STIX Wiki

Malware

Malware is a type of TTP that represents malicious code. It generally refers to a program that is inserted into a system, usually covertly. The intent is to compromise the confidentiality, integrity, or availability of the victim's data, applications, or operating system (OS) or otherwise annoy or disrupt the victim.

The Malware SDO characterizes, identifies, and categorizes malware instances and families from data that may be derived from analysis. This SDO captures detailed information about how the malware works and what it does. This SDO captures contextual data relevant to sharing Malware data without requiring the full analysis provided by the Malware Analysis SDO.

The Indicator SDO gives intelligence producers a standard way, using the STIX Pattern Grammar, to identify and detect behaviors associated with malicious activity. Although the Malware SDO provides vital intelligence on a specific instance or malware family, it does not provide the standard grammar that the Indicator SDO offers for identifying those properties in security detection systems designed to process STIX Patterns. We strongly encourage the use of STIX Indicators for the detection of actual malware, because of the STIX Patterning language and the clear semantics it provides.

To minimize the risk of a consumer compromising their system while parsing malware samples, producers SHOULD consider sharing defanged content (archived and password-protected samples) instead of raw, base64-encoded malware samples.

Properties

Required common properties: type, spec_version, id, created, modified, is_family
Optional common properties: created_by_ref, labels, revoked, confidence, lang, external_references, object_marking_refs, granular_markings, extensions
Not applicable: defanged
Malware-specific properties: aliases, first_seen, last_seen, operating_system_refs, architecture_execution_envs, implementation_languages, capabilities, sample_refs, malware_types, name, description, kill_chain_phases

Property | Required | Type | Description
type | required | string | The type of this object, which MUST be the literal `malware`.
aliases | optional | list of string | Alternative names used to identify this Malware or Malware family.
first_seen | optional | string | Timestamp, as used across the CTI specifications: an RFC3339 timestamp with a required timezone specification of 'Z'.
last_seen | optional | string | Timestamp, as used across the CTI specifications: an RFC3339 timestamp with a required timezone specification of 'Z'.
operating_system_refs | optional | list | The operating systems that the malware family or malware instance is executable on.
architecture_execution_envs | optional | list of string | The processor architectures (e.g., x86, ARM) that the malware instance or family is executable on. Open Vocab - processor-architecture-ov.
implementation_languages | optional | list of string | The programming language(s) used to implement the malware instance or family. Open Vocab - implementation-language-ov.
capabilities | optional | list of string | Specifies any capabilities identified for the malware instance or family. Open Vocab - malware-capabilities-ov.
sample_refs | optional | list of string | A list of identifiers of the SCO file or artifact objects associated with this malware instance or family.
malware_types | optional | list of string | The type of malware being described. Open Vocab - malware-type-ov.
name | optional | string | The name used to identify the Malware.
description | optional | string | Provides more context and details about the Malware object.
kill_chain_phases | optional | list of object | The list of kill chain phases for which this Malware instance can be used.
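The property rules in the table above can be checked mechanically before a Malware object is accepted from a feed. The validator below is an added example, not code from the STIX project; it assumes STIX 2.1 style ids (`<type>--<uuid>`), and the sample object, its ids and values are constructed for illustration.

```python
import re

# Rules taken from the Malware SDO property table; added example, not STIX project code.
REQUIRED = ("type", "spec_version", "id", "created", "modified", "is_family")
NOT_APPLICABLE = ("defanged",)
LIST_PROPS = ("aliases", "operating_system_refs", "architecture_execution_envs",
              "implementation_languages", "capabilities", "sample_refs",
              "malware_types", "kill_chain_phases")
# RFC3339 timestamp with the mandatory 'Z' timezone designator.
TIMESTAMP_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?Z$")

def validate_malware(obj):
    """Return a list of problems; an empty list means the object passes these checks."""
    problems = []
    for prop in REQUIRED:
        if prop not in obj:
            problems.append(f"missing required property '{prop}'")
    if obj.get("type") != "malware":
        problems.append("'type' must be the literal 'malware'")
    for prop in NOT_APPLICABLE:
        if prop in obj:
            problems.append(f"'{prop}' is not applicable to Malware")
    for prop in ("created", "modified", "first_seen", "last_seen"):
        if prop in obj and not TIMESTAMP_RE.match(str(obj[prop])):
            problems.append(f"'{prop}' must be an RFC3339 timestamp ending in 'Z'")
    for prop in LIST_PROPS:
        if prop in obj and not isinstance(obj[prop], list):
            problems.append(f"'{prop}' must be a list")
    # sample_refs may only point at file or artifact SCOs.
    for ref in obj.get("sample_refs", []):
        if not ref.startswith(("file--", "artifact--")):
            problems.append(f"sample_refs entry '{ref}' is not a file or artifact id")
    return problems

SAMPLE = {  # constructed sample object; ids and values are made up
    "type": "malware", "spec_version": "2.1",
    "id": "malware--00000000-0000-4000-8000-000000000001",
    "created": "2024-01-15T10:00:00.000Z", "modified": "2024-01-15T10:00:00.000Z",
    "is_family": True, "name": "ExampleFamily", "malware_types": ["trojan"],
    "first_seen": "2023-11-02T00:00:00Z",
    "sample_refs": ["artifact--00000000-0000-4000-8000-000000000002"],
}
# Same object with three defects: 'defanged' set, a first_seen that is not
# RFC3339 with 'Z', and a sample_refs entry that is not a file or artifact.
BAD = dict(SAMPLE, defanged=False, first_seen="2023-11-02 00:00:00",
           sample_refs=["malware--00000000-0000-4000-8000-000000000003"])
```

`validate_malware(SAMPLE)` returns an empty list, while `validate_malware(BAD)` reports the three defects described in the comment.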

Relationships

These are the relationships explicitly defined between the Malware object and other STIX Objects. The first section lists the embedded relationships by property name along with their corresponding target. The rest of the table identifies the relationships that can be made from this object type to another object type by way of the Relationship object. The reverse relationships section illustrates the relationships targeting this object type from another object type. They are included here for convenience. For their definitions, please see the "Source" object.

Relationships are not restricted to those listed below. Relationships can be created between any objects using the related-to relationship type or, as with open vocabularies, user-defined names.
