# Class: MalwareAnalysis

_Malware Analysis captures the metadata and results of a particular analysis performed (static or dynamic) on the malware instance or family._
```mermaid
classDiagram
    class MalwareAnalysis
    click MalwareAnalysis href "../MalwareAnalysis/"
    StixDomainObject <|-- MalwareAnalysis
    click StixDomainObject href "../StixDomainObject/"
    MalwareAnalysis : analysis_definition_version
    MalwareAnalysis : analysis_ended
    MalwareAnalysis : analysis_engine_version
    MalwareAnalysis : analysis_sco_refs
    MalwareAnalysis : analysis_started
    MalwareAnalysis : confidence
    MalwareAnalysis : configuration_version
    MalwareAnalysis : created
    MalwareAnalysis : created_by_ref
    MalwareAnalysis : description
    MalwareAnalysis : extensions
    MalwareAnalysis : external_references
    MalwareAnalysis --> "*" ExternalReference : external_references
    click ExternalReference href "../ExternalReference/"
    MalwareAnalysis : granular_markings
    MalwareAnalysis --> "*" GranularMarking : granular_markings
    click GranularMarking href "../GranularMarking/"
    MalwareAnalysis : host_vm_ref
    MalwareAnalysis : id
    MalwareAnalysis : installed_software_refs
    MalwareAnalysis : labels
    MalwareAnalysis : lang
    MalwareAnalysis : modified
    MalwareAnalysis : modules
    MalwareAnalysis : name
    MalwareAnalysis : object_marking_refs
    MalwareAnalysis : operating_system_ref
    MalwareAnalysis : product
    MalwareAnalysis : result
    MalwareAnalysis : result_name
    MalwareAnalysis : revoked
    MalwareAnalysis : sample_ref
    MalwareAnalysis : spec_version
    MalwareAnalysis --> "1" SpecVersionEnum : spec_version
    click SpecVersionEnum href "../SpecVersionEnum/"
    MalwareAnalysis : submitted
    MalwareAnalysis : type
    MalwareAnalysis : version
```
## Inheritance

- StixEntity
    - CommonSchemaComponent
        - Core
            - StixDomainObject
                - MalwareAnalysis
- StixDomainObject
- Core
- CommonSchemaComponent
## Slots

| Name | Cardinality and Range | Description | Inheritance |
|---|---|---|---|
| product | 1 String | Malware analysis product name | direct |
| version | 0..1 String | Version string | direct |
| configuration_version | 0..1 String | Malware analysis product configuration version | direct |
| modules | * String | Malware analysis module names | direct |
| analysis_engine_version | 0..1 String | Malware analysis engine version | direct |
| analysis_definition_version | 0..1 String | Malware analysis definition version | direct |
| submitted | 0..1 Datetime | Malware sample submission timestamp | direct |
| analysis_started | 0..1 Datetime | Analysis start timestamp | direct |
| analysis_ended | 0..1 Datetime | Analysis end timestamp | direct |
| result_name | 0..1 String | Analysis result name | direct |
| result | 0..1 String or MalwareAvResultOv | Malware analysis result value (malware-av-result-ov) | direct |
| host_vm_ref | 0..1 StixIdentifier | Host VM software reference | direct |
| operating_system_ref | 0..1 StixIdentifier | Operating system software reference | direct |
| installed_software_refs | * StixIdentifier | Installed software references | direct |
| analysis_sco_refs | * StixIdentifier | Referenced SCOs captured in analysis | direct |
| sample_ref | 0..1 StixIdentifier | Analysis subject sample reference | direct |
| type | 1 StixTypeName | STIX object type | Core, StixEntity |
| spec_version | 1 SpecVersionEnum | STIX specification version | Core |
| id | 1 StixIdentifier | STIX object identifier | Core, StixEntity |
| created | 1 Datetime | Creation timestamp | Core |
| modified | 1 Datetime | Modification timestamp | Core |
| created_by_ref | 0..1 StixIdentifier | ID of the object that created this object | Core |
| labels | * String | Terms used to describe this object | Core |
| revoked | 0..1 Boolean | Indicates whether this object has been revoked | Core |
| confidence | 0..1 Integer | Confidence that the producer has in this data | Core |
| lang | 0..1 String | Language of textual properties | Core |
| external_references | * ExternalReference | External references to non-STIX information | Core |
| object_marking_refs | * StixIdentifier | Marking definition references applied to this object | Core |
| granular_markings | * GranularMarking | Granular markings that apply to selected content | Core |
| extensions | * String | Open-ended extension payloads | Core |
| name | 0..1 String | Human-readable name | StixEntity |
| description | 0..1 String | Human-readable description | StixEntity |
## In Subsets

- sdos
## Comments

- jsonschema_rule: anyOf validator_hint: malware-analysis-result-or-analysis-sco-refs jsonschema_source: https://github.com/oasis-open/cti-stix2-json-schemas/tree/master/schemas/sdos/malware-analysis.json
## Notes

- JSON Schema requires either result or analysis_sco_refs.
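The constraints scattered across this page (the `id` and `type` patterns, the required `product`, the anyOf rule that at least one of `result` or `analysis_sco_refs` must be present, the `software--` and `artifact--|file--|network-traffic--` reference prefixes, the millisecond-precision timestamp pattern, the 0..100 `confidence` range and the `minItems: 1` comments) can be checked before an object is accepted into a threat-intelligence store. The validator below is an added example written for this page; it is not code from the lmodel/attack schema project or from the OASIS JSON schemas, and it only encodes the rules stated here. The two sample objects are constructed: the UUIDs are made up, `spec_version` is assumed to be the STIX 2.1 value `"2.1"` (the page names `SpecVersionEnum` but does not list its values), and `"malicious"` is used as a representative `result` string since the slot accepts any string.

```python
"""Check a malware-analysis object against the constraints this class page lists.

Added example for this page; not code from the lmodel/attack schema or from
OASIS. Every rule below is taken from the slot table, slot_usage patterns and
the anyOf note on the page; nothing else is enforced.
"""
import re

ID_PATTERN = re.compile(
    r"^malware-analysis--[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[1-5][0-9a-fA-F]{3}"
    r"-[89abAB][0-9a-fA-F]{3}-[0-9a-fA-F]{12}$"
)
TYPE_PATTERN = re.compile(r"^malware-analysis$")
# STIX core timestamps require millisecond precision (pattern from the page)
TIMESTAMP_PATTERN = re.compile(r"T\d{2}:\d{2}:\d{2}\.\d{3,}Z$")
SAMPLE_REF_PATTERN = re.compile(r"^(artifact--|file--|network-traffic--)")
SOFTWARE_REF_PATTERN = re.compile(r"^software--")

REQUIRED = ("type", "spec_version", "id", "created", "modified", "product")
SOFTWARE_REF_SLOTS = ("host_vm_ref", "operating_system_ref")
# list-valued slots whose JSON Schema carries minItems: "1"
MIN_ITEMS_SLOTS = ("modules", "installed_software_refs", "analysis_sco_refs",
                   "labels", "external_references", "object_marking_refs",
                   "granular_markings")


def validate_malware_analysis(obj: dict) -> list[str]:
    """Return every rule violation found; an empty list means the object passes."""
    errors = []
    for key in REQUIRED:
        if key not in obj:
            errors.append(f"missing required property {key}")
    if "type" in obj and not TYPE_PATTERN.match(str(obj["type"])):
        errors.append(f"type must be malware-analysis, got {obj['type']!r}")
    if "id" in obj and not ID_PATTERN.match(str(obj["id"])):
        errors.append("id does not match the malware-analysis--<uuid> pattern")
    for key in ("created", "modified"):
        if key in obj and not TIMESTAMP_PATTERN.search(str(obj[key])):
            errors.append(f"{key} lacks millisecond precision or the Z suffix")
    if "product" in obj and not isinstance(obj["product"], str):
        errors.append("product must be a string")
    # anyOf rule from the Notes section: result or analysis_sco_refs
    if "result" not in obj and "analysis_sco_refs" not in obj:
        errors.append("either result or analysis_sco_refs is required")
    for key in MIN_ITEMS_SLOTS:
        if key in obj:
            if not isinstance(obj[key], list):
                errors.append(f"{key} must be a list")
            elif len(obj[key]) < 1:
                errors.append(f"{key} must contain at least one item")
    for key in SOFTWARE_REF_SLOTS:
        if key in obj and not SOFTWARE_REF_PATTERN.match(str(obj[key])):
            errors.append(f"{key} must reference a software-- object")
    refs = obj.get("installed_software_refs")
    if isinstance(refs, list):
        for ref in refs:
            if not SOFTWARE_REF_PATTERN.match(str(ref)):
                errors.append(f"installed_software_refs item {ref!r} must be a software-- id")
    if "sample_ref" in obj and not SAMPLE_REF_PATTERN.match(str(obj["sample_ref"])):
        errors.append("sample_ref must reference an artifact--, file-- or network-traffic-- object")
    if "confidence" in obj:
        c = obj["confidence"]
        if isinstance(c, bool) or not isinstance(c, int) or not 0 <= c <= 100:
            errors.append("confidence must be an integer in 0..100")
    if "revoked" in obj and not isinstance(obj["revoked"], bool):
        errors.append("revoked must be a boolean")
    return errors


# Constructed sample: every identifier and timestamp below is made up.
VALID_ANALYSIS = {
    "type": "malware-analysis",
    "spec_version": "2.1",  # assumed STIX 2.1 value; the page does not list the enum
    "id": "malware-analysis--d25167b7-fed0-4de7-a9c5-6b4b0a3ff19a",
    "created": "2024-03-01T10:15:30.000Z",
    "modified": "2024-03-01T10:15:30.000Z",
    "product": "example-sandbox",
    "version": "5.2.1",
    "modules": ["static", "dynamic"],
    "analysis_started": "2024-03-01T10:16:00.000Z",
    "analysis_ended": "2024-03-01T10:21:42.000Z",
    "result": "malicious",
    "host_vm_ref": "software--4a2b9c6e-1f3d-4e5a-9b7c-0d1e2f3a4b5c",
    "operating_system_ref": "software--7c1d2e3f-4a5b-4c6d-8e9f-0a1b2c3d4e5f",
    "installed_software_refs": ["software--1b2c3d4e-5f6a-4b7c-9d8e-f0a1b2c3d4e5"],
    "sample_ref": "file--9e8d7c6b-5a4f-4e3d-8c2b-1a0f9e8d7c6b",
    "confidence": 85,
}

# Constructed sample that breaks five of the page's rules.
INVALID_ANALYSIS = {
    "type": "malware-analysis",
    "spec_version": "2.1",
    "id": "malware-analysis--d25167b7-fed0-4de7-a9c5-6b4b0a3ff19a",
    "created": "2024-03-01T10:15:30Z",       # no millisecond precision
    "modified": "2024-03-01T10:15:30.000Z",
    "product": "example-sandbox",             # neither result nor analysis_sco_refs
    "installed_software_refs": [],            # minItems 1
    "sample_ref": "malware--9e8d7c6b-5a4f-4e3d-8c2b-1a0f9e8d7c6b",  # wrong prefix
    "confidence": 120,                        # outside 0..100
}

if __name__ == "__main__":
    for label, obj in (("valid", VALID_ANALYSIS), ("invalid", INVALID_ANALYSIS)):
        problems = validate_malware_analysis(obj)
        print(f"{label}: {'ok' if not problems else problems}")
```

Running the block reports no problems for the first object and five for the second. The check is deliberately independent of a JSON Schema library so it can sit in an ingestion pipeline that already parses STIX bundles; where the full OASIS schema is available, it should run in addition to, not instead of, this page-level check, since the page does not enumerate `SpecVersionEnum` or the open vocabulary for `result`.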
## Identifier and Mapping Information

### Schema Source

- from schema: https://w3id.org/lmodel/attack

### Mappings

| Mapping Type | Mapped Value |
|---|---|
| self | attack:MalwareAnalysis |
| native | attack:MalwareAnalysis |
## LinkML Source

### Direct

```yaml
name: MalwareAnalysis
description: 'Malware Analysis captures the metadata and results of a particular analysis
  performed (static or dynamic) on the malware instance or family. '
notes:
- JSON Schema requires either result or analysis_sco_refs.
comments:
- 'jsonschema_rule: anyOf validator_hint: malware-analysis-result-or-analysis-sco-refs
  jsonschema_source: https://github.com/oasis-open/cti-stix2-json-schemas/tree/master/schemas/sdos/malware-analysis.json'
in_subset:
- sdos
from_schema: https://w3id.org/lmodel/attack
is_a: StixDomainObject
slots:
- product
- version
- configuration_version
- modules
- analysis_engine_version
- analysis_definition_version
- submitted
- analysis_started
- analysis_ended
- result_name
- result
- host_vm_ref
- operating_system_ref
- installed_software_refs
- analysis_sco_refs
- sample_ref
slot_usage:
  id:
    name: id
    pattern: ^malware-analysis--[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[1-5][0-9a-fA-F]{3}-[89abAB][0-9a-fA-F]{3}-[0-9a-fA-F]{12}$
  type:
    name: type
    pattern: ^malware-analysis$
  product:
    name: product
    required: true
  modules:
    name: modules
    comments:
    - 'jsonschema_minItems: "1"'
  installed_software_refs:
    name: installed_software_refs
    comments:
    - 'jsonschema_minItems: "1"'
    pattern: ^software--
  analysis_sco_refs:
    name: analysis_sco_refs
    comments:
    - 'jsonschema_minItems: "1"'
  host_vm_ref:
    name: host_vm_ref
    pattern: ^software--
  operating_system_ref:
    name: operating_system_ref
    pattern: ^software--
  sample_ref:
    name: sample_ref
    pattern: ^(artifact--|file--|network-traffic--)
```
### Induced

```yaml
name: MalwareAnalysis
description: 'Malware Analysis captures the metadata and results of a particular analysis
  performed (static or dynamic) on the malware instance or family. '
notes:
- JSON Schema requires either result or analysis_sco_refs.
comments:
- 'jsonschema_rule: anyOf validator_hint: malware-analysis-result-or-analysis-sco-refs
  jsonschema_source: https://github.com/oasis-open/cti-stix2-json-schemas/tree/master/schemas/sdos/malware-analysis.json'
in_subset:
- sdos
from_schema: https://w3id.org/lmodel/attack
is_a: StixDomainObject
slot_usage:
  id:
    name: id
    pattern: ^malware-analysis--[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[1-5][0-9a-fA-F]{3}-[89abAB][0-9a-fA-F]{3}-[0-9a-fA-F]{12}$
  type:
    name: type
    pattern: ^malware-analysis$
  product:
    name: product
    required: true
  modules:
    name: modules
    comments:
    - 'jsonschema_minItems: "1"'
  installed_software_refs:
    name: installed_software_refs
    comments:
    - 'jsonschema_minItems: "1"'
    pattern: ^software--
  analysis_sco_refs:
    name: analysis_sco_refs
    comments:
    - 'jsonschema_minItems: "1"'
  host_vm_ref:
    name: host_vm_ref
    pattern: ^software--
  operating_system_ref:
    name: operating_system_ref
    pattern: ^software--
  sample_ref:
    name: sample_ref
    pattern: ^(artifact--|file--|network-traffic--)
attributes:
  product:
    name: product
    description: Malware analysis product name.
    from_schema: https://w3id.org/lmodel/attack
    rank: 1000
    alias: product
    owner: MalwareAnalysis
    domain_of:
    - MalwareAnalysis
    range: string
    required: true
  version:
    name: version
    description: Version string.
    from_schema: https://w3id.org/lmodel/attack
    rank: 1000
    alias: version
    owner: MalwareAnalysis
    domain_of:
    - ExtensionDefinition
    - Software
    - PdfExt
    - X509Certificate
    - MalwareAnalysis
    range: string
  configuration_version:
    name: configuration_version
    description: Malware analysis product configuration version.
    from_schema: https://w3id.org/lmodel/attack
    rank: 1000
    alias: configuration_version
    owner: MalwareAnalysis
    domain_of:
    - MalwareAnalysis
    range: string
  modules:
    name: modules
    description: Malware analysis module names.
    comments:
    - 'jsonschema_minItems: "1"'
    from_schema: https://w3id.org/lmodel/attack
    rank: 1000
    alias: modules
    owner: MalwareAnalysis
    domain_of:
    - MalwareAnalysis
    range: string
    multivalued: true
  analysis_engine_version:
    name: analysis_engine_version
    description: Malware analysis engine version.
    from_schema: https://w3id.org/lmodel/attack
    rank: 1000
    alias: analysis_engine_version
    owner: MalwareAnalysis
    domain_of:
    - MalwareAnalysis
    range: string
  analysis_definition_version:
    name: analysis_definition_version
    description: Malware analysis definition version.
    from_schema: https://w3id.org/lmodel/attack
    rank: 1000
    alias: analysis_definition_version
    owner: MalwareAnalysis
    domain_of:
    - MalwareAnalysis
    range: string
  submitted:
    name: submitted
    description: Malware sample submission timestamp.
    from_schema: https://w3id.org/lmodel/attack
    rank: 1000
    alias: submitted
    owner: MalwareAnalysis
    domain_of:
    - MalwareAnalysis
    range: datetime
  analysis_started:
    name: analysis_started
    description: Analysis start timestamp.
    from_schema: https://w3id.org/lmodel/attack
    rank: 1000
    alias: analysis_started
    owner: MalwareAnalysis
    domain_of:
    - MalwareAnalysis
    range: datetime
  analysis_ended:
    name: analysis_ended
    description: Analysis end timestamp.
    from_schema: https://w3id.org/lmodel/attack
    rank: 1000
    alias: analysis_ended
    owner: MalwareAnalysis
    domain_of:
    - MalwareAnalysis
    range: datetime
  result_name:
    name: result_name
    description: Analysis result name.
    from_schema: https://w3id.org/lmodel/attack
    rank: 1000
    alias: result_name
    owner: MalwareAnalysis
    domain_of:
    - MalwareAnalysis
    range: string
  result:
    name: result
    description: Malware analysis result value (malware-av-result-ov).
    comments:
    - 'open_vocabulary: MalwareAvResultOv'
    from_schema: https://w3id.org/lmodel/attack
    rank: 1000
    alias: result
    owner: MalwareAnalysis
    domain_of:
    - MalwareAnalysis
    range: string
    any_of:
    - range: MalwareAvResultOv
    - range: string
  host_vm_ref:
    name: host_vm_ref
    description: Host VM software reference.
    from_schema: https://w3id.org/lmodel/attack
    rank: 1000
    alias: host_vm_ref
    owner: MalwareAnalysis
    domain_of:
    - MalwareAnalysis
    range: stix_identifier
    pattern: ^software--
  operating_system_ref:
    name: operating_system_ref
    description: Operating system software reference.
    from_schema: https://w3id.org/lmodel/attack
    rank: 1000
    alias: operating_system_ref
    owner: MalwareAnalysis
    domain_of:
    - MalwareAnalysis
    range: stix_identifier
    pattern: ^software--
  installed_software_refs:
    name: installed_software_refs
    description: Installed software references.
    comments:
    - 'jsonschema_minItems: "1"'
    from_schema: https://w3id.org/lmodel/attack
    rank: 1000
    alias: installed_software_refs
    owner: MalwareAnalysis
    domain_of:
    - MalwareAnalysis
    range: stix_identifier
    multivalued: true
    pattern: ^software--
  analysis_sco_refs:
    name: analysis_sco_refs
    description: Referenced SCOs captured in analysis.
    comments:
    - 'jsonschema_minItems: "1"'
    from_schema: https://w3id.org/lmodel/attack
    rank: 1000
    alias: analysis_sco_refs
    owner: MalwareAnalysis
    domain_of:
    - MalwareAnalysis
    range: stix_identifier
    multivalued: true
  sample_ref:
    name: sample_ref
    description: Analysis subject sample reference.
    from_schema: https://w3id.org/lmodel/attack
    rank: 1000
    alias: sample_ref
    owner: MalwareAnalysis
    domain_of:
    - MalwareAnalysis
    range: stix_identifier
    pattern: ^(artifact--|file--|network-traffic--)
  type:
    name: type
    description: STIX object type.
    from_schema: https://w3id.org/lmodel/attack
    related_mappings:
    - unified_cyber_ontology:state
    rank: 1000
    alias: type
    owner: MalwareAnalysis
    domain_of:
    - StixEntity
    - Bundle
    - Core
    - CyberObservableCore
    - ExtensionDefinition
    - LanguageContent
    - MarkingDefinition
    - File
    range: stix_type_name
    required: true
    pattern: ^malware-analysis$
  spec_version:
    name: spec_version
    description: STIX specification version.
    from_schema: https://w3id.org/lmodel/attack
    close_mappings:
    - unified_cyber_ontology:specVersion
    rank: 1000
    alias: spec_version
    owner: MalwareAnalysis
    domain_of:
    - Core
    - CyberObservableCore
    - MarkingDefinition
    range: SpecVersionEnum
    required: true
  id:
    name: id
    description: STIX object identifier.
    from_schema: https://w3id.org/lmodel/attack
    related_mappings:
    - unified_cyber_ontology:externalReference
    rank: 1000
    alias: id
    owner: MalwareAnalysis
    domain_of:
    - StixEntity
    - Bundle
    - Core
    - CyberObservableCore
    - ExtensionDefinition
    - LanguageContent
    - MarkingDefinition
    - File
    range: stix_identifier
    required: true
    pattern: ^malware-analysis--[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[1-5][0-9a-fA-F]{3}-[89abAB][0-9a-fA-F]{3}-[0-9a-fA-F]{12}$
  created:
    name: created
    description: Creation timestamp.
    notes:
    - STIX core timestamps require millisecond precision.
    from_schema: https://w3id.org/lmodel/attack
    close_mappings:
    - unified_cyber_ontology:objectCreatedTime
    rank: 1000
    alias: created
    owner: MalwareAnalysis
    domain_of:
    - Core
    - MarkingDefinition
    range: datetime
    required: true
    pattern: T\d{2}:\d{2}:\d{2}\.\d{3,}Z$
  modified:
    name: modified
    description: Modification timestamp.
    notes:
    - STIX core timestamps require millisecond precision.
    from_schema: https://w3id.org/lmodel/attack
    close_mappings:
    - unified_cyber_ontology:modifiedTime
    rank: 1000
    alias: modified
    owner: MalwareAnalysis
    domain_of:
    - Core
    range: datetime
    required: true
    pattern: T\d{2}:\d{2}:\d{2}\.\d{3,}Z$
  created_by_ref:
    name: created_by_ref
    description: ID of the object that created this object.
    from_schema: https://w3id.org/lmodel/attack
    close_mappings:
    - unified_cyber_ontology:createdBy
    rank: 1000
    alias: created_by_ref
    owner: MalwareAnalysis
    domain_of:
    - Core
    - MarkingDefinition
    range: stix_identifier
  labels:
    name: labels
    description: Terms used to describe this object.
    comments:
    - 'jsonschema_minItems: "1"'
    from_schema: https://w3id.org/lmodel/attack
    close_mappings:
    - unified_cyber_ontology:tag
    rank: 1000
    alias: labels
    owner: MalwareAnalysis
    domain_of:
    - Core
    range: string
    multivalued: true
  revoked:
    name: revoked
    description: Indicates whether this object has been revoked.
    from_schema: https://w3id.org/lmodel/attack
    rank: 1000
    alias: revoked
    owner: MalwareAnalysis
    domain_of:
    - Core
    range: boolean
  confidence:
    name: confidence
    description: Confidence that the producer has in this data.
    from_schema: https://w3id.org/lmodel/attack
    rank: 1000
    alias: confidence
    owner: MalwareAnalysis
    domain_of:
    - Core
    range: integer
    minimum_value: 0
    maximum_value: 100
  lang:
    name: lang
    description: Language of textual properties.
    from_schema: https://w3id.org/lmodel/attack
    rank: 1000
    alias: lang
    owner: MalwareAnalysis
    domain_of:
    - Core
    - GranularMarking
    range: string
  external_references:
    name: external_references
    description: External references to non-STIX information.
    comments:
    - 'jsonschema_minItems: "1"'
    from_schema: https://w3id.org/lmodel/attack
    close_mappings:
    - unified_cyber_ontology:externalReference
    rank: 1000
    alias: external_references
    owner: MalwareAnalysis
    domain_of:
    - Core
    - MarkingDefinition
    range: ExternalReference
    multivalued: true
  object_marking_refs:
    name: object_marking_refs
    description: Marking definition references applied to this object.
    comments:
    - 'jsonschema_minItems: "1"'
    from_schema: https://w3id.org/lmodel/attack
    close_mappings:
    - unified_cyber_ontology:objectMarking
    rank: 1000
    alias: object_marking_refs
    owner: MalwareAnalysis
    domain_of:
    - Core
    - CyberObservableCore
    - MarkingDefinition
    range: stix_identifier
    multivalued: true
  granular_markings:
    name: granular_markings
    description: Granular markings that apply to selected content.
    comments:
    - 'jsonschema_minItems: "1"'
    from_schema: https://w3id.org/lmodel/attack
    narrow_mappings:
    - unified_cyber_ontology:objectMarking
    rank: 1000
    alias: granular_markings
    owner: MalwareAnalysis
    domain_of:
    - Core
    - CyberObservableCore
    - MarkingDefinition
    range: GranularMarking
    multivalued: true
  extensions:
    name: extensions
    description: Open-ended extension payloads.
    notes:
    - JSON Schema uses patternProperties for extension keys; exact key validation
      is delegated to validator tooling.
    comments:
    - 'jsonschema_rule: patternProperties validator_hint: validate-extension-keys-and-values'
    from_schema: https://w3id.org/lmodel/attack
    related_mappings:
    - unified_cyber_ontology:hasFacet
    rank: 1000
    alias: extensions
    owner: MalwareAnalysis
    domain_of:
    - Core
    - CyberObservableCore
    - MarkingDefinition
    - File
    range: string
    multivalued: true
  name:
    name: name
    description: Human-readable name.
    from_schema: https://w3id.org/lmodel/attack
    exact_mappings:
    - unified_cyber_ontology:name
    rank: 1000
    alias: name
    owner: MalwareAnalysis
    domain_of:
    - RelatedAsset
    - StixEntity
    - ExtensionDefinition
    - MarkingDefinition
    - AutonomousSystem
    - File
    range: string
  description:
    name: description
    description: Human-readable description.
    from_schema: https://w3id.org/lmodel/attack
    close_mappings:
    - unified_cyber_ontology:description
    rank: 1000
    alias: description
    owner: MalwareAnalysis
    domain_of:
    - RelatedAsset
    - MutableElement
    - StixEntity
    - ExtensionDefinition
    - ExternalReference
    range: string
```