The Malware object describes the classification of known malicious software, which is intentionally designed to cause damage to a computer, server, client, or computer network.
- Extends: _entity
Attributes
classification_ids
- Type: integer_t
- Requirement: required
- Values:
  - 0 - Unknown
  - 1 - Adware
  - 2 - Backdoor
  - 3 - Bot
  - 4 - Bootkit
  - 5 - DDOS
  - 6 - Downloader
  - 7 - Dropper
  - 8 - Exploit-Kit
  - 9 - Keylogger
  - 10 - Ransomware
  - 11 - Remote-Access-Trojan
  - 13 - Resource-Exploitation
  - 14 - Rogue-Security-Software
  - 15 - Rootkit
  - 16 - Screen-Capture
  - 17 - Spyware
  - 18 - Trojan
  - 19 - Virus
  - 20 - Webshell
  - 21 - Wiper
  - 22 - Worm
  - 99 - Other
The list of normalized identifiers of the malware classifications. Reference: STIX Malware Types
name
- Type: string_t
- Requirement: recommended
The malware name, as reported by the detection engine.
path
- Type: string_t
- Requirement: recommended
The filesystem path of the malware that was observed.
provider
- Type: string_t
- Requirement: recommended
The provider of the malware information.
uid
- Type: string_t
- Requirement: recommended
The malware unique identifier, as reported by the detection engine. For example, a virus id or an IPS signature id.
classifications
- Type: string_t
- Requirement: optional
The list of malware classifications, normalized to the captions of the classification_id values. In the case of ‘Other’, they are defined by the event source.
cves
- Type: cve
- Requirement: optional
List of Common Vulnerabilities and Exposures (CVE).
Constraints
At least one of: name, uid
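As an added example (not OCSF project code), this is how a producer might populate the Malware object from a detection-engine record: vendor labels are normalized to classification_ids and their captions, an unrecognized label falls into Other with the source-defined caption kept, and the name/uid constraint is enforced before the object is emitted. The engine record fields and the vendor alias table are assumptions of the example.

```python
# classification_ids enum exactly as published on this page (12 is absent there too).
CLASSIFICATIONS = {
    0: "Unknown", 1: "Adware", 2: "Backdoor", 3: "Bot", 4: "Bootkit",
    5: "DDOS", 6: "Downloader", 7: "Dropper", 8: "Exploit-Kit", 9: "Keylogger",
    10: "Ransomware", 11: "Remote-Access-Trojan", 13: "Resource-Exploitation",
    14: "Rogue-Security-Software", 15: "Rootkit", 16: "Screen-Capture",
    17: "Spyware", 18: "Trojan", 19: "Virus", 20: "Webshell", 21: "Wiper",
    22: "Worm", 99: "Other",
}
CAPTION_TO_ID = {c.lower(): i for i, c in CLASSIFICATIONS.items()}

# Hypothetical vendor vocabulary -> OCSF caption; an assumption of this example.
VENDOR_ALIASES = {"rat": "Remote-Access-Trojan", "pua": "Adware",
                  "cryptominer": "Resource-Exploitation"}

# Constructed detection-engine output; the field names are this example's own.
SAMPLE_RECORD = {
    "threat_name": "Win32/Agent.RAT.gen",
    "signature_id": "SIG-0001",
    "file_path": "C:\\Users\\Public\\svchost_update.exe",
    "categories": ["RAT", "Trojan", "Cryptominer", "FakeAV-Like"],
}

def normalize_classification(label):
    """Map one vendor label to (classification_id, caption). Unknown labels
    become 99/Other, whose caption the schema leaves to the event source,
    so the vendor's own label is kept as the caption."""
    caption = VENDOR_ALIASES.get(label.lower(), label)
    cid = CAPTION_TO_ID.get(caption.lower())
    return (99, label) if cid is None else (cid, CLASSIFICATIONS[cid])

def build_malware(record, provider):
    """Return an OCSF Malware object as a dict, enforcing the schema constraint."""
    name, uid = record.get("threat_name"), record.get("signature_id")
    if not name and not uid:  # constraint: at least one of name, uid
        raise ValueError("Malware requires at least one of: name, uid")
    ids, captions = [], []
    for label in record.get("categories", []):
        cid, caption = normalize_classification(label)
        if (cid, caption) not in zip(ids, captions):  # parallel lists, no duplicates
            ids.append(cid)
            captions.append(caption)
    malware = {"provider": provider, "classification_ids": ids,
               "classifications": captions}
    for key, src in (("name", "threat_name"), ("uid", "signature_id"),
                     ("path", "file_path")):
        if record.get(src):  # recommended attributes: emit only when present
            malware[key] = record[src]
    return malware
```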
Used By
- dns_activity
- email_activity
- email_file_activity
- email_url_activity
- file_activity
- ftp_activity
- http_activity
- kernel_activity
- kernel_extension
- memory_activity
- module_activity
- network_activity
- process_activity
- rdp_activity
- scheduled_job_activity
- security_finding
- smb_activity
- ssh_activity
- win/registry_key_activity
- win/registry_value_activity
- win/resource_activity