "description": "Specifies whether the Malware Action was successful in its execution." 24 | }, 25 | "description": { 26 | "type": "string", 27 | "description": "Captures a basic textual description of the Malware Action." 28 | }, 29 | "timestamp": { 30 | "type": "string", 31 | "format": "date-time", 32 | "description": "Captures the local or relative time at which the Malware Action occurred or was observed." 
33 | }, 34 | "input_object_refs": { 35 | "type": "array", 36 | "items": {"type": "string"}, 37 | "description": "References STIX Observable Objects used as input to the Malware Action. The Object(s) referenced MUST be specified in the observable-objects property of the Package." 38 | }, 39 | "output_object_refs": { 40 | "type": "array", 41 | "items": {"type": "string"}, 42 | "description": "Specifies STIX Observable Objects resulting as output from the Malware Action. The Object(s) referenced MUST be specified in the observable-objects property of the Package." 43 | }, 44 | "api_call": { 45 | "type": "object", 46 | "items": {"$ref": "api-call.json#/definitions/api-call"}, 47 | "description": "Captures attributes of the specific API call that was used to implement the Malware Action." 48 | } 49 | }, 50 | "required": [ 51 | "id", 52 | "type", 53 | "name" 54 | ] 55 | } 56 | } 57 | } 58 | -------------------------------------------------------------------------------- /malware-development-environment.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "http://json-schema.org/draft-04/schema#", 3 | "definitions": { 4 | "malware-development-environment": { 5 | "title": "MalwareDevelopmentEnvironment", 6 | "type": "object", 7 | "description": "Captures details of the development environment used in developing the malware instance, such as information on any tools that were used.", 8 | "properties": { 9 | "tool_refs": { 10 | "type": "array", 11 | "items": {"type": "string"}, 12 | "description": "References the tools used in the development of the malware instance. The Objects referenced MUST be of STIX type software and MUST be specified in the observable_objects property of the Package." 13 | }, 14 | "debugging_file_refs": { 15 | "type": "array", 16 | "items": {"type": "string"}, 17 | "description": "References debugging files associated with the malware instance, such as PDB files. 
The Objects referenced MUST be of STIX type file and MUST be specified in the observable_objects property of the Package." 18 | } 19 | }, 20 | "anyOf": [ 21 | {"required": ["tool_refs"]}, 22 | {"required": ["debugging_file_refs"]} 23 | ] 24 | } 25 | } 26 | } 27 | -------------------------------------------------------------------------------- /malware-family.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "http://json-schema.org/draft-04/schema#", 3 | "definitions": {"malware-family": { 4 | "title": "MalwareFamily", 5 | "type": "object", 6 | "description": "A set of malware instances that are related by common authorship and/or lineage. Malware Families are often named and may have components such as strings that are common across all members of the family.", 7 | "properties": { 8 | "type": { 9 | "type": "string", 10 | "enum": ["malware-family"] 11 | }, 12 | "id": { 13 | "type": "string", 14 | "description": "Specifies a unique id for the Malware Family" 15 | }, 16 | "name": { 17 | "$ref": "name.json#/definitions/name", 18 | "description": "Captures a name of the Malware Family, as specified by the producer of the MAEC package." 19 | }, 20 | "aliases": { 21 | "type": "array", 22 | "items": {"$ref": "name.json#/definitions/name"}, 23 | "minItems": 1, 24 | "description": "Captures aliases for the Malware Family. For cases where the alias comes from an external source, the name of the source SHOULD be provided." 25 | }, 26 | "labels": { 27 | "type": "array", 28 | "items": {"type": "string"}, 29 | "description": "Specifies a single commonly accepted label to describe the members of the Malware Family, e.g. \"worm\". The values for this property SHOULD come from the malware-label-ov vocabulary." 30 | }, 31 | "description": { 32 | "type": "string", 33 | "description": "Captures a basic, textual description of the Malware Family." 
34 | }, 35 | "field_data": { 36 | "$ref": "field-data.json#/definitions/field-data", 37 | "description": "Specifies field data about the Malware Family, such as first seen and last seen dates." 38 | }, 39 | "common_strings": { 40 | "type": "array", 41 | "items": {"type": "string"}, 42 | "description": "Specifies any strings common to all members of the Malware Family." 43 | }, 44 | "common_capabilities": { 45 | "type": "array", 46 | "description": "Specifies a set of one or more Capabilities that are common to all members of the Malware Family.", 47 | "items": {"$ref": "capability.json#/definitions/capability"} 48 | }, 49 | "common_code_refs": { 50 | "type": "array", 51 | "items": {"type": "string"}, 52 | "description": "References code snippets that are shared between all of the members of the Malware Family. The Object(s) referenced MUST be of STIX type artifact and MUST be specified in the observable-objects property of the Package." 53 | }, 54 | "common_behavior_refs": { 55 | "type": "array", 56 | "items": {"type": "string"}, 57 | "description": "Specifies a set of one or more Behaviors that are common to all of the members of the Malware Family. Each item specifies a unique ID of the Behavior being referenced." 58 | }, 59 | "references": { 60 | "type": "array", 61 | "items": {"$ref": "external-reference.json#/definitions/external-reference"}, 62 | "description": "Specifies a set of one or more external references to the Malware Family." 
63 | } 64 | }, 65 | "required": [ 66 | "type", 67 | "id", 68 | "name" 69 | ] 70 | }} 71 | } 72 | -------------------------------------------------------------------------------- /malware-instance.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "http://json-schema.org/draft-04/schema#", 3 | "definitions": { 4 | "malware-instance": { 5 | "title": "MalwareInstance", 6 | "type": "object", 7 | "description": "A Malware Instance can be thought of as a single member of a Malware Family that is typically packaged as a binary. ", 8 | "properties": { 9 | "type": { 10 | "type": "string", 11 | "enum": ["malware-instance"] 12 | }, 13 | "id": { 14 | "type": "string", 15 | "description": "Specifies a unique ID for this Malware Instance." 16 | }, 17 | "instance_object_refs": { 18 | "type": "array", 19 | "items": {"type": "string"}, 20 | "description": "References the Cyber Observable Objects that characterize the packaged code (typically a binary) associated with the Malware Instance Object. For most use cases, the object referenced SHOULD be of STIX Cyber Observable type file. Objects referenced MUST be specified in the observable_objects property of the Package." 21 | }, 22 | "name": { 23 | "$ref": "name.json#/definitions/name", 24 | "description": "Captures the name of the malware instance characterized by the Malware Instance. These names are assigned by the producer of the MAEC document, and may come from various sources, including from an analyst or as reported by a tool (e.g., an AV classification tool)." 25 | }, 26 | "aliases": { 27 | "type": "array", 28 | "items": {"$ref": "name.json#/definitions/name"}, 29 | "description": "Captures any aliases for the malware instance name associated with the Malware Instance, as reported by sources other than the producer of the MAEC document (e.g., AV vendors)." 
30 | }, 31 | "labels": { 32 | "type": "array", 33 | "items": {"type": "string"}, 34 | "description": "Specifies commonly accepted labels used to describe the Malware Instance, e.g. \"worm\". The values for this property SHOULD come from the malware-label-ov vocabulary." 35 | }, 36 | "description": { 37 | "type": "string", 38 | "description": "Captures a basic, textual description of the Malware Instance." 39 | }, 40 | "field_data":{ 41 | "$ref": "field-data.json#/definitions/field-data", 42 | "description": "Specifies general metadata about the Malware Instance (e.g. first seen and last seen dates)." 43 | }, 44 | "os_execution_envs": { 45 | "type": "array", 46 | "items": {"type": "string"}, 47 | "description": "Specifies the operating systems that the Malware Instance executes on. The values for this property SHOULD come from the operating-system-ov vocabulary." 48 | }, 49 | "architecture_execution_envs": { 50 | "type": "array", 51 | "items":{"type": "string"}, 52 | "description": "Specifies the processor architectures that the Malware Instance executes on. The values for this property SHOULD come from the processor-architecture-ov vocabulary." 53 | }, 54 | "capabilities":{ 55 | "type": "array", 56 | "items":{"$ref": "capability.json#/definitions/capability"}, 57 | "description": "Specifies a set of one or more Capabilities possessed by the Malware Instance." 58 | }, 59 | "os_features":{ 60 | "type": "array", 61 | "items":{"type": "string"}, 62 | "description": "Specifies any operating system-specific features used by the malware instance. Each item in the list specifies a single feature. 
The values for this property SHOULD come from the os-features-android-ov, os-features-ios-ov, os-features-linux-ov, os-features-macosx-ov or os-features-windows-ov vocabularies." 63 | }, 64 | "dynamic_features":{ 65 | "$ref": "dynamic-features.json#/definitions/dynamic-features", 66 | "description": "Captures features associated with the semantics of the code executed by the Malware Instance. Note that DynamicFeaturesType captures multiple features." 67 | }, 68 | "static_features":{ 69 | "$ref": "static-features.json#/definitions/static-features", 70 | "description": "Captures features associated with the binary that aren’t related to the semantics of the code (e.g., strings, packer information). Note that StaticFeaturesType captures multiple static features." 71 | }, 72 | "analysis_metadata": { 73 | "type": "array", 74 | "items": {"$ref": "analysis-metadata.json#/definitions/analysis-metadata"}, 75 | "description": "Captures metadata associated with the analyses performed on the Malware Instance (e.g., the tools that were used)." 76 | }, 77 | "triggered_signatures": { 78 | "type": "array", 79 | "items": {"$ref": "signature-metadata.json#/definitions/signature-metadata"}, 80 | "description": "Captures metadata associated with any signatures or rules (e.g., YARA) that were triggered during the analysis of the malware instance." 
81 | } 82 | }, 83 | "required": [ 84 | "type", 85 | "id", 86 | "instance_object_refs" 87 | ] 88 | } 89 | } 90 | } 91 | -------------------------------------------------------------------------------- /name.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "http://json-schema.org/draft-04/schema#", 3 | "definitions": { 4 | "name": { 5 | "title": "Name", 6 | "type": "object", 7 | "description": "Captures the name of a malware instance, family, or alias, as well as the source and relative confidence in the name.", 8 | "properties": { 9 | "value": { 10 | "type": "string", 11 | "description": "Captures the name of the malware instance or malware family." 12 | }, 13 | "source":{ 14 | "$ref": "external-reference.json#/definitions/external-reference", 15 | "description": "Captures the source of the value property (i.e., the name)." 16 | }, 17 | "confidence": { 18 | "type": "string", 19 | "description": "Captures the relative confidence in the accuracy of the assigned name. The value for this property SHOULD come from the confidence-measure-ov vocabulary." 20 | } 21 | }, 22 | "required": ["value"] 23 | } 24 | } 25 | } 26 | -------------------------------------------------------------------------------- /package.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "http://json-schema.org/draft-04/schema#", 3 | "definitions": {"package": { 4 | "title": "Package", 5 | "type": "object", 6 | "description": "The standard output format that can be used to capture one or more Malware Instances or Malware Families and the entities associated with them: Capabilities, Behaviors, Actions, Cyber Observable Objects, and Collections and Relationships.", 7 | "properties": { 8 | "type":{ 9 | "type": "string", 10 | "enum":["package"], 11 | "description": "The value of this field MUST be \"package\"." 
12 | }, 13 | "id": { 14 | "type": "string", 15 | "description": "Specifies a unique ID for this Package." 16 | }, 17 | "schema_version": { 18 | "type": "string", 19 | "enum": ["5.0"], 20 | "description": "Specifies the version of the MAEC specification used to represent the content in this Package. The value of this property MUST be 5.0 for Packages containing MAEC Objects defined in this specification." 21 | }, 22 | "maec_objects": { 23 | "type": "array", 24 | "items": { 25 | "anyOf": [ 26 | {"$ref": "behavior.json#/definitions/behavior"}, 27 | {"$ref": "collection.json#/definitions/collection"}, 28 | {"$ref": "malware-action.json#/definitions/malware-action"}, 29 | {"$ref": "malware-family.json#/definitions/malware-family"}, 30 | {"$ref": "malware-instance.json#/definitions/malware-instance"} 31 | ] 32 | }, 33 | "description": "Specifies a set of one or more MAEC Objects. Objects in this list MUST be a MAEC Top-level Object." 34 | }, 35 | "observable_objects": { 36 | "type": "object", 37 | "description": "Specifies a dictionary of STIX Cyber Observable Objects relevant to the MAEC Package. This dictionary MUST contain all Cyber Observable Objects associated with the MAEC Package, including those that are referenced by other Cyber Observable Objects. " 38 | }, 39 | "relationships": { 40 | "type": "array", 41 | "items": {"$ref": "relationship.json#/definitions/relationship"}, 42 | "description": "Specifies a set of one or more MAEC relationships. Each entry in this list must be of type Relationship." 
43 | } 44 | }, 45 | "required": [ 46 | "type", 47 | "id", 48 | "schema_version", 49 | "maec_objects" 50 | ] 51 | }}, 52 | "allOf":[{"$ref": "#/definitions/package"}] 53 | } 54 | -------------------------------------------------------------------------------- /process-tree-node.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "http://json-schema.org/draft-04/schema#", 3 | "definitions": { 4 | "process-tree-node": { 5 | "title": "ProcessTreeNode", 6 | "type": "object", 7 | "description": "Captures a single process, or node, in the process tree. It imports and extends the ProcessObjectType from the CybOX Process Object.", 8 | "properties": { 9 | "process_ref": { 10 | "type": "string", 11 | "description": "References the Process Object, contained in the Package, which represents the process and its relevant metadata. The Object referenced MUST be of STIX type process and MUST be specified in the observable_objects property of the Package." 12 | }, 13 | "parent_action_ref": { 14 | "type": "string", 15 | "description": "Captures the ID of the Action that created or injected this process." 16 | }, 17 | "ordinal_position": { 18 | "type": "integer", 19 | "minimum": 0, 20 | "description": "Captures the ordinal position of the process with respect to the other processes spawned or injected by the malware. This value MUST be a non-negative integer. For specifying the root process of the process tree, a value of 0 MUST be used." 21 | }, 22 | "initiated_action_refs": { 23 | "type": "array", 24 | "items": {"type": "string"}, 25 | "description": "Captures the IDs of the Actions initiated by the process." 
26 | } 27 | }, 28 | "required": ["process_ref"] 29 | } 30 | } 31 | } 32 | -------------------------------------------------------------------------------- /relationship-distance.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "http://json-schema.org/draft-04/schema#", 3 | "definitions": { 4 | "relationship-distance": { 5 | "title": "RelationshipDistance", 6 | "type": "object", 7 | "description": "Captures a distance score and associated metadata between the source and target in a MAEC Relationship.", 8 | "properties": { 9 | "distance_score": { 10 | "type": "number", 11 | "description": "Captures the distance score between the source and target in the relationship. This is most commonly represented as a floating point value between zero and one (with a higher value representing a greater distance between the two), e.g., \"0.62\"." 12 | }, 13 | "algorithm_name": { 14 | "type": "string", 15 | "description": "Captures the name of the algorithm used in calculating the distance score specified in the distance_score property." 16 | }, 17 | "algorithm_version": { 18 | "type": "string", 19 | "description": "Captures the version of the algorithm used in calculating the distance score specified in the distance_score property." 20 | }, 21 | "metadata": { 22 | "type": "object", 23 | "description": "Specifies a dictionary of additional metadata around the distance score, as a set of key/value pairs. Dictionary keys and their corresponding values MUST be of type string." 
24 | } 25 | }, 26 | "required": ["distance_score"] 27 | } 28 | } 29 | } 30 | -------------------------------------------------------------------------------- /relationship.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "http://json-schema.org/draft-04/schema#", 3 | "definitions": { 4 | "relationship": { 5 | "title": "Relationship", 6 | "type": "object", 7 | "definition": "Captures relationships between two entities in a MAEC Package.", 8 | "properties": { 9 | "type": { 10 | "type": "string", 11 | "enum": ["relationship"] 12 | }, 13 | "id": { 14 | "type": "string", 15 | "description": "Specifies a unique identifier for the relationship." 16 | }, 17 | "source_ref": { 18 | "type": "string", 19 | "description": "Specifies a reference to the ID of the entity in the MAEC document that corresponds to the source in the source-target relationship." 20 | }, 21 | "target_ref": { 22 | "type": "string", 23 | "description": "Specifies a reference to the ID of the entity in the MAEC document that corresponds to the target in the source-target relationship." 24 | }, 25 | "timestamp": { 26 | "type": "string", 27 | "format": "date-time", 28 | "description": "Specifies a timestamp that states when the relationship was created." 29 | }, 30 | "relationship_type": { 31 | "type": "string", 32 | "description": "Specifies the type of relationship being expressed. This value SHOULD be an exact value listed in the relationships for the source and target top-level object, but MAY be any string. The value of this field MUST be in ASCII and is limited to characters a–z (lowercase ASCII), 0–9, and dash (-)." 33 | }, 34 | "metadata": { 35 | "type": "object", 36 | "description": "Specifies a dictionary of additional metadata around the relationship. Standard dictionary keys include the following: distance: used for capturing any distance related metadata. 
The corresponding value for this key MUST be an object of type RelationshipDistanceType. supporting_data_refs: references any entities in the MAEC document (e.g., Action or Object) that may support the Relationship. The corresponding value for this key MUST be a list of type identifier. Custom entries in the dictionary MAY also be included." 37 | } 38 | }, 39 | "required": [ 40 | "type", 41 | "id", 42 | "source_ref", 43 | "target_ref", 44 | "relationship_type" 45 | ] 46 | } 47 | } 48 | } 49 | -------------------------------------------------------------------------------- /signature-metadata.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "http://json-schema.org/draft-04/schema#", 3 | "definitions": { 4 | "signature-metadata": { 5 | "title": "SignatureMetadata", 6 | "type": "object", 7 | "description": "Captures metadata associated with a signature (for example, a YARA rule) that may have been triggered during the analysis of a Malware Instance.", 8 | "properties": { 9 | "signature_type": { 10 | "type": "string", 11 | "description": "Captures the type of the signature, i.e., the language or platform it is written for. For example, “snort”, for the Snort network intrusion detection system (NIDS). The values for this property SHOULD come from the signature-type-ov vocabulary." 12 | }, 13 | "name": { 14 | "type": "string", 15 | "description": "Captures the name provided for the signature (if applicable)." 16 | }, 17 | "description": { 18 | "type": "string", 19 | "description": "Captures a textual description of the signature." 20 | }, 21 | "author": { 22 | "type": "string", 23 | "description": "Captures the name of the author of the signature." 24 | }, 25 | "reference": { 26 | "$ref": "external-reference.json#/definitions/external-reference", 27 | "description": "Captures an external reference associated with the signature." 
28 | }, 29 | "severity": { 30 | "type": "string", 31 | "description": "Captures a measure of severity associated with the detection of the signature." 32 | }, 33 | "external_id": { 34 | "type": "string", 35 | "description": "Captures an external identifier associated with the signature." 36 | } 37 | }, 38 | "required":["signature_type"] 39 | } 40 | } 41 | } -------------------------------------------------------------------------------- /static-features.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "http://json-schema.org/draft-04/schema#", 3 | "definitions": { 4 | "static-features": { 5 | "title":"StaticFeatures", 6 | "type":"object", 7 | "description":"Captures features associated with a malware binary not related to the semantics of the code.", 8 | "properties": { 9 | "strings": { 10 | "type": "array", 11 | "items": {"type": "string"}, 12 | "description": "Captures strings extracted from the binary." 13 | }, 14 | "obfuscation_methods": { 15 | "type": "array", 16 | "items": {"$ref": "binary-obfuscation.json#/definitions/binary-obfuscation"}, 17 | "description": "Captures metadata associated with methods used to obfuscate the malware instance (e.g., packers, encryptors)." 18 | }, 19 | "certificates": { 20 | "type":"array", 21 | "items": {"type": "string"}, 22 | "description": "References any software certificates used to sign the malware instance. The Objects referenced MUST be of STIX type x509-certificate and MUST be specified in the observable_objects property of the Package." 23 | }, 24 | "file_headers": { 25 | "type": "array", 26 | "items": {"type": "string"}, 27 | "description": "References any file headers (e.g., PE file headers) extracted from the malware instance. The Objects referenced MUST be of STIX type file and MUST be specified in the observable_objects property of the Package." 
28 | }, 29 | "configuration_parameters": { 30 | "type": "object", 31 | "description": "Captures any configuration parameters specified for the malware instance. Each key in the dictionary MUST be of type string and SHOULD come from the malware-configuration-parameter-ov vocabulary, which is based on the data reported by the Malware Configuration Parser (MWCP) tool developed by the Department of Defense Cyber Crime Center (DC3). Each corresponding key value MUST also be of type string, and should capture the actual value of the configuration parameter." 32 | }, 33 | "development_environment": { 34 | "$ref": "malware-development-environment.json#/definitions/malware-development-environment", 35 | "description": "Captures the details of the development environment used in the creation of the malware instance object characterized by the Malware Instance." 36 | } 37 | }, 38 | "anyOf": [ 39 | {"required": ["strings"]}, 40 | {"required": ["obfuscation_methods"]}, 41 | {"required": ["certificates"]}, 42 | {"required": ["file_headers"]}, 43 | {"required": ["configuration_parameters"]}, 44 | {"required": ["development_environment"]} 45 | ] 46 | } 47 | } 48 | } 49 | -------------------------------------------------------------------------------- /x-maec-avclass.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "http://json-schema.org/draft-04/schema#", 3 | "definitions": {"x-maec-avclass": { 4 | "title":"AVClassification", 5 | "type": "array", 6 | "description": "This extension captures information on anti-virus (AV) tool classifications for a particular file. Note that unlike other extensions, the base type of this extension is a list and each entry in the list(of type dictionary) represents a single AV classification. 
This extension MUST only be used in conjunction with the Cyber Observable File Object.", 7 | "items": { 8 | "type":"object", 9 | "properties": { 10 | "scan_date": { 11 | "type": "string", 12 | "format": "date-time", 13 | "description": "Captures the date and time of the scan. This field can be used to capture how a scan changes over time." 14 | }, 15 | "submission_date": { 16 | "type": "string", 17 | "format": "date-time", 18 | "description": "Captures the date and time that the binary was submitted for scanning." 19 | }, 20 | "is_detected": { 21 | "type": "boolean", 22 | "description": "Captures whether or not the AV tool specified in AVClassificationType has detected the malware instance that is characterized by the Malware Instance." 23 | }, 24 | "classification_name": { 25 | "type": "string", 26 | "description": "Captures the classification assigned to the malware instance object by the AV tool." 27 | }, 28 | "av_name": { 29 | "type": "string", 30 | "description": "Captures the name of the AV tool that generated the classification." 31 | }, 32 | "av_vendor": { 33 | "type": "string", 34 | "description": "Captures the name of the vendor of the AV tool that generated the classification." 35 | }, 36 | "av_version": { 37 | "type": "string", 38 | "description": "Captures the version of the AV tool that generated the classification." 39 | }, 40 | "av_engine_version": { 41 | "type": "string", 42 | "description": "Captures the version of the AV engine used by the AV tool that generated the classification." 43 | }, 44 | "av_definition_version": { 45 | "type": "string", 46 | "description": "Captures the version of the AV definitions used by the AV tool that generated the classification." 47 | } 48 | }, 49 | "required": [ 50 | "scan_date", 51 | "is_detected" 52 | ] 53 | } 54 | }} 55 | } 56 | --------------------------------------------------------------------------------