Encyclopedia of Malware Attributes


The EMA MediaWiki is a Semantic MediaWiki-based collection of malware capabilities (high-level abilities of malware instances), behaviors (specific purposes behind particular snippets of malware code), and structural features (non-behavioral features associated with the structuring or packaging of malware instances), and their associated attributes. In addition, the EMA MediaWiki captures specific instances of behaviors as exhibited by one or more malware instances or families. Users of the EMA MediaWiki – consumers and producers of content – include malware analysts, reverse engineers, and researchers; anti-malware tool vendors; and cyber intelligence analysts.

Capabilities
A Capability corresponds to a high-level ability that a malware instance possesses. Examples include anti-detection, command and control, and privilege escalation.

A Capability may have attributes associated with it. For example, the data theft capability can be further specified by the attributes 'targeted application' and 'targeted website'.

Subcapabilities
A Subcapability represents a more granular characterization of a Capability. Not all Capabilities have Subcapabilities.

Behaviors
A Behavior corresponds to the specific purpose behind a particular snippet of code, as executed by a malware instance. Examples include keylogging, detecting a virtual machine, and installing a backdoor.

Behaviors are marked as follows:

  • Behaviors defined in ATT&CK that could be expanded with malware-related content are denoted with an &.
  • Behaviors that might be potential ATT&CK techniques are denoted with a +.
  • Behaviors that are only detected via malware analysis have no marking.

Behavior Instances
A Behavior Instance captures a specific instance of a Behavior, as exhibited by one or more malware instances or families.

Obfuscation Methods
An Obfuscation Method represents a non-behavioral feature associated with how the code in a malware instance is structured or packaged. Examples include code encryption (packing) and code compression.

Attributes
Attributes correspond to features that can be associated with Capabilities, Subcapabilities, Behaviors, and Obfuscation Methods. Each Attribute may define an enumeration of the values it can take.
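The concept hierarchy above (Capability with optional Subcapabilities and Attributes, Behavior with its ATT&CK marking, Behavior Instance tied to a malware instance or family) can be made concrete as a small data model. The following Python is an added illustration written for this page; it is not EMA's own software or schema. The class and function names are this example's own, the ATT&CK markings assigned to the three example behaviors are assumptions made only to exercise the marker parser, and the enumerated values for 'targeted application' and the malware family name are constructed sample data. The model enforces two rules the page states: a Behavior Instance may only carry values for attributes its capability defines, and an enumerated Attribute rejects values outside its enumeration.

```python
"""Toy model of the EMA concept hierarchy: Capability > Subcapability,
Behavior (with ATT&CK marking), Behavior Instance, and Attribute.
Illustrative code added for this page; not EMA's own software."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, FrozenSet, List, Optional, Tuple


class Marking(Enum):
    """The three markers the page uses for Behaviors."""
    ATTACK_DEFINED = "&"    # defined in ATT&CK, expandable with malware content
    ATTACK_CANDIDATE = "+"  # potential ATT&CK technique
    ANALYSIS_ONLY = ""      # only detected via malware analysis, no marker


def parse_behavior_marking(label: str) -> Tuple[str, Marking]:
    """Split a label such as 'Keylogging&' into ('Keylogging', Marking.ATTACK_DEFINED)."""
    label = label.strip()
    for marking in (Marking.ATTACK_DEFINED, Marking.ATTACK_CANDIDATE):
        if label.endswith(marking.value):
            return label[:-1].rstrip(), marking
    return label, Marking.ANALYSIS_ONLY


@dataclass
class Attribute:
    """A named feature; `allowed` is the optional enumeration of permitted values."""
    name: str
    allowed: Optional[FrozenSet[str]] = None

    def check(self, value: str) -> None:
        if self.allowed is not None and value not in self.allowed:
            raise ValueError(f"{value!r} is not an allowed value of {self.name!r}")


@dataclass
class Capability:
    name: str
    attributes: Dict[str, Attribute] = field(default_factory=dict)
    subcapabilities: List[str] = field(default_factory=list)  # may be empty


@dataclass
class Behavior:
    name: str
    marking: Marking
    capability: str  # name of the Capability the Behavior serves


@dataclass
class BehaviorInstance:
    behavior: str
    malware: str  # malware instance or family exhibiting the behavior
    values: Dict[str, str] = field(default_factory=dict)


class Catalog:
    def __init__(self) -> None:
        self.capabilities: Dict[str, Capability] = {}
        self.behaviors: Dict[str, Behavior] = {}
        self.instances: List[BehaviorInstance] = []

    def add_capability(self, cap: Capability) -> None:
        self.capabilities[cap.name] = cap

    def add_behavior(self, label: str, capability: str) -> Behavior:
        if capability not in self.capabilities:
            raise KeyError(f"unknown capability {capability!r}")
        name, marking = parse_behavior_marking(label)
        self.behaviors[name] = Behavior(name, marking, capability)
        return self.behaviors[name]

    def add_instance(self, behavior: str, malware: str, **values: str) -> BehaviorInstance:
        """Record an instance, validating each value against the capability's attributes."""
        beh = self.behaviors[behavior]  # KeyError if the behavior is not defined
        attrs = self.capabilities[beh.capability].attributes
        for key, value in values.items():
            if key not in attrs:
                raise KeyError(f"{key!r} is not an attribute of {beh.capability!r}")
            attrs[key].check(value)
        inst = BehaviorInstance(behavior, malware, dict(values))
        self.instances.append(inst)
        return inst

    def behaviors_marked(self, marking: Marking) -> List[str]:
        return sorted(n for n, b in self.behaviors.items() if b.marking == marking)


def build_sample_catalog() -> Catalog:
    """Populate a catalog with the page's examples; markings and enumerations are constructed."""
    cat = Catalog()
    cat.add_capability(Capability("data theft", attributes={
        "targeted application": Attribute("targeted application",
                                          frozenset({"web browser", "email client"})),
        "targeted website": Attribute("targeted website"),  # free-form, no enumeration
    }))
    cat.add_capability(Capability("anti-detection"))
    cat.add_capability(Capability("command and control"))
    cat.add_behavior("Keylogging&", "data theft")                  # assumed marking
    cat.add_behavior("Detect virtual machine+", "anti-detection")  # assumed marking
    cat.add_behavior("Install backdoor", "command and control")    # assumed marking
    cat.add_instance("Keylogging", "sample-family-A",              # constructed instance
                     **{"targeted application": "web browser"})
    return cat
```

`build_sample_catalog()` returns a populated catalog; `behaviors_marked(Marking.ATTACK_CANDIDATE)` then lists the behaviors tagged with +, and an `add_instance` call with a value outside an attribute's enumeration, or with an attribute the capability does not define, is rejected rather than silently stored.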