Encyclopedia of Malware Attributes
The EMA MediaWiki is a Semantic MediaWiki-based collection of malware capabilities (high-level abilities of malware instances), behaviors (specific purposes behind particular snippets of malware code), and structural features (non-behavioral features associated with the structuring or packaging of malware instances), and their associated attributes. In addition, the EMA MediaWiki captures specific instances of behaviors as exhibited by one or more malware instances or families. Users of the EMA MediaWiki – consumers and producers of content – include malware analysts, reverse engineers, and researchers; anti-malware tool vendors; and cyber intelligence analysts.
![]() |
A Capability corresponds to a high-level ability that a malware instance possesses. Examples include anti-detection, command and control, and privilege escalation.
A Capability may have attributes associated with it. For example, the data theft capability can be further specified by the attributes 'targeted application,' and 'targeted website'. |
![]() |
A Subcapability represents a more granular characterization of a Capability. Not all Capabilities have Subcapabilities. |
![]() |
A Behavior corresponds to the specific purpose behind a particular snippet of code, as executed by a malware instance. Examples include keylogging, detecting a virtual machine, and installing a backdoor.
Behaviors are marked as follows:
|
![]() |
A Behavior Instance captures a specific instance of a Behavior, as exhibited by one or more malware instances or families. |
![]() |
An Obfuscation Method represents a non-behavioral feature associated with how the code in a malware instance is structured or package. Examples include code encryption (packing) and code compression. |
![]() |
Attributes correspond to features that can be associated with Capabilities, Subcapabilities, Behaviors, and Obfuscation Methods. Each Attribute can define enumerable values for the Attribute. |