STIX Wiki

Malware Analysis

Malware Analysis captures the metadata and results of a particular static or dynamic analysis performed on a malware instance or family. At least one of the result or analysis_sco_refs properties MUST be provided.

Properties

Required Common Properties: type, spec_version, id, created, modified, product

Optional Common Properties: created_by_ref, labels, revoked, confidence, lang, external_references, object_marking_refs, granular_markings, extensions

Not Applicable: defanged

Malware Analysis Specific: product, version, configuration_version, modules, analysis_engine_version, analysis_definition_version, submitted, analysis_started, analysis_ended, result_name, result, host_vm_ref, operating_system_ref, installed_software_refs, analysis_sco_refs, sample_ref
Property | Presence | Type | Description
--- | --- | --- | ---
type | optional | string | The type of this object, which MUST be the literal `malware-analysis`.
product | required | string | The name of the analysis engine or product that was used for this analysis.
version | optional | string | The version of the analysis product that was used to perform this analysis.
configuration_version | optional | string | The version of the analysis product configuration that was used to perform this analysis.
modules | optional | list of string | The particular analysis product modules that were used to perform the analysis.
analysis_engine_version | optional | string | The version of the analysis engine or product that was used to perform this analysis.
analysis_definition_version | optional | string | The version of the analysis definitions used by the analysis tool.
submitted | optional | string | Represents timestamps across the CTI specifications. The format is an RFC3339 timestamp, with a required timezone specification of 'Z'.
analysis_started | optional | string | Represents timestamps across the CTI specifications. The format is an RFC3339 timestamp, with a required timezone specification of 'Z'.
analysis_ended | optional | string | Represents timestamps across the CTI specifications. The format is an RFC3339 timestamp, with a required timezone specification of 'Z'.
result_name | optional | string | The classification result or name assigned to the malware instance by the scanner tool.
result | optional | string | The classification result as determined by the scanner or tool analysis process.
host_vm_ref | optional | | A description of the virtual machine environment used to host the guest operating system (if applicable) that was used for the dynamic analysis of the malware instance or family.
operating_system_ref | optional | | The operating system that was used to perform the dynamic analysis.
installed_software_refs | optional | list | Any non-standard software installed on the operating system used for the dynamic analysis of the malware instance or family.
analysis_sco_refs | optional | list of string | The list of STIX objects that were captured during the analysis process.
sample_ref | optional | | Refers to the object this analysis was performed against.
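As an added example (not code from the STIX wiki or from the OASIS STIX specification), the following Python builds a malware-analysis object with the required common properties filled in and then checks the constraints this page states: the literal `type`, the required `product`, the RFC3339 timestamp format with a trailing 'Z', and the rule that at least one of `result` or `analysis_sco_refs` is present. It uses only the standard library. The product name, timestamps and the file object identifier in the sample are constructed; the `malware-analysis--<UUID>` identifier layout is the general STIX identifier convention, which this page does not spell out.

```python
"""Build and validate a STIX 2.1 malware-analysis object (added example)."""
import json
import re
import uuid
from datetime import datetime, timezone

# Required common properties, as listed on the page.
REQUIRED = ("type", "spec_version", "id", "created", "modified", "product")
# Properties the page describes as RFC3339 timestamps with a required 'Z'.
TIMESTAMPS = ("created", "modified", "submitted", "analysis_started", "analysis_ended")
TIMESTAMP_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?Z$")


def now_stix() -> str:
    """Current UTC time as a STIX timestamp: millisecond precision, 'Z' suffix."""
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"


def make_malware_analysis(product, *, result=None, analysis_sco_refs=None, **extra):
    """Return a malware-analysis dict with the required common properties set.

    Extra keyword arguments are copied in as-is (version, submitted, ...).
    """
    ts = now_stix()
    obj = {
        "type": "malware-analysis",
        "spec_version": "2.1",
        # Standard STIX identifier layout: <type>--<UUID>; the page itself
        # does not state it, so treat this as an assumption of the example.
        "id": f"malware-analysis--{uuid.uuid4()}",
        "created": ts,
        "modified": ts,
        "product": product,
    }
    if result is not None:
        obj["result"] = result
    if analysis_sco_refs is not None:
        obj["analysis_sco_refs"] = list(analysis_sco_refs)
    obj.update(extra)
    return obj


def validate_malware_analysis(obj) -> list:
    """Return a list of problems; an empty list means every check passed."""
    problems = []
    for name in REQUIRED:
        if name not in obj:
            problems.append(f"missing required property: {name}")
    if obj.get("type") != "malware-analysis":
        problems.append("type must be the literal 'malware-analysis'")
    if not str(obj.get("id", "")).startswith("malware-analysis--"):
        problems.append("id must use the malware-analysis-- prefix")
    for name in TIMESTAMPS:
        if name in obj and not TIMESTAMP_RE.match(str(obj[name])):
            problems.append(f"{name} is not an RFC3339 timestamp ending in 'Z'")
    # The page's one cross-property rule for this object type.
    if "result" not in obj and "analysis_sco_refs" not in obj:
        problems.append("one of result or analysis_sco_refs must be provided")
    for name in ("modules", "installed_software_refs", "analysis_sco_refs"):
        if name in obj and not isinstance(obj[name], list):
            problems.append(f"{name} must be a list")
    return problems


# Constructed sample: a dynamic-analysis record that captured one file object.
SAMPLE = make_malware_analysis(
    "ExampleSandbox",  # assumed product name
    version="4.2",
    analysis_sco_refs=["file--4e6a9f0b-3c1d-4b7e-9a2f-0f1c2d3e4a5b"],  # constructed id
    submitted="2024-03-01T09:15:00.000Z",
    analysis_started="2024-03-01T09:15:03.000Z",
    analysis_ended="2024-03-01T09:20:41.000Z",
    result="malicious",
)

if __name__ == "__main__":
    print(json.dumps(SAMPLE, indent=2))
    print("problems:", validate_malware_analysis(SAMPLE))
```

Running the module prints the sample object and an empty problem list; dropping both `result` and `analysis_sco_refs`, or writing a timestamp with a `+00:00` offset instead of `Z`, produces a problem entry naming the violated rule.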

Relationships

These are the relationships explicitly defined between the Malware Analysis object and other STIX Objects. The first section lists the embedded relationships by property name along with their corresponding target. The rest of the table identifies the relationships that can be made from this object type to another object type by way of the Relationship object. The reverse relationships section lists the relationships that target this object type from another object type; they are included here for convenience, and their definitions are given on the page of the "Source" object.

Relationships are not restricted to those listed below. Relationships can be created between any objects using the related-to relationship type or, as with open vocabularies, user-defined names.
