The following is a description of the elements, types, and attributes that compose the Malware Attribute Enumeration and Characterization (MAEC) package schema.
The MAEC Package Schema is maintained by The Mitre Corporation. For more information, including how to get involved in the project, please visit the MAEC website at http://maec.mitre.org.
The imported MMDEF v1.2 schema is copyright 2013 IEEE-SA.
<xs:element name="Malware_Subjects" type="maecPackage:MalwareSubjectListType"><xs:annotation><xs:documentation>The Malware_Subjects field captures each of the Malware Subjects contained in the Package.</xs:documentation></xs:annotation></xs:element>
The Malware_Subject field represents a single Malware Subject (most commonly a file) and its associated metadata, such as Analyses, Bundles, relationships to other Malware Subjects, etc.
The required id field specifies a unique ID for this Malware Subject.
Source
<xs:element maxOccurs="unbounded" name="Malware_Subject" type="maecPackage:MalwareSubjectType"><xs:annotation><xs:documentation>The Malware_Subject field represents a single Malware Subject (most commonly a file) and its associated metadata, such as Analyses, Bundles, relationships to other Malware Subjects, etc.</xs:documentation></xs:annotation></xs:element>
The Malware_Instance_Object_Attributes field characterizes the attributes of the malware instance object (most commonly a file) that is encompassed in the Malware_Subject, via its corresponding CybOX Object. For example, a file would be represented via a CybOX File field of type FileObj:FileObjectType and may have a file name, MD5 hash, etc.
The has_changed field is optional and conveys a targeted observation pattern of whether the associated object specified has changed in some way without requiring further specific detail. This field would be leveraged within a pattern observable triggering on whether the value of an object specification has changed at all. This field is NOT intended to be used for versioning of CybOX content.
The idref field specifies a unique id reference to an Object defined elsewhere.
When idref is specified, the id attribute must not be specified, and any instance of this Object should not hold content unless an extension of the Object allows it.
Source
<xs:element maxOccurs="1" name="Malware_Instance_Object_Attributes" type="cybox:ObjectType"><xs:annotation><xs:documentation>The Malware_Instance_Object_Attributes field characterizes the attributes of the malware instance object (most commonly a file) that is encompassed in the Malware_Subject, via its corresponding CybOX Object. For example, a file would be represented via a CybOX File field of type FileObj:FileObjectType and may have a file name, MD5 hash, etc.</xs:documentation></xs:annotation></xs:element>
The Label field specifies a single commonly accepted label to describe the Malware Subject, e.g. "worm". The default vocabulary for this field is the MalwareLabelVocab-1.0 from the MAEC Default Vocabularies schema. More than one label may be specified through the use of multiple instances of this field.
This field indicates how a condition should be applied when the field body contains a list of values. (Its value is moot if the field value contains only a single value - both possible values for this field would have the same behavior.) If this field is set to ANY, then a pattern is considered to be matched if the provided condition successfully evaluates for any of the values in the field body. If the field is set to ALL, then the pattern only matches if the provided condition successfully evaluates for every value in the field body.
Used to specify a bit_mask in conjunction with one of the defined binary conditions (bitwiseAnd, bitwiseOr, and bitwiseXor). This bitmask is then used as one operand in the indicated bitwise computation.
This field is optional and conveys a targeted observation pattern of whether the associated field value has changed. This field would be leveraged within a pattern observable triggering on whether the value of a single field value has changed.
The is_case_sensitive field is optional and should be used when specifying the case-sensitivity of a pattern which uses an Equals, DoesNotEqual, Contains, DoesNotContain, StartsWith, EndsWith, or FitsPattern condition. The default value for this field is "true" which indicates that pattern evaluations are to be considered case-sensitive.
This field is optional and defines the type of pattern used if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
This field is optional and defines the syntax format used for a regular expression, if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
Setting this attribute with an empty value (e.g., "") or omitting it entirely notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities, character classes, escapes, and other lexical tokens defined by the CybOX Language Specification.
Setting this attribute with a non-empty value notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities not defined by the CybOX Language Specification. The regular expression must be evaluated through a compatible regular expression engine in this case.
This field is optional and conveys a targeted observation pattern of the nature of any trend in the associated field value. This field would be leveraged within a pattern observable triggering on the matching of a specified trend in the value of a single specified field.
The vocab_reference field specifies the URI to the location of where the controlled vocabulary is defined, e.g., in an externally located XML schema file.
Source
<xs:element maxOccurs="unbounded" minOccurs="0" name="Label" type="cyboxCommon:ControlledVocabularyStringType"><xs:annotation><xs:documentation>The Label field specifies a single commonly accepted label to describe the Malware Subject, e.g. "worm". The default vocabulary for this field is the MalwareLabelVocab-1.0 from the MAEC Default Vocabularies schema. More than one label may be specified through the use of multiple instances of this field.</xs:documentation></xs:annotation></xs:element>
<xs:element minOccurs="0" name="Configuration_Details" type="maecPackage:MalwareConfigurationDetailsType"><xs:annotation><xs:documentation>The Configuration_Details field captures details of the configuration specified for the Malware Subject, such as configuration parameters.</xs:documentation></xs:annotation></xs:element>
<xs:element minOccurs="0" name="Storage" type="maecPackage:MalwareConfigurationStorageDetailsType"><xs:annotation><xs:documentation>The Storage field captures details of how the malware configuration parameters may be stored, e.g. in a separate file, in memory, etc.</xs:documentation></xs:annotation></xs:element>
The Malware_Binary field captures properties related to the storage of malware configuration parameters inside the malware binary captured in the Malware_Instance_Object_Attributes field.
<xs:element minOccurs="0" name="Malware_Binary" type="maecPackage:MalwareBinaryConfigurationStorageDetailsType"><xs:annotation><xs:documentation>The Malware_Binary field captures properties related to the storage of malware configuration parameters inside the malware binary captured in the Malware_Instance_Object_Attributes field.</xs:documentation></xs:annotation></xs:element>
The File_Offset field specifies the offset to the start of the malware configuration parameters in the malware binary.
Type: xs:hexBinary
Source
<xs:element minOccurs="0" name="File_Offset" type="xs:hexBinary"><xs:annotation><xs:documentation>The File_Offset field specifies the offset to the start of the malware configuration parameters in the malware binary.</xs:documentation></xs:annotation></xs:element>
The Section_Name field specifies the name of the PE section in the malware binary that contains the malware configuration parameters, for PE file malware binaries.
Type: xs:string
Source
<xs:element minOccurs="0" name="Section_Name" type="xs:string"><xs:annotation><xs:documentation>The Section_Name field specifies the name of the PE section in the malware binary that contains the malware configuration parameters, for PE file malware binaries.</xs:documentation></xs:annotation></xs:element>
The Section_Offset field specifies the offset in the PE section in the malware binary that contains the malware configuration parameters to the start of the parameters themselves, for PE file malware binaries.
Type: xs:hexBinary
Source
<xs:element minOccurs="0" name="Section_Offset" type="xs:hexBinary"><xs:annotation><xs:documentation>The Section_Offset field specifies the offset in the PE section in the malware binary that contains the malware configuration parameters to the start of the parameters themselves, for PE file malware binaries.</xs:documentation></xs:annotation></xs:element>
The File field captures the properties of a configuration file, for cases where the Malware Subject stores its configuration parameters in a separate file.
This field uses the FileObjectType from the imported CybOX File Object.
The is_masqueraded field specifies whether the file is masqueraded as another type of file; e.g., a PDF file that has had its extension changed to TXT to masquerade itself as a text file.
The object_reference field specifies a unique ID reference to an Object defined elsewhere. This construct allows for the re-use of the defined Properties of one Object within another, without the need to embed the full Object in the location from which it is being referenced. Thus, this ID reference is intended to resolve to the Properties of the Object that it points to.
Source
<xs:element minOccurs="0" name="File" type="FileObj:FileObjectType"><xs:annotation><xs:documentation>The File field captures the properties of a configuration file, for cases where the Malware Subject stores its configuration parameters in a separate file.</xs:documentation><xs:documentation>This field uses the FileObjectType from the imported CybOX File Object.</xs:documentation></xs:annotation></xs:element>
The URL field captures a URL at which the configuration parameters for the Malware Subject may be stored. More than one such URL may be specified by using multiple occurrences of this field.
This field uses the URIObjectType from the imported CybOX URI Object.
The object_reference field specifies a unique ID reference to an Object defined elsewhere. This construct allows for the re-use of the defined Properties of one Object within another, without the need to embed the full Object in the location from which it is being referenced. Thus, this ID reference is intended to resolve to the Properties of the Object that it points to.
The type field specifies the type of URI that is being defined.
Source
<xs:element maxOccurs="unbounded" minOccurs="0" name="URL" type="URIObj:URIObjectType"><xs:annotation><xs:documentation>The URL field captures a URL at which the configuration parameters for the Malware Subject may be stored. More than one such URL may be specified by using multiple occurrences of this field.</xs:documentation><xs:documentation>This field uses the URIObjectType from the imported CybOX URI Object.</xs:documentation></xs:annotation></xs:element>
The is_encrypted field specifies whether the malware configuration parameters are encrypted with the algorithm captured in the Algorithm_Details field.
Source
<xs:element minOccurs="0" name="Obfuscation" type="maecPackage:MalwareConfigurationObfuscationDetailsType"><xs:annotation><xs:documentation>The Obfuscation field captures details of how the malware configuration parameters may be obfuscated, if applicable.</xs:documentation></xs:annotation></xs:element>
The Algorithm_Details field captures the details of the algorithm used to encode or encrypt the malware configuration parameters, including the name of the algorithm and its key. More than one encryption or encoding algorithm may be specified by using multiple occurrences of this field.
The ordinal_position field specifies the explicit ordering of the usage of the algorithm with respect to the other algorithms used to encrypt or encode the malware configuration parameters, for cases where more than one algorithm was used.
Source
<xs:element maxOccurs="unbounded" minOccurs="0" name="Algorithm_Details" type="maecPackage:MalwareConfigurationObfuscationAlgorithmType"><xs:annotation><xs:documentation>The Algorithm_Details field captures the details of the algorithm used to encode or encrypt the malware configuration parameters, including the name of the algorithm and its key. More than one encryption or encoding algorithm may be specified by using multiple occurrences of this field.</xs:documentation></xs:annotation></xs:element>
The Key field captures the hexadecimal key used to decrypt the configuration parameters.
Type: xs:hexBinary
Source
<xs:element minOccurs="0" name="Key" type="xs:hexBinary"><xs:annotation><xs:documentation>The Key field captures the hexadecimal key used to decrypt the configuration parameters.</xs:documentation></xs:annotation></xs:element>
This field indicates how a condition should be applied when the field body contains a list of values. (Its value is moot if the field value contains only a single value - both possible values for this field would have the same behavior.) If this field is set to ANY, then a pattern is considered to be matched if the provided condition successfully evaluates for any of the values in the field body. If the field is set to ALL, then the pattern only matches if the provided condition successfully evaluates for every value in the field body.
Used to specify a bit_mask in conjunction with one of the defined binary conditions (bitwiseAnd, bitwiseOr, and bitwiseXor). This bitmask is then used as one operand in the indicated bitwise computation.
This field is optional and conveys a targeted observation pattern of whether the associated field value has changed. This field would be leveraged within a pattern observable triggering on whether the value of a single field value has changed.
The is_case_sensitive field is optional and should be used when specifying the case-sensitivity of a pattern which uses an Equals, DoesNotEqual, Contains, DoesNotContain, StartsWith, EndsWith, or FitsPattern condition. The default value for this field is "true" which indicates that pattern evaluations are to be considered case-sensitive.
This field is optional and defines the type of pattern used if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
This field is optional and defines the syntax format used for a regular expression, if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
Setting this attribute with an empty value (e.g., "") or omitting it entirely notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities, character classes, escapes, and other lexical tokens defined by the CybOX Language Specification.
Setting this attribute with a non-empty value notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities not defined by the CybOX Language Specification. The regular expression must be evaluated through a compatible regular expression engine in this case.
This field is optional and conveys a targeted observation pattern of the nature of any trend in the associated field value. This field would be leveraged within a pattern observable triggering on the matching of a specified trend in the value of a single specified field.
The vocab_reference field specifies the URI to the location of where the controlled vocabulary is defined, e.g., in an externally located XML schema file.
Source
<xs:element maxOccurs="1" minOccurs="0" name="Algorithm_Name" type="cyboxCommon:ControlledVocabularyStringType"><xs:annotation><xs:documentation>The Algorithm_Name field captures the name of the encoding or encryption algorithm used to obfuscate the malware configuration parameters.</xs:documentation></xs:annotation></xs:element>
The Configuration_Parameter field captures a single configuration parameter that may be defined for the Malware Subject. More than one configuration parameter may be specified by using multiple occurrences of this field.
<xs:element maxOccurs="unbounded" minOccurs="0" name="Configuration_Parameter" type="maecPackage:MalwareConfigurationParameterType"><xs:annotation><xs:documentation>The Configuration_Parameter field captures a single configuration parameter that may be defined for the Malware Subject. More than one configuration parameter may be specified by using multiple occurrences of this field.</xs:documentation></xs:annotation></xs:element>
The Name field specifies the name of the malware configuration parameter. It uses the MalwareConfigurationParameterVocab vocabulary from the MAEC Default Vocabularies schemas as its default vocabulary. Parameters that are not included in this vocabulary may also be specified, in which case it is recommended to use the exact name of the parameter.
This field indicates how a condition should be applied when the field body contains a list of values. (Its value is moot if the field value contains only a single value - both possible values for this field would have the same behavior.) If this field is set to ANY, then a pattern is considered to be matched if the provided condition successfully evaluates for any of the values in the field body. If the field is set to ALL, then the pattern only matches if the provided condition successfully evaluates for every value in the field body.
Used to specify a bit_mask in conjunction with one of the defined binary conditions (bitwiseAnd, bitwiseOr, and bitwiseXor). This bitmask is then used as one operand in the indicated bitwise computation.
This field is optional and conveys a targeted observation pattern of whether the associated field value has changed. This field would be leveraged within a pattern observable triggering on whether the value of a single field value has changed.
The is_case_sensitive field is optional and should be used when specifying the case-sensitivity of a pattern which uses an Equals, DoesNotEqual, Contains, DoesNotContain, StartsWith, EndsWith, or FitsPattern condition. The default value for this field is "true" which indicates that pattern evaluations are to be considered case-sensitive.
This field is optional and defines the type of pattern used if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
This field is optional and defines the syntax format used for a regular expression, if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
Setting this attribute with an empty value (e.g., "") or omitting it entirely notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities, character classes, escapes, and other lexical tokens defined by the CybOX Language Specification.
Setting this attribute with a non-empty value notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities not defined by the CybOX Language Specification. The regular expression must be evaluated through a compatible regular expression engine in this case.
This field is optional and conveys a targeted observation pattern of the nature of any trend in the associated field value. This field would be leveraged within a pattern observable triggering on the matching of a specified trend in the value of a single specified field.
The vocab_reference field specifies the URI to the location of where the controlled vocabulary is defined, e.g., in an externally located XML schema file.
Source
<xs:element minOccurs="0" name="Name" type="cyboxCommon:ControlledVocabularyStringType"><xs:annotation><xs:documentation>The Name field specifies the name of the malware configuration parameter. It uses the MalwareConfigurationParameterVocab vocabulary from the MAEC Default Vocabularies schemas as its default vocabulary. Parameters that are not included in this vocabulary may also be specified, in which case it is recommended to use the exact name of the parameter.</xs:documentation></xs:annotation></xs:element>
The Value field captures the value of the malware configuration parameter.
Type: xs:string
Source
<xs:element minOccurs="0" name="Value" type="xs:string"><xs:annotation><xs:documentation>The Value field captures the value of the malware configuration parameter.</xs:documentation></xs:annotation></xs:element>
The Development_Environment field captures details of the development environment used in the creation of the malware instance characterized by the Malware Subject.
<xs:element minOccurs="0" name="Development_Environment" type="maecPackage:MalwareDevelopmentEnvironmentType"><xs:annotation><xs:documentation>The Development_Environment field captures details of the development environment used in the creation of the malware instance characterized by the Malware Subject.</xs:documentation></xs:annotation></xs:element>
The Tools field captures the properties of one or more tools used in the development of the malware instance. For the Type field in each Tool, the MAEC MalwareDevelopmentToolVocab (from the MAEC Default Vocabularies Schema) should be used as the default vocabulary.
<xs:element minOccurs="0" name="Tools" type="cyboxCommon:ToolsInformationType"><xs:annotation><xs:documentation>The Tools field captures the properties of one or more tools used in the development of the malware instance. For the Type field in each Tool, the MAEC MalwareDevelopmentToolVocab (from the MAEC Default Vocabularies Schema) should be used as the default vocabulary.</xs:documentation></xs:annotation></xs:element>
The Debugging_File field captures the properties of a debugging file associated with the malware instance, such as a PDB file. It uses the FileObjectType from the imported File Object Schema. More than one Debugging_File can be specified by using multiple instances of this field.
The is_masqueraded field specifies whether the file is masqueraded as another type of file; e.g., a PDF file that has had its extension changed to TXT to masquerade itself as a text file.
The object_reference field specifies a unique ID reference to an Object defined elsewhere. This construct allows for the re-use of the defined Properties of one Object within another, without the need to embed the full Object in the location from which it is being referenced. Thus, this ID reference is intended to resolve to the Properties of the Object that it points to.
Source
<xs:element maxOccurs="unbounded" minOccurs="0" name="Debugging_File" type="FileObj:FileObjectType"><xs:annotation><xs:documentation>The Debugging_File field captures the properties of a debugging file associated with the malware instance, such as a PDB file. It uses the FileObjectType from the imported File Object Schema. More than one Debugging_File can be specified by using multiple instances of this field.</xs:documentation></xs:annotation></xs:element>
<xs:element minOccurs="0" name="Minor_Variants" type="maecPackage:MinorVariantListType"><xs:annotation><xs:documentation>The Minor_Variants field captures any minor variants of the malware instance object, such as the same file but with different filenames.</xs:documentation></xs:annotation></xs:element>
The has_changed field is optional and conveys a targeted observation pattern of whether the associated object specified has changed in some way without requiring further specific detail. This field would be leveraged within a pattern observable triggering on whether the value of an object specification has changed at all. This field is NOT intended to be used for versioning of CybOX content.
The idref field specifies a unique id reference to an Object defined elsewhere.
When idref is specified, the id attribute must not be specified, and any instance of this Object should not hold content unless an extension of the Object allows it.
Source
<xs:element maxOccurs="unbounded" minOccurs="1" name="Minor_Variant" type="cybox:ObjectType"><xs:annotation><xs:documentation>The Minor_Variant field captures a single minor variant of the malware instance object.</xs:documentation></xs:annotation></xs:element>
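The following added example (not code from the MAEC project) reads the Configuration_Details described above (Storage/Malware_Binary, Obfuscation/Algorithm_Details with ordinal_position and Key, Configuration_Parameter) and the Minor_Variants list from a constructed Malware_Subject, orders the obfuscation layers by ordinal_position, checks the xs:hexBinary fields for the lexical form the type requires, and applies the id/idref rule quoted for cybox:ObjectType. The namespace URIs, the interpretation of Section_Offset as a big-endian unsigned integer, and all sample values are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Namespace URIs are an assumption (MAEC Package 2 / CybOX 2); the page shows only prefixes.
NS = {"maecPackage": "http://maec.mitre.org/XMLSchema/maec-package-2",
      "cybox": "http://cybox.mitre.org/cybox-2"}
MP = "{%s}" % NS["maecPackage"]

# Constructed sample (no real malware data). Child order follows the page's listing:
# Storage, Obfuscation, Configuration_Parameter under Configuration_Details.
SAMPLE_XML = f"""<maecPackage:Malware_Subject xmlns:maecPackage="{NS['maecPackage']}"
    xmlns:cybox="{NS['cybox']}" id="example:malware-subject-1">
  <maecPackage:Configuration_Details>
    <maecPackage:Storage>
      <maecPackage:Malware_Binary>
        <maecPackage:Section_Name>.data</maecPackage:Section_Name>
        <maecPackage:Section_Offset>00001F40</maecPackage:Section_Offset>
      </maecPackage:Malware_Binary>
    </maecPackage:Storage>
    <maecPackage:Obfuscation>
      <maecPackage:Algorithm_Details ordinal_position="2">
        <maecPackage:Key>DEADBEEF</maecPackage:Key>
        <maecPackage:Algorithm_Name>RC4</maecPackage:Algorithm_Name>
      </maecPackage:Algorithm_Details>
      <maecPackage:Algorithm_Details ordinal_position="1">
        <maecPackage:Algorithm_Name>Base64</maecPackage:Algorithm_Name>
      </maecPackage:Algorithm_Details>
    </maecPackage:Obfuscation>
    <maecPackage:Configuration_Parameter>
      <maecPackage:Name>C2 Address</maecPackage:Name>
      <maecPackage:Value>c2.example.invalid</maecPackage:Value>
    </maecPackage:Configuration_Parameter>
  </maecPackage:Configuration_Details>
  <maecPackage:Minor_Variants>
    <maecPackage:Minor_Variant idref="example:object-1"/>
    <maecPackage:Minor_Variant id="example:object-2" idref="example:object-3"/>
  </maecPackage:Minor_Variants>
</maecPackage:Malware_Subject>"""

# xs:hexBinary lexical form: an even number of hex digits, no "0x" prefix.
HEX_BINARY = re.compile(r"^(?:[0-9A-Fa-f]{2})*$")


def hex_binary_problems(subject):
    """Flag File_Offset, Section_Offset and Key values that are not valid xs:hexBinary."""
    problems = []
    for name in ("File_Offset", "Section_Offset", "Key"):
        for el in subject.iter(MP + name):
            text = (el.text or "").strip()
            if not HEX_BINARY.match(text):
                problems.append(f"{name}: {text!r} is not valid xs:hexBinary")
    return problems


def variant_problems(subject):
    """Apply the cybox:ObjectType rule quoted on the page: with idref set, id must be
    absent and the element must not hold content."""
    problems = []
    for mv in subject.iter(MP + "Minor_Variant"):
        obj_id, idref = mv.get("id"), mv.get("idref")
        if idref is not None and obj_id is not None:
            problems.append(f"Minor_Variant: id and idref both set (id={obj_id!r}, idref={idref!r})")
        if idref is not None and (len(mv) or (mv.text or "").strip()):
            problems.append(f"Minor_Variant idref={idref!r} must not hold content")
    return problems


def parse_configuration(xml_text):
    """Extract storage location, obfuscation chain, parameters and rule violations."""
    subject = ET.fromstring(xml_text)
    cfg = subject.find("maecPackage:Configuration_Details", NS)
    result = {"id": subject.get("id"), "storage": {}, "algorithms": [], "parameters": []}
    binary = cfg.find("maecPackage:Storage/maecPackage:Malware_Binary", NS)
    if binary is not None:
        off = binary.findtext("maecPackage:Section_Offset", namespaces=NS)
        result["storage"]["section_name"] = binary.findtext("maecPackage:Section_Name", namespaces=NS)
        # Assumption: the hexBinary octets encode a big-endian unsigned offset.
        result["storage"]["section_offset"] = (int.from_bytes(bytes.fromhex(off), "big")
                                               if off and HEX_BINARY.match(off) else None)
    for i, alg in enumerate(cfg.findall("maecPackage:Obfuscation/maecPackage:Algorithm_Details", NS)):
        pos, key = alg.get("ordinal_position"), alg.findtext("maecPackage:Key", namespaces=NS)
        result["algorithms"].append({
            "position": int(pos) if pos is not None else None,
            "name": alg.findtext("maecPackage:Algorithm_Name", namespaces=NS),
            "key": bytes.fromhex(key) if key and HEX_BINARY.match(key) else None,
            "doc_index": i})
    # ordinal_position gives the order in which the layers were applied; unnumbered
    # entries keep document order after the numbered ones.
    result["algorithms"].sort(key=lambda a: (a["position"] is None, a["position"] or 0, a["doc_index"]))
    for p in cfg.findall("maecPackage:Configuration_Parameter", NS):
        result["parameters"].append((p.findtext("maecPackage:Name", namespaces=NS),
                                     p.findtext("maecPackage:Value", namespaces=NS)))
    result["problems"] = hex_binary_problems(subject) + variant_problems(subject)
    return result


if __name__ == "__main__":
    import pprint
    pprint.pprint(parse_configuration(SAMPLE_XML))
```

A common authoring mistake the check catches is writing an offset as "0x1F40": xs:hexBinary takes no prefix and requires whole octets, so such a value fails schema validation even though it looks like an offset.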
The Field_Data field captures field data and prevalence information relating to the Malware Subject. It uses the fieldDataEntry type from the MMDEF v1.2 schema.
<xs:element minOccurs="0" name="Field_Data" type="metadata:fieldDataEntry"><xs:annotation><xs:documentation>The Field_Data field captures field data and prevalence information relating to the Malware Subject. It uses the fieldDataEntry type from the MMDEF v1.2 schema.</xs:documentation></xs:annotation></xs:element>
<xs:element minOccurs="0" name="Analyses" type="maecPackage:AnalysisListType"><xs:annotation><xs:documentation>The Analyses field captures any Analyses (including their associated metadata such as tools used, etc.) that were performed on the Malware Subject.</xs:documentation></xs:annotation></xs:element>
The type field specifies the type of malware analysis being performed.
Source
<xs:element maxOccurs="unbounded" name="Analysis" type="maecPackage:AnalysisType"><xs:annotation><xs:documentation>The Analysis field represents the metadata regarding a single analysis that was performed on a Malware Subject.</xs:documentation></xs:annotation></xs:element>
<xs:element minOccurs="0" name="Source" type="maecPackage:SourceType"><xs:annotation><xs:documentation>The Source field specifies information about the internal or external source of the analysis, if applicable.</xs:documentation></xs:annotation></xs:element>
The Name field refers to the name of the person linked to the source.
Type: xs:string
Source
<xs:element name="Name" type="xs:string" minOccurs="0"><xs:annotation><xs:documentation>The Name field refers to the name of the person linked to the source.</xs:documentation></xs:annotation></xs:element>
The Method field provides an abstract way of specifying the method used to obtain the data that the Source element refers to.
Type: xs:string
Source
<xs:element minOccurs="0" name="Method" type="xs:string"><xs:annotation><xs:documentation>The Method field provides an abstract way of specifying the method used to obtain the data that the Source element refers to.</xs:documentation></xs:annotation></xs:element>
The Reference field provides an abstract way of specifying a reference name or ID for the source.
Type: xs:string
Source
<xs:element minOccurs="0" name="Reference" type="xs:string"><xs:annotation><xs:documentation>The Reference field provides an abstract way of specifying a reference name or ID for the source.</xs:documentation></xs:annotation></xs:element>
The Organization field specifies the name of the organization from which the source originated.
Type: xs:string
Source
<xs:element minOccurs="0" name="Organization" type="xs:string"><xs:annotation><xs:documentation>The Organization field specifies the name of the organization from which the source originated.</xs:documentation></xs:annotation></xs:element>
The URL field specifies the Uniform Resource Locator (URL) of the external source, if applicable.
Type: xs:anyURI
Source
<xs:element minOccurs="0" name="URL" type="xs:anyURI"><xs:annotation><xs:documentation>The URL field specifies the Uniform Resource Locator (URL) of the external source, if applicable.</xs:documentation></xs:annotation></xs:element>
<xs:element maxOccurs="1" minOccurs="0" name="Analysts" type="cyboxCommon:PersonnelType"><xs:annotation><xs:documentation>The Analysts field specifies the analyst(s) who performed the analysis.</xs:documentation></xs:annotation></xs:element>
The Summary field specifies a summary of the analysis that was performed. It should be high-level and concise. It should summarize the contents of the Report field, if present, and otherwise should provide a brief synopsis of the analysis that was performed and any highlights.
Used to indicate a particular structuring format (e.g., HTML5) used within an instance of StructuredTextType. Note that if the markup tags used by this format would be interpreted as XML information (such as the bracket-based tags of HTML) the text area should be enclosed in a CDATA section to prevent the markup from interfering with XML validation of the CybOX document. If this attribute is absent, the implication is that no markup is being used.
Source
<xs:element minOccurs="0" name="Summary" type="cyboxCommon:StructuredTextType"><xs:annotation><xs:documentation>The Summary field specifies a summary of the analysis that was performed. It should be high-level and concise. It should summarize the contents of the Report field, if present, and otherwise should provide a brief synopsis of the analysis that was performed and any highlights.</xs:documentation></xs:annotation></xs:element>
The Comments field specifies any comments regarding the analysis that was performed. A comment should be attributable to a specific analyst and should reflect particular insights of the author that are significant from an analysis standpoint. The contents of comments are typically not contained in the Report.
<xs:element maxOccurs="1" minOccurs="0" name="Comments" type="maecPackage:CommentListType"><xs:annotation><xs:documentation>The Comments field specifies any comments regarding the analysis that was performed. A comment should be attributable to a specific analyst and should reflect particular insights of the author that are significant from an analysis standpoint. The contents of comments are typically not contained in the Report.</xs:documentation></xs:annotation></xs:element>
The observation_name field captures the name, type, or identifier of an observation, for comments that refer to the observation of particular entities. For example, a comment that refers to a command and control (C2) encryption key could have an observation_name of "C2 Encryption Key".
Used to indicate a particular structuring format (e.g., HTML5) used within an instance of StructuredTextType. Note that if the markup tags used by this format would be interpreted as XML information (such as the bracket-based tags of HTML) the text area should be enclosed in a CDATA section to prevent the markup from interfering with XML validation of the CybOX document. If this attribute is absent, the implication is that no markup is being used.
The timestamp field specifies the date/time that the comment was added.
Source
<xs:element maxOccurs="unbounded" name="Comment" type="maecPackage:CommentType"><xs:annotation><xs:documentation>The Comment field specifies a single comment pertaining to a particular MAEC entity.</xs:documentation></xs:annotation></xs:element>
The Findings_Bundle_Reference field specifies a reference to the Bundle which encompasses the results and output of the Analysis in terms of its corresponding MAEC entities, such as Behaviors and Actions. More than one Bundle may be referenced by using multiple occurrences of this field.
The bundle_idref field references the ID of a Bundle contained inside the current MAEC document.
Source
<xs:element minOccurs="0" name="Findings_Bundle_Reference" type="maecBundle:BundleReferenceType" maxOccurs="unbounded"><xs:annotation><xs:documentation>The Findings_Bundle_Reference field specifies a reference to the Bundle which encompasses the results and output of the Analysis in terms of its corresponding MAEC entities, such as Behaviors and Actions. More than one Bundle may be referenced by using multiple occurrences of this field.</xs:documentation></xs:annotation></xs:element>
The Tools field specifies information about the tool(s) used in the analysis, via the CybOX ToolInformationType. If only a single Tool is specified, then this implies that this tool was responsible for all of the findings contained in the Bundle referenced by the Findings_Bundle_Reference element.
<xs:element maxOccurs="1" minOccurs="0" name="Tools" type="maecPackage:ToolListType"><xs:annotation><xs:documentation>The Tools field specifies information about the tool(s) used in the analysis, via the CybOX ToolInformationType. If only a single Tool is specified, then this implies that this tool was responsible for all of the findings contained in the Bundle referenced by the Findings_Bundle_Reference element.</xs:documentation></xs:annotation></xs:element>
The idref field specifies a reference to a unique ID for this Tool.
When idref is specified, the id attribute must not be specified, and any instance of this type should not hold content unless an extension of the type allows it.
Source
<xs:element maxOccurs="unbounded" name="Tool" type="cyboxCommon:ToolInformationType" minOccurs="1"><xs:annotation><xs:documentation>The Tool field specifies a single tool in the list.</xs:documentation></xs:annotation></xs:element>
The Dynamic_Analysis_Metadata field specifies metadata pertaining to the dynamic analysis of the subject binary, such as the command line used, the duration of the analysis, etc.
<xs:element minOccurs="0" name="Dynamic_Analysis_Metadata" type="maecPackage:DynamicAnalysisMetadataType"><xs:annotation><xs:documentation>The Dynamic_Analysis_Metadata field specifies metadata pertaining to the dynamic analysis of the subject binary, such as the command line used, the duration of the analysis, etc.</xs:documentation></xs:annotation></xs:element>
The Command_Line field specifies the command line used to launch the subject binary.
Type
xs:string
Source
<xs:element minOccurs="0" name="Command_Line" type="xs:string"><xs:annotation><xs:documentation>The Command_Line field specifies the command line used to launch the subject binary.</xs:documentation></xs:annotation></xs:element>
The Analysis_Duration field specifies the duration of the overall dynamic analysis process, in seconds.
Type
xs:float
Source
<xs:element minOccurs="0" name="Analysis_Duration" type="xs:float"><xs:annotation><xs:documentation>The Analysis_Duration field specifies the duration of the overall dynamic analysis process, in seconds.</xs:documentation></xs:annotation></xs:element>
The Exit_Code field specifies the exit code with which the subject binary exited.
Type
xs:integer
Source
<xs:element minOccurs="0" name="Exit_Code" type="xs:integer"><xs:annotation><xs:documentation>The Exit_Code field specifies the exit code with which the subject binary exited.</xs:documentation></xs:annotation></xs:element>
The Raised_Exception field captures a single exception that was raised (or thrown) during the execution of the malware instance. More than one exception may be captured through the use of multiple instances of this field.
The is_fatal field specifies whether the exception is fatal; that is, whether it caused the malware instance to terminate.
Source
<xs:element maxOccurs="unbounded" minOccurs="0" name="Raised_Exception" type="maecPackage:MalwareExceptionType"><xs:annotation><xs:documentation>The Raised_Exception field captures a single exception that was raised (or thrown) during the execution of the malware instance. More than one exception may be captured through the use of multiple instances of this field.</xs:documentation></xs:annotation></xs:element>
The Exception_Code field captures the particular code that identifies the type of exception that occurred.
Type
xs:string
Source
<xs:element minOccurs="0" name="Exception_Code" type="xs:string"><xs:annotation><xs:documentation>The Exception_Code field captures the particular code that identifies the type of exception that occurred.</xs:documentation></xs:annotation></xs:element>
The Faulting_Address field captures the memory address where the exception occurred.
Type
xs:hexBinary
Source
<xs:element minOccurs="0" name="Faulting_Address" type="xs:hexBinary"><xs:annotation><xs:documentation>The Faulting_Address field captures the memory address where the exception occurred.</xs:documentation></xs:annotation></xs:element>
The Description field captures the textual description of the exception.
Type
xs:short
Source
<xs:element minOccurs="0" name="Description" type="xs:short"><xs:annotation><xs:documentation>The Description field captures the textual description of the exception.</xs:documentation></xs:annotation></xs:element>
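As an added example that is not part of the MAEC schema or its documentation, the following Python reads the Dynamic_Analysis_Metadata block described above out of a MAEC Package document with the standard library's ElementTree. The package namespace is the one documented on this page; the sample document is constructed for this example, and its Analyses/Analysis wrapper elements, ids and values are assumed sample structure, not data from any real analysis. Faulting_Address is decoded as xs:hexBinary (an even number of hex digits with no 0x prefix), is_fatal as xs:boolean, and fatal exceptions are separated from the rest so a consumer can tell a crashed run from one that exited normally.

```python
import string
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import List, Optional

# Package namespace as documented for the maecPackage prefix on this page.
NS = {"maecPackage": "http://maec.mitre.org/XMLSchema/maec-package-2"}
PKG = "{%s}" % NS["maecPackage"]

# Constructed sample: the Analyses/Analysis wrappers, ids and values are made up.
SAMPLE_PACKAGE = """<maecPackage:MAEC_Package
    xmlns:maecPackage="http://maec.mitre.org/XMLSchema/maec-package-2"
    schema_version="2.0">
  <maecPackage:Malware_Subjects>
    <maecPackage:Malware_Subject id="example:subject-1">
      <maecPackage:Analyses>
        <maecPackage:Analysis id="example:analysis-1">
          <maecPackage:Dynamic_Analysis_Metadata>
            <maecPackage:Command_Line>sample.exe /silent</maecPackage:Command_Line>
            <maecPackage:Analysis_Duration>120.5</maecPackage:Analysis_Duration>
            <maecPackage:Exit_Code>-1073741819</maecPackage:Exit_Code>
            <maecPackage:Raised_Exception is_fatal="false">
              <maecPackage:Exception_Code>0x40010006</maecPackage:Exception_Code>
            </maecPackage:Raised_Exception>
            <maecPackage:Raised_Exception is_fatal="true">
              <maecPackage:Exception_Code>0xC0000005</maecPackage:Exception_Code>
              <maecPackage:Faulting_Address>00401A2F</maecPackage:Faulting_Address>
            </maecPackage:Raised_Exception>
          </maecPackage:Dynamic_Analysis_Metadata>
        </maecPackage:Analysis>
      </maecPackage:Analyses>
    </maecPackage:Malware_Subject>
  </maecPackage:Malware_Subjects>
</maecPackage:MAEC_Package>
"""


@dataclass
class RaisedException:
    is_fatal: Optional[bool]         # None when the is_fatal attribute is absent
    code: Optional[str]              # Exception_Code (xs:string)
    faulting_address: Optional[int]  # Faulting_Address decoded from xs:hexBinary
    description: Optional[str]       # Description text, if any


@dataclass
class DynamicAnalysisMetadata:
    command_line: Optional[str]
    duration_seconds: Optional[float]  # Analysis_Duration (xs:float, in seconds)
    exit_code: Optional[int]           # Exit_Code (xs:integer)
    exceptions: List[RaisedException] = field(default_factory=list)

    def fatal_exceptions(self) -> List[RaisedException]:
        return [e for e in self.exceptions if e.is_fatal is True]


def child_text(parent: ET.Element, name: str) -> Optional[str]:
    """Stripped text of the first maecPackage child called `name`, or None."""
    el = parent.find("maecPackage:" + name, NS)
    return None if el is None or el.text is None else el.text.strip()


def parse_xs_boolean(value: Optional[str]) -> Optional[bool]:
    """xs:boolean lexical space is true/false/1/0; None when the attribute is absent."""
    if value is None:
        return None
    if value in ("true", "1"):
        return True
    if value in ("false", "0"):
        return False
    raise ValueError("not an xs:boolean: %r" % value)


def parse_hex_binary(value: str) -> int:
    """xs:hexBinary is an even number of hex digits with no 0x prefix."""
    if len(value) % 2 or not all(c in string.hexdigits for c in value):
        raise ValueError("not an xs:hexBinary value: %r" % value)
    return int(value, 16)


def parse_dynamic_analysis_metadata(package_xml: str) -> List[DynamicAnalysisMetadata]:
    """Return one record per Dynamic_Analysis_Metadata element in the package."""
    root = ET.fromstring(package_xml)
    records = []
    for meta in root.iter(PKG + "Dynamic_Analysis_Metadata"):
        exceptions = []
        for exc in meta.findall("maecPackage:Raised_Exception", NS):
            addr = child_text(exc, "Faulting_Address")
            exceptions.append(RaisedException(
                is_fatal=parse_xs_boolean(exc.get("is_fatal")),
                code=child_text(exc, "Exception_Code"),
                faulting_address=None if addr is None else parse_hex_binary(addr),
                description=child_text(exc, "Description"),
            ))
        duration = child_text(meta, "Analysis_Duration")
        exit_code = child_text(meta, "Exit_Code")
        records.append(DynamicAnalysisMetadata(
            command_line=child_text(meta, "Command_Line"),
            duration_seconds=None if duration is None else float(duration),
            exit_code=None if exit_code is None else int(exit_code),
            exceptions=exceptions,
        ))
    return records
```

Calling `parse_dynamic_analysis_metadata(SAMPLE_PACKAGE)` yields one record whose `fatal_exceptions()` holds only the second exception, with its address decoded to an integer. The is_fatal attribute is kept as a three-valued field because the schema text above does not state a default for it.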
<xs:element minOccurs="0" name="Analysis_Environment" type="maecPackage:AnalysisEnvironmentType"><xs:annotation><xs:documentation>The Analysis_Environment field specifies attributes for characterizing the analysis environment in which the analysis was performed.</xs:documentation></xs:annotation></xs:element>
The Hypervisor_Host_System field characterizes the (physical) host system used in the analysis on which the VM Hypervisor runs. This element imports and extends the CybOX System Object.
The object_reference field specifies a unique ID reference to an Object defined elsewhere. This construct allows for the re-use of the defined Properties of one Object within another, without the need to embed the full Object in the location from which it is being referenced. Thus, this ID reference is intended to resolve to the Properties of the Object that it points to.
Source
<xs:element minOccurs="0" name="Hypervisor_Host_System" type="maecPackage:HypervisorHostSystemType"><xs:annotation><xs:documentation>The Hypervisor_Host_System field characterizes the (physical) host system used in the analysis on which the VM Hypervisor runs. This element imports and extends the CybOX System Object.</xs:documentation></xs:annotation></xs:element>
The VM_Hypervisor field refers to the name of the VM Hypervisor that hosts the operating system(s) on which the analysis was performed, if applicable, via a Common Platform Enumeration (CPE) identifier. See http://cpe.mitre.org for more information on CPE.
<xs:element minOccurs="0" name="VM_Hypervisor" type="cyboxCommon:PlatformSpecificationType"><xs:annotation><xs:documentation>The VM_Hypervisor field refers to the name of the VM Hypervisor that hosts the operating system(s) on which the analysis was performed, if applicable, via a Common Platform Enumeration (CPE) identifier. See http://cpe.mitre.org for more information on CPE.</xs:documentation></xs:annotation></xs:element>
The Analysis_Systems field characterizes the system(s) (real or virtual) on which the actual analysis was performed, including information about both the hardware and software, such as the properties of its BIOS, processor architecture, and operating system. This element imports and extends the CybOX System Object.
<xs:element minOccurs="0" name="Analysis_Systems" type="maecPackage:AnalysisSystemListType"><xs:annotation><xs:documentation>The Analysis_Systems field characterizes the system(s) (real or virtual) on which the actual analysis was performed, including information about both the hardware and software, such as the properties of its BIOS, processor architecture, and operating system. This element imports and extends the CybOX System Object.</xs:documentation></xs:annotation></xs:element>
The object_reference field specifies a unique ID reference to an Object defined elsewhere. This construct allows for the re-use of the defined Properties of one Object within another, without the need to embed the full Object in the location from which it is being referenced. Thus, this ID reference is intended to resolve to the Properties of the Object that it points to.
Source
<xs:element maxOccurs="unbounded" name="Analysis_System" type="maecPackage:AnalysisSystemType"><xs:annotation><xs:documentation>The Analysis_System field captures a single analysis system.</xs:documentation></xs:annotation></xs:element>
The Installed_Programs field specifies the programs installed on the OS that was used to perform the analysis. This can be useful for clarifying the nature of the analysis environment, for instance for determining whether an exploited piece of software was present, as well as for specifying any tools that may have been installed.
<xs:element minOccurs="0" name="Installed_Programs" type="maecPackage:InstalledProgramsType"><xs:annotation><xs:documentation>The Installed_Programs field specifies the programs installed on the OS that was used to perform the analysis. This can be useful for clarifying the nature of the analysis environment, for instance for determining whether an exploited piece of software was present, as well as for specifying any tools that may have been installed.</xs:documentation></xs:annotation></xs:element>
<xs:element maxOccurs="unbounded" name="Program" type="cyboxCommon:PlatformSpecificationType"><xs:annotation><xs:documentation>The Program field specifies a single program that is installed on the system. It uses the PlatformSpecificationType from the CybOX Common schema.</xs:documentation></xs:annotation></xs:element>
The Network_Infrastructure field captures details of the network infrastructure used in the analysis environment, such as any network protocols that are captured or manipulated.
<xs:element minOccurs="0" name="Network_Infrastructure" type="maecPackage:NetworkInfrastructureType"><xs:annotation><xs:documentation>The Network_Infrastructure field captures details of the network infrastructure used in the analysis environment, such as any network protocols that are captured or manipulated.</xs:documentation></xs:annotation></xs:element>
The Captured_Protocols field specifies a list of network protocols, along with the particular level of interaction, that the malware analysis environment captures or interacts with in some fashion.
<xs:element minOccurs="1" name="Captured_Protocols" type="maecPackage:CapturedProtocolListType"><xs:annotation><xs:documentation>The Captured_Protocols field specifies a list of network protocols, along with the particular level of interaction, that the malware analysis environment captures or interacts with in some fashion.</xs:documentation></xs:annotation></xs:element>
The port_number field specifies the port number for this network protocol that is captured or manipulated by the analysis environment.
Source
<xs:element maxOccurs="unbounded" name="Protocol" type="maecPackage:CapturedProtocolType"><xs:annotation><xs:documentation>The Protocol field specifies a single layer 4 or layer 7 network protocol captured or interacted with by the analysis environment.</xs:documentation></xs:annotation></xs:element>
The Report field specifies the textual report regarding the analysis performed on the malware. The Report should correspond to the human-readable prose document that captures key aspects and outcomes of the analysis.
Used to indicate a particular structuring format (e.g., HTML5) used within an instance of StructuredTextType. Note that if the markup tags used by this format would be interpreted as XML information (such as the bracket-based tags of HTML) the text area should be enclosed in a CDATA section to prevent the markup from interfering with XML validation of the CybOX document. If this attribute is absent, the implication is that no markup is being used.
Source
<xs:element minOccurs="0" name="Report" type="cyboxCommon:StructuredTextType"><xs:annotation><xs:documentation>The Report field specifies the textual report regarding the analysis performed on the malware. The Report should correspond to the human-readable prose document that captures key aspects and outcomes of the analysis.</xs:documentation></xs:annotation></xs:element>
The Findings_Bundles field specifies any MAEC Bundles pertaining to the Malware Subject, thus capturing any observed or discovered Behaviors, Actions, or Objects. These Bundles can either be abstract, or referenced as the result of an analysis that was performed on the malware.
<xs:element minOccurs="0" name="Findings_Bundles" type="maecPackage:FindingsBundleListType"><xs:annotation><xs:documentation>The Findings_Bundles field specifies any MAEC Bundles pertaining to the Malware Subject, thus capturing any observed or discovered Behaviors, Actions, or Objects. These Bundles can either be abstract, or referenced as the result of an analysis that was performed on the malware.</xs:documentation></xs:annotation></xs:element>
<xs:element minOccurs="0" name="Meta_Analysis" type="maecPackage:MetaAnalysisType"><xs:annotation><xs:documentation>The Meta_Analysis field captures any meta-analysis related entities for the Bundles captured for a Malware Subject, such as equivalencies.</xs:documentation></xs:annotation></xs:element>
<xs:element minOccurs="0" name="Action_Equivalences" type="maecPackage:ActionEquivalenceListType"><xs:annotation><xs:documentation>The Action_Equivalences field captures any equivalences between Actions contained in one or more Bundles.</xs:documentation></xs:annotation></xs:element>
The required id field specifies a unique ID for the Action Equivalence.
Source
<xs:element maxOccurs="unbounded" name="Action_Equivalence" type="maecPackage:ActionEquivalenceType"><xs:annotation><xs:documentation>The Action_Equivalence field captures a single Action Equivalence in the list.</xs:documentation></xs:annotation></xs:element>
The action_id field refers to the id of the action being referenced.
Source
<xs:element maxOccurs="unbounded" name="Action_Reference" type="cybox:ActionReferenceType"><xs:annotation><xs:documentation>The Action_Reference field specifies a reference to a single Action that is part of the Action Equivalency.</xs:documentation></xs:annotation></xs:element>
<xs:element minOccurs="0" name="Object_Equivalences" type="maecPackage:ObjectEquivalenceListType"><xs:annotation><xs:documentation>The Object_Equivalences field captures any equivalences between Objects contained in one or more Bundles.</xs:documentation></xs:annotation></xs:element>
The required id field specifies a unique ID for the Object Equivalence.
Source
<xs:element maxOccurs="unbounded" name="Object_Equivalence" type="maecPackage:ObjectEquivalenceType"><xs:annotation><xs:documentation>The Object_Equivalence field specifies a single Object Equivalence in the list.</xs:documentation></xs:annotation></xs:element>
The content_type field specifies the general type of content contained in this Bundle, e.g. static analysis tool output, dynamic analysis tool output, etc.
The required defined_subject field specifies whether the subject attributes of the characterized malware instance are included inside this Bundle (via the top-level Malware_Instance_Object_Attributes field) or elsewhere (such as a MAEC Subject in a MAEC Package).
The required schema_version field specifies the version of the MAEC Bundle Schema that the document has been written in and that should be used for validation.
The timestamp field specifies the date/time that the bundle was generated.
Source
<xs:element maxOccurs="unbounded" name="Bundle" type="maecBundle:BundleType" minOccurs="0"><xs:annotation><xs:documentation>The Bundle field captures a single MAEC Bundle, representing some set of characterized entities resulting from analysis of the Malware Subject.</xs:documentation></xs:annotation></xs:element>
The Bundle_External_Reference field specifies a single externally located MAEC Bundle (such as a file or URL) via a URI, representing some set of results from analysis of the Malware Subject.
Type
xs:anyURI
Source
<xs:element maxOccurs="unbounded" minOccurs="0" name="Bundle_External_Reference" type="xs:anyURI"><xs:annotation><xs:documentation>The Bundle_External_Reference field specifies a single externally located MAEC Bundle (such as a file or URL) via a URI, representing some set of results from analysis of the Malware Subject.</xs:documentation></xs:annotation></xs:element>
<xs:element minOccurs="0" name="Relationships" type="maecPackage:MalwareSubjectRelationshipListType"><xs:annotation><xs:documentation>The Relationships field captures any relationships between the Malware Subject and other Malware Subjects.</xs:documentation></xs:annotation></xs:element>
<xs:element name="Relationship" maxOccurs="unbounded" type="maecPackage:MalwareSubjectRelationshipType"><xs:annotation><xs:documentation>The Relationship field specifies a relationship that relates the Malware Subject to one or more other Malware Subjects contained in the Package.</xs:documentation></xs:annotation></xs:element>
The Type field specifies the type of relationship being captured.
This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is MalwareSubjectRelationshipTypeVocab-1.0 in the http://maec.mitre.org/default_vocabularies-1 namespace. This type is defined in the maec_default_vocabularies.xsd file or at the URL http://maec.mitre.org/XMLSchema/default_vocabularies/1.0.0/maec_default_vocabularies.xsd.
This field indicates how a condition should be applied when the field body contains a list of values. (Its value is moot if the field value contains only a single value - both possible values for this field would have the same behavior.) If this field is set to ANY, then a pattern is considered to be matched if the provided condition successfully evaluates for any of the values in the field body. If the field is set to ALL, then the pattern only matches if the provided condition successfully evaluates for every value in the field body.
Used to specify a bit_mask in conjunction with one of the defined binary conditions (bitwiseAnd, bitwiseOr, and bitwiseXor). This bitmask is then used as one operand in the indicated bitwise computation.
This field is optional and conveys a targeted observation pattern of whether the associated field value has changed. This field would be leveraged within a pattern observable triggering on whether the value of a single field value has changed.
The is_case_sensitive field is optional and should be used when specifying the case-sensitivity of a pattern which uses an Equals, DoesNotEqual, Contains, DoesNotContain, StartsWith, EndsWith, or FitsPattern condition. The default value for this field is "true" which indicates that pattern evaluations are to be considered case-sensitive.
This field is optional and defines the type of pattern used if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
This field is optional and defines the syntax format used for a regular expression, if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
Setting this attribute with an empty value (e.g., "") or omitting it entirely notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities, character classes, escapes, and other lexical tokens defined by the CybOX Language Specification.
Setting this attribute with a non-empty value notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities not defined by the CybOX Language Specification. The regular expression must be evaluated through a compatible regular expression engine in this case.
This field is optional and conveys a targeted observation pattern of the nature of any trend in the associated field value. This field would be leveraged within a pattern observable triggering on the matching of a specified trend in the value of a single specified field.
The vocab_reference field specifies the URI to the location of where the controlled vocabulary is defined, e.g., in an externally located XML schema file.
Source
<xs:element minOccurs="1" name="Type" type="cyboxCommon:ControlledVocabularyStringType"><xs:annotation><xs:documentation>The Type field specifies the type of relationship being captured.</xs:documentation><xs:documentation>This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is MalwareSubjectRelationshipTypeVocab-1.0 in the http://maec.mitre.org/default_vocabularies-1 namespace. This type is defined in the maec_default_vocabularies.xsd file or at the URL http://maec.mitre.org/XMLSchema/default_vocabularies/1.0.0/maec_default_vocabularies.xsd.</xs:documentation></xs:annotation></xs:element>
The malware_subject_idref field provides a reference to a Malware Subject contained in the Package, via its ID.
Source
<xs:element maxOccurs="unbounded" name="Malware_Subject_Reference" type="maecPackage:MalwareSubjectReferenceType"><xs:annotation><xs:documentation>The Malware_Subject_Reference field provides a reference to a single Malware Subject that this relationship pertains to.</xs:documentation></xs:annotation></xs:element>
The Compatible_Platform field specifies a single platform that the Malware Subject is compatible with (i.e. can execute on). It uses the PlatformSpecificationType from the imported CybOX Common schema. More than one compatible platform can be specified by using multiple occurrences of this field.
<xs:element maxOccurs="unbounded" minOccurs="0" name="Compatible_Platform" type="cyboxCommon:PlatformSpecificationType"><xs:annotation><xs:documentation>The Compatible_Platform field specifies a single platform that the Malware Subject is compatible with (i.e. can execute on). It uses the PlatformSpecificationType from the imported CybOX Common schema. More than one compatible platform can be specified by using multiple occurrences of this field.</xs:documentation></xs:annotation></xs:element>
The Grouping_Relationships field specifies the particular relationships that serve to group the Malware Subjects encompassed in this Package. This is solely for cases where more than one Malware Subject is contained within the Package.
<xs:element minOccurs="0" name="Grouping_Relationships" type="maecPackage:GroupingRelationshipListType"><xs:annotation><xs:documentation>The Grouping_Relationships field specifies the particular relationships that serve to group the Malware Subjects encompassed in this Package. This is solely for cases where more than one Malware Subject is contained within the Package.</xs:documentation></xs:annotation></xs:element>
<xs:element maxOccurs="unbounded" name="Grouping_Relationship" type="maecPackage:GroupingRelationshipType"><xs:annotation><xs:documentation>The Grouping_Relationship field specifies a single grouping relationship in the list.</xs:documentation></xs:annotation></xs:element>
The Type field specifies the type of relationship that groups the Malware Subjects in the Package.
This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is GroupingRelationshipTypeVocab-1.0 in the http://maec.mitre.org/default_vocabularies-1 namespace. This type is defined in the maec_default_vocabularies.xsd file or at the URL http://maec.mitre.org/XMLSchema/default_vocabularies/1.0.0/maec_default_vocabularies.xsd.
This field indicates how a condition should be applied when the field body contains a list of values. (Its value is moot if the field value contains only a single value - both possible values for this field would have the same behavior.) If this field is set to ANY, then a pattern is considered to be matched if the provided condition successfully evaluates for any of the values in the field body. If the field is set to ALL, then the pattern only matches if the provided condition successfully evaluates for every value in the field body.
Used to specify a bit_mask in conjunction with one of the defined binary conditions (bitwiseAnd, bitwiseOr, and bitwiseXor). This bitmask is then used as one operand in the indicated bitwise computation.
This field is optional and conveys a targeted observation pattern of whether the associated field value has changed. This field would be leveraged within a pattern observable triggering on whether the value of a single field value has changed.
The is_case_sensitive field is optional and should be used when specifying the case-sensitivity of a pattern which uses an Equals, DoesNotEqual, Contains, DoesNotContain, StartsWith, EndsWith, or FitsPattern condition. The default value for this field is "true" which indicates that pattern evaluations are to be considered case-sensitive.
This field is optional and defines the type of pattern used if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
This field is optional and defines the syntax format used for a regular expression, if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
Setting this attribute with an empty value (e.g., "") or omitting it entirely notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities, character classes, escapes, and other lexical tokens defined by the CybOX Language Specification.
Setting this attribute with a non-empty value notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities not defined by the CybOX Language Specification. The regular expression must be evaluated through a compatible regular expression engine in this case.
This field is optional and conveys a targeted observation pattern of the nature of any trend in the associated field value. This field would be leveraged within a pattern observable triggering on the matching of a specified trend in the value of a single specified field.
The vocab_reference field specifies the URI to the location of where the controlled vocabulary is defined, e.g., in an externally located XML schema file.
Source
<xs:element minOccurs="0" name="Type" type="cyboxCommon:ControlledVocabularyStringType"><xs:annotation><xs:documentation>The Type field specifies the type of relationship that groups the Malware Subjects in the Package.</xs:documentation><xs:documentation>This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is GroupingRelationshipTypeVocab-1.0 in the http://maec.mitre.org/default_vocabularies-1 namespace. This type is defined in the maec_default_vocabularies.xsd file or at the URL http://maec.mitre.org/XMLSchema/default_vocabularies/1.0.0/maec_default_vocabularies.xsd.</xs:documentation></xs:annotation></xs:element>
The Malware_Family_Name field specifies the name of the malware family referred to by the 'same_malware_family' relationship type.
Type
xs:string
Source
<xs:element minOccurs="0" name="Malware_Family_Name" type="xs:string"><xs:annotation><xs:documentation>The Malware_Family_Name field specifies the name of the malware family referred to by the 'same_malware_family' relationship type.</xs:documentation></xs:annotation></xs:element>
The Malware_Toolkit_Name field specifies the name of the malware toolkit referred to by the 'same_malware_toolkit' relationship type.
Type
xs:string
Source
<xs:element minOccurs="0" name="Malware_Toolkit_Name" type="xs:string"><xs:annotation><xs:documentation>The Malware_Toolkit_Name field specifies the name of the malware toolkit referred to by the 'same_malware_toolkit' relationship type.</xs:documentation></xs:annotation></xs:element>
<xs:element minOccurs="0" name="Clustering_Metadata" type="maecPackage:ClusteringMetadataType"><xs:annotation><xs:documentation>The Clustering_Metadata field specifies any metadata regarding the algorithm and/or methods used for cluster the Malware Subjects in this Package.</xs:documentation></xs:annotation></xs:element>
The Algorithm_Name field specifies the name of the clustering algorithm used to cluster the malware.
Type
xs:string
Source
<xs:element minOccurs="0" name="Algorithm_Name" type="xs:string"><xs:annotation><xs:documentation>The Algorithm_Name field specifies the name of the clustering algorithm used to cluster the malware.</xs:documentation></xs:annotation></xs:element>
The Algorithm_Version field specifies the version of the algorithm used to cluster the malware.
Type
xs:string
Source
<xs:element minOccurs="0" name="Algorithm_Version" type="xs:string"><xs:annotation><xs:documentation>The Algorithm_Version field specifies the version of the algorithm used to cluster the malware.</xs:documentation></xs:annotation></xs:element>
<xs:element minOccurs="0" name="Algorithm_Parameters" type="maecPackage:ClusteringAlgorithmParametersType"><xs:annotation><xs:documentation>The Algorithm_Parameters field specifies any parameters that may have been used in the clustering algorithm.</xs:documentation></xs:annotation></xs:element>
The Distance_Threshold field specifies the minimum distance threshold for the cluster, or the minimum distance between nodes in order for them to belong to the same cluster.
Type
xs:decimal
Source
<xs:element minOccurs="0" name="Distance_Threshold" type="xs:decimal"><xs:annotation><xs:documentation>The Distance_Threshold field specifies the minimum distance threshold for the cluster, or the minimum distance between nodes in order for them to belong to the same cluster.</xs:documentation></xs:annotation></xs:element>
The Number_of_Iterations field specifies the number of times that the algorithm was executed in order to produce the cluster.
Type
xs:positiveInteger
Source
<xs:element minOccurs="0" name="Number_of_Iterations" type="xs:positiveInteger"><xs:annotation><xs:documentation>The Number_of_Iterations field specifies the number of times that the algorithm was executed in order to produce the cluster.</xs:documentation></xs:annotation></xs:element>
The Cluster_Size field specifies the size of the malware cluster.
Type
xs:positiveInteger
Source
<xs:element minOccurs="0" name="Cluster_Size" type="xs:positiveInteger"><xs:annotation><xs:documentation>The Cluster_Size field specifies the size of the malware cluster.</xs:documentation></xs:annotation></xs:element>
The Cluster_Description field provides a textual description of the malware cluster, such as information about its composition, etc.
Type
xs:string
Source
<xs:element minOccurs="0" name="Cluster_Description" type="xs:string"><xs:annotation><xs:documentation>The Cluster_Description field provides a textual description of the malware cluster, such as information about its composition, etc.</xs:documentation></xs:annotation></xs:element>
The Cluster_Composition field captures the composition of the malware cluster, including the similarity indices between its members, as a collection of edges and their corresponding nodes.
For clustering algorithms that may capture different types of scores, the score_type attribute specifies the type of score used to define the composition of this malware cluster.
Source
<xs:element name="Cluster_Composition" minOccurs="0" type="maecPackage:ClusterCompositionType"><xs:annotation><xs:documentation>The Cluster_Composition field captures the composition of the malware cluster, including the similarity indices between its members, as a collection of edges and their corresponding nodes.</xs:documentation></xs:annotation></xs:element>
The Cluster_Edge_Node_Pair field specifies a single edge and its connected nodes in the malware cluster, representing the similarity index between two Malware Subjects.
The similarity_distance field specifies the similarity distance between the two Malware Subjects being referenced (indicating how dissimilar they are), as a decimal value. This value should be equivalent to 1 minus the similarity index value (if included).
The similarity_index field specifies the similarity index between the two Malware Subjects being referenced (indicating how similar they are), as a decimal value. This value should be equivalent to 1 minus the similarity distance value (if included).
Source
<xs:element maxOccurs="unbounded" name="Edge_Node_Pair" type="maecPackage:ClusterEdgeNodePairType"><xs:annotation><xs:documentation>The Cluster_Edge_Node_Pair field specifies a single edge and its connected nodes in the malware cluster, representing the similarity index between two Malware Subjects.</xs:documentation></xs:annotation></xs:element>
The malware_subject_idref field provides a reference to a Malware Subject contained in the Package, via its ID.
Source
<xs:element minOccurs="1" name="Malware_Subject_Node_A" type="maecPackage:MalwareSubjectReferenceType"><xs:annotation><xs:documentation>The Malware_Subject_Node_A field represents a node connected to the edge via a reference to a Malware Subject that is part of a malware cluster.</xs:documentation></xs:annotation></xs:element>
The malware_subject_idref field provides a reference to a Malware Subject contained in the Package, via its ID.
Source
<xs:element name="Malware_Subject_Node_B" type="maecPackage:MalwareSubjectReferenceType"><xs:annotation><xs:documentation>The Malware_Subject_Node_B field represents a node connected to the edge via a reference to a Malware Subject that is part of a malware cluster.</xs:documentation></xs:annotation></xs:element>
Element maecPackage:MAEC_Package
Namespace
http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The root element of the MAEC Package schema is the MAEC_Package, which captures a single MAEC Package that encompasses one or more Malware Subjects and all of their associated MAEC entities.
The required schema_version field specifies the version of the MAEC Package schema that the document has been written in and that should be used for validation.
The timestamp field specifies the date/time that the Package was generated.
Source
<xs:element name="MAEC_Package" type="maecPackage:PackageType"><xs:annotation><xs:documentation>The root element of the MAEC Package schema is the MAEC_Package, which captures a single MAEC Package that encompasses one or more Malware Subjects and all of their associated MAEC entities.</xs:documentation></xs:annotation><xs:unique name="unique-package-id"><xs:selector xpath=".//*"/><xs:field xpath="@id"/></xs:unique></xs:element>
Complex Type maecPackage:PackageType
Namespace
http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The PackageType is the namesake type of the MAEC Package schema, and captures either a single Malware Subject, or a collection of Malware Subjects that are related in some way (even if exact details of the relationship are unknown). Unlike the MAEC Bundle, which captures only the MAEC-characterized analysis results for a malware instance, the Package permits the capture of additional metadata relating to the analysis, relationships between Malware Subjects, and similar types of entities.
The required schema_version field specifies the version of the MAEC Package schema that the document has been written in and that should be used for validation.
The timestamp field specifies the date/time that the Package was generated.
Source
<xs:complexType name="PackageType"><xs:annotation><xs:documentation>The PackageType is the namesake type of the MAEC Package schema, and captures either a single Malware Subject, or a collection of Malware Subjects that are related in some way (even if exact details of the relationship are unknown). Unlike the MAEC Bundle, which captures only the MAEC-characterized analysis results for a malware instance, the Package permits the capture of additional metadata relating to the analysis, relationships between Malware Subjects, and similar types of entities.</xs:documentation></xs:annotation><xs:sequence><xs:element name="Malware_Subjects" type="maecPackage:MalwareSubjectListType"><xs:annotation><xs:documentation>The Malware_Subjects field captures each of the Malware Subjects contained in the Package.</xs:documentation></xs:annotation></xs:element><xs:element minOccurs="0" name="Grouping_Relationships" type="maecPackage:GroupingRelationshipListType"><xs:annotation><xs:documentation>The Grouping_Relationships field specifies the particular relationships that serve to group the Malware Subjects encompassed in this Package. 
This is solely for cases where more than one Malware Subject is contained within the Package.</xs:documentation></xs:annotation></xs:element></xs:sequence><xs:attribute name="id" use="required" type="xs:QName"><xs:annotation><xs:documentation>The required id field specifies a unique ID for this Package.</xs:documentation></xs:annotation></xs:attribute><xs:attribute fixed="2.1" name="schema_version" type="xs:string" use="required"><xs:annotation><xs:documentation>The required schema_version field specifies the version of the MAEC Package schema that the document has been written in and that should be used for validation.</xs:documentation></xs:annotation></xs:attribute><xs:attribute name="timestamp" type="xs:dateTime"><xs:annotation><xs:documentation>The timestamp field specifies the date/time that the Package was generated.</xs:documentation></xs:annotation></xs:attribute></xs:complexType>
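The Edge_Node_Pair similarity rule and the unique-package-id constraint on MAEC_Package described above, exercised by a small checker over a constructed instance document. This is an added example, not MAEC project code; the intermediate elements Grouping_Relationship, Clusters and Cluster, and every sample id, are assumptions not described in this section.

```python
"""Consistency checks on a MAEC Package instance document (added example).

Three rules stated in the schema documentation are checked:
  * schema_version is fixed to "2.1";
  * the xs:unique 'unique-package-id' constraint (selector .//*, field @id):
    every id among the descendants of MAEC_Package must be unique;
  * on each Edge_Node_Pair, Node_A/Node_B must reference a Malware_Subject in
    the Package, and similarity_distance == 1 - similarity_index when both are
    present.
"""
import xml.etree.ElementTree as ET
from collections import Counter

MAEC_PACKAGE_NS = "http://maec.mitre.org/XMLSchema/maec-package-2"
MP = "{%s}" % MAEC_PACKAGE_NS  # Clark-notation prefix for ElementTree lookups

# Constructed sample instance (not from the MAEC project). It deliberately
# carries one duplicated id, one dangling idref and one inconsistent edge so
# that every check has something to report. The element path between
# Grouping_Relationships and Cluster_Composition is not described in this
# section; Grouping_Relationship/Clusters/Cluster are assumed names.
SAMPLE_PACKAGE = """<maecPackage:MAEC_Package
    xmlns:maecPackage="http://maec.mitre.org/XMLSchema/maec-package-2"
    id="example:package-1" schema_version="2.1"
    timestamp="2014-01-01T00:00:00Z">
  <maecPackage:Malware_Subjects>
    <maecPackage:Malware_Subject id="example:subject-1">
      <maecPackage:Malware_Instance_Object_Attributes id="example:obj-1"/>
    </maecPackage:Malware_Subject>
    <maecPackage:Malware_Subject id="example:subject-2">
      <maecPackage:Malware_Instance_Object_Attributes id="example:obj-2"/>
    </maecPackage:Malware_Subject>
    <maecPackage:Malware_Subject id="example:subject-3">
      <maecPackage:Malware_Instance_Object_Attributes id="example:obj-1"/>
    </maecPackage:Malware_Subject>
  </maecPackage:Malware_Subjects>
  <maecPackage:Grouping_Relationships>
    <maecPackage:Grouping_Relationship>
      <maecPackage:Clusters>
        <maecPackage:Cluster>
          <maecPackage:Cluster_Composition>
            <maecPackage:Edge_Node_Pair similarity_index="0.85" similarity_distance="0.15">
              <maecPackage:Malware_Subject_Node_A malware_subject_idref="example:subject-1"/>
              <maecPackage:Malware_Subject_Node_B malware_subject_idref="example:subject-2"/>
            </maecPackage:Edge_Node_Pair>
            <maecPackage:Edge_Node_Pair similarity_index="0.40" similarity_distance="0.50">
              <maecPackage:Malware_Subject_Node_A malware_subject_idref="example:subject-2"/>
              <maecPackage:Malware_Subject_Node_B malware_subject_idref="example:subject-3"/>
            </maecPackage:Edge_Node_Pair>
            <maecPackage:Edge_Node_Pair similarity_index="0.20">
              <maecPackage:Malware_Subject_Node_A malware_subject_idref="example:subject-1"/>
              <maecPackage:Malware_Subject_Node_B malware_subject_idref="example:subject-9"/>
            </maecPackage:Edge_Node_Pair>
          </maecPackage:Cluster_Composition>
        </maecPackage:Cluster>
      </maecPackage:Clusters>
    </maecPackage:Grouping_Relationship>
  </maecPackage:Grouping_Relationships>
</maecPackage:MAEC_Package>"""


def check_schema_version(root):
    """The schema fixes schema_version to "2.1"; any other value should not validate."""
    return root.get("schema_version") == "2.1"


def find_duplicate_ids(root):
    """Mirror unique-package-id: the selector .//* covers every descendant element
    of MAEC_Package (CybOX object ids included) but not the Package element itself."""
    counts = Counter(el.get("id") for el in root.iter()
                     if el is not root and el.get("id") is not None)
    return sorted(i for i, n in counts.items() if n > 1)


def check_cluster_edges(root, tolerance=1e-9):
    """Resolve both node references of each Edge_Node_Pair and verify that
    similarity_index + similarity_distance == 1 when both attributes are given."""
    subject_ids = {s.get("id") for s in root.iter(MP + "Malware_Subject")}
    problems = []
    for n, edge in enumerate(root.iter(MP + "Edge_Node_Pair"), start=1):
        refs = []
        for node_name in ("Malware_Subject_Node_A", "Malware_Subject_Node_B"):
            node = edge.find(MP + node_name)
            ref = node.get("malware_subject_idref") if node is not None else None
            refs.append(ref)
            if ref not in subject_ids:
                problems.append("edge %d: %s references unknown Malware Subject %r"
                                % (n, node_name, ref))
        index, distance = edge.get("similarity_index"), edge.get("similarity_distance")
        if index is not None and distance is not None:
            if abs(float(index) + float(distance) - 1.0) > tolerance:
                problems.append("edge %d (%s, %s): similarity_index %s + similarity_distance %s != 1"
                                % (n, refs[0], refs[1], index, distance))
    return problems


def run_checks(xml_text):
    """Parse a Package document and return the outcome of all three checks."""
    root = ET.fromstring(xml_text)
    if root.tag != MP + "MAEC_Package":
        raise ValueError("root element is not maecPackage:MAEC_Package")
    return {
        "schema_version_ok": check_schema_version(root),
        "duplicate_ids": find_duplicate_ids(root),
        "edge_problems": check_cluster_edges(root),
    }


if __name__ == "__main__":
    for key, value in run_checks(SAMPLE_PACKAGE).items():
        print(key, value)
```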
Complex Type maecPackage:MalwareSubjectListType
Namespace
http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The MalwareSubjectListType captures a list of Malware Subjects.
<xs:complexType name="MalwareSubjectListType"><xs:annotation><xs:documentation>The MalwareSubjectListType captures a list of Malware Subjects.</xs:documentation></xs:annotation><xs:sequence><xs:element maxOccurs="unbounded" name="Malware_Subject" type="maecPackage:MalwareSubjectType"><xs:annotation><xs:documentation>The Malware_Subject field represents a single Malware Subject (most commonly a file) and its associated metadata, such as Analyses, Bundles, relationships to other Malware Subjects, etc.</xs:documentation></xs:annotation></xs:element></xs:sequence></xs:complexType>
Complex Type maecPackage:MalwareSubjectType
Namespace
http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The MalwareSubjectType captures all of the details pertaining to a single malware instance, including any corresponding Analyses, Field Data, Findings Bundles, and relationships to other Malware Subjects.
The required id field specifies a unique ID for this Malware Subject.
Source
<xs:complexType name="MalwareSubjectType"><xs:annotation><xs:documentation>The MalwareSubjectType captures all of the details pertaining to a single malware instance, including any corresponding Analyses, Field Data, Findings Bundles, and relationships to other Malware Subjects.</xs:documentation></xs:annotation><xs:sequence><xs:element maxOccurs="1" name="Malware_Instance_Object_Attributes" type="cybox:ObjectType"><xs:annotation><xs:documentation>The Malware_Instance_Object_Attributes field characterizes the attributes of the malware instance object (most commonly a file) that is encompassed in the Malware_Subject, via its corresponding CybOX Object. For example, a file would be represented via a CybOX File field of type FileObj:FileObjectType and may have a file name, MD5 hash, etc.</xs:documentation></xs:annotation></xs:element><xs:element maxOccurs="unbounded" minOccurs="0" name="Label" type="cyboxCommon:ControlledVocabularyStringType"><xs:annotation><xs:documentation>The Label field specifies a single commonly accepted label to describe the Malware Subject, e.g. "worm". The default vocabulary for this field is the MalwareLabelVocab-1.0 from the MAEC Default Vocabularies schema. 
More than one label may be specified through the use of multiple instances of this field.</xs:documentation></xs:annotation></xs:element><xs:element minOccurs="0" name="Configuration_Details" type="maecPackage:MalwareConfigurationDetailsType"><xs:annotation><xs:documentation>The Configuration_Details field captures details of the configuration specified for the Malware Subject, such as configuration parameters.</xs:documentation></xs:annotation></xs:element><xs:element minOccurs="0" name="Development_Environment" type="maecPackage:MalwareDevelopmentEnvironmentType"><xs:annotation><xs:documentation>The Development_Environment field captures details of the development environment used in the creation of the malware instance characterized by the Malware Subject.</xs:documentation></xs:annotation></xs:element><xs:element minOccurs="0" name="Minor_Variants" type="maecPackage:MinorVariantListType"><xs:annotation><xs:documentation>The Minor_Variants field captures any minor variants of the malware instance object, such as the same file but with different filenames.</xs:documentation></xs:annotation></xs:element><xs:element minOccurs="0" name="Field_Data" type="metadata:fieldDataEntry"><xs:annotation><xs:documentation>The Field_Data field captures field data and prevalence information relating to the Malware Subject. It uses the fieldDataEntry type from the MMDEF v1.2 schema.</xs:documentation></xs:annotation></xs:element><xs:element minOccurs="0" name="Analyses" type="maecPackage:AnalysisListType"><xs:annotation><xs:documentation>The Analyses field captures any Analyses (including their associated metadata such as tools used, etc.) 
that were performed on the Malware Subject.</xs:documentation></xs:annotation></xs:element><xs:element minOccurs="0" name="Findings_Bundles" type="maecPackage:FindingsBundleListType"><xs:annotation><xs:documentation>The Findings_Bundles field specifies any MAEC Bundles pertaining to the Malware Subject, thus capturing any observed or discovered Behaviors, Actions, or Objects. These Bundles can either be abstract, or referenced as the result of an analysis that was performed on the malware.</xs:documentation></xs:annotation></xs:element><xs:element minOccurs="0" name="Relationships" type="maecPackage:MalwareSubjectRelationshipListType"><xs:annotation><xs:documentation>The Relationships field captures any relationships between the Malware Subject and other Malware Subjects.</xs:documentation></xs:annotation></xs:element><xs:element maxOccurs="unbounded" minOccurs="0" name="Compatible_Platform" type="cyboxCommon:PlatformSpecificationType"><xs:annotation><xs:documentation>The Compatible_Platform field specifies a single platform that the Malware Subject is compatible with (i.e. can execute on). It uses the PlatformSpecificationType from the imported CybOX Common schema. More than one compatible platform can be specified by using multiple occurrences of this field.</xs:documentation></xs:annotation></xs:element></xs:sequence><xs:attribute name="id" use="required" type="xs:QName"><xs:annotation><xs:documentation>The required id field specifies a unique ID for this Malware Subject.</xs:documentation></xs:annotation></xs:attribute></xs:complexType>
Complex Type maecPackage:MalwareConfigurationDetailsType
Namespace
http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The MalwareConfigurationDetailsType captures details of malware configuration parameters and associated metadata.
<xs:complexType name="MalwareConfigurationDetailsType"><xs:annotation><xs:documentation>The MalwareConfigurationDetailsType captures details of malware configuration parameters and associated metadata.</xs:documentation></xs:annotation><xs:sequence><xs:element minOccurs="0" name="Storage" type="maecPackage:MalwareConfigurationStorageDetailsType"><xs:annotation><xs:documentation>The Storage field captures details of how the malware configuration parameters may be stored, e.g. in a separate file, in memory, etc.</xs:documentation></xs:annotation></xs:element><xs:element minOccurs="0" name="Obfuscation" type="maecPackage:MalwareConfigurationObfuscationDetailsType"><xs:annotation><xs:documentation>The Obfuscation field captures details of how the malware configuration parameters may be obfuscated, if applicable.</xs:documentation></xs:annotation></xs:element><xs:element maxOccurs="unbounded" minOccurs="0" name="Configuration_Parameter" type="maecPackage:MalwareConfigurationParameterType"><xs:annotation><xs:documentation>The Configuration_Parameter field captures a single configuration parameter that may be defined for the Malware Subject. More than one configuration parameter may be specified by using multiple occurrences of this field.</xs:documentation></xs:annotation></xs:element></xs:sequence></xs:complexType>
Complex Type maecPackage:MalwareConfigurationStorageDetailsType
Namespace
http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The MalwareConfigurationStorageDetailsType captures details relating to the storage of malware configuration parameters.
<xs:complexType name="MalwareConfigurationStorageDetailsType"><xs:annotation><xs:documentation>The MalwareConfigurationStorageDetailsType captures details relating to the storage of malware configuration parameters.</xs:documentation></xs:annotation><xs:sequence><xs:element minOccurs="0" name="Malware_Binary" type="maecPackage:MalwareBinaryConfigurationStorageDetailsType"><xs:annotation><xs:documentation>The Malware_Binary field captures properties related to the storage of malware configuration parameters inside the malware binary captured in the Malware_Instance_Object_Attributes field.</xs:documentation></xs:annotation></xs:element><xs:element minOccurs="0" name="File" type="FileObj:FileObjectType"><xs:annotation><xs:documentation>The File field captures the properties of a configuration file, for cases where the Malware Subject stores its configuration parameters in a separate file.</xs:documentation><xs:documentation>This field uses the FileObjectType from the imported CybOX File Object.</xs:documentation></xs:annotation></xs:element><xs:element maxOccurs="unbounded" minOccurs="0" name="URL" type="URIObj:URIObjectType"><xs:annotation><xs:documentation>The URL field captures a URL at which the configuration parameters for the Malware Subject may be stored. More than one such URL may be specified by using multiple occurrences of this field.</xs:documentation><xs:documentation>This field uses the URIObjectType from the imported CybOX URI Object.</xs:documentation></xs:annotation></xs:element></xs:sequence></xs:complexType>
Complex Type maecPackage:MalwareBinaryConfigurationStorageDetailsType
Namespace
http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The MalwareBinaryConfigurationStorageDetailsType captures details relating to the storage of malware configuration parameters inside the malware binary itself.
<xs:complexType name="MalwareBinaryConfigurationStorageDetailsType"><xs:annotation><xs:documentation>The MalwareBinaryConfigurationStorageDetailsType captures details relating to the storage of malware configuration parameters inside the malware binary itself.</xs:documentation></xs:annotation><xs:sequence><xs:element minOccurs="0" name="File_Offset" type="xs:hexBinary"><xs:annotation><xs:documentation>The File_Offset field specifies the offset to the start of the malware configuration parameters in the malware binary.</xs:documentation></xs:annotation></xs:element><xs:element minOccurs="0" name="Section_Name" type="xs:string"><xs:annotation><xs:documentation>The Section_Name field specifies the name of the PE section in the malware binary that contains the malware configuration parameters, for PE file malware binaries.</xs:documentation></xs:annotation></xs:element><xs:element minOccurs="0" name="Section_Offset" type="xs:hexBinary"><xs:annotation><xs:documentation>The Section_Offset field specifies the offset, within the PE section of the malware binary that contains the malware configuration parameters, to the start of the parameters themselves, for PE file malware binaries.</xs:documentation></xs:annotation></xs:element></xs:sequence></xs:complexType>
Complex Type maecPackage:MalwareConfigurationObfuscationDetailsType
Namespace
http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The MalwareConfigurationObfuscationDetailsType captures details relating to the obfuscation of malware configuration parameters.
The is_encrypted field specifies that the malware configuration parameters are encrypted with the algorithm captured in the Algorithm_Details field.
Source
<xs:complexType name="MalwareConfigurationObfuscationDetailsType"><xs:annotation><xs:documentation>The MalwareConfigurationObfuscationDetailsType captures details relating to the obfuscation of malware configuration parameters.</xs:documentation></xs:annotation><xs:sequence><xs:element maxOccurs="unbounded" minOccurs="0" name="Algorithm_Details" type="maecPackage:MalwareConfigurationObfuscationAlgorithmType"><xs:annotation><xs:documentation>The Algorithm_Details field captures the details of the algorithm used to encode or encrypt the malware configuration parameters, including the name of the algorithm and its key. More than one encryption or encoding algorithm may be specified by using multiple occurrences of this field.</xs:documentation></xs:annotation></xs:element></xs:sequence><xs:attribute name="is_encoded" type="xs:boolean"><xs:annotation><xs:documentation>The is_encoded field specifies that the malware configuration parameters are encoded with the algorithm captured in the Algorithm_Details field.</xs:documentation></xs:annotation></xs:attribute><xs:attribute name="is_encrypted" type="xs:boolean"><xs:annotation><xs:documentation>The is_encrypted field specifies that the malware configuration parameters are encrypted with the algorithm captured in the Algorithm_Details field.</xs:documentation></xs:annotation></xs:attribute></xs:complexType>
Complex Type maecPackage:MalwareConfigurationObfuscationAlgorithmType
Namespace
http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The MalwareConfigurationObfuscationAlgorithmType captures the details of an algorithm used to encode or encrypt malware configuration parameters.
The ordinal_position field specifies the explicit ordering of the usage of the algorithm with respect to the other algorithms used to encrypt or encode the malware configuration parameters, for cases where more than one algorithm was used.
Source
<xs:complexType name="MalwareConfigurationObfuscationAlgorithmType"><xs:annotation><xs:documentation>The MalwareConfigurationObfuscationAlgorithmType captures the details of an algorithm used to encode or encrypt malware configuration parameters.</xs:documentation></xs:annotation><xs:sequence><xs:element minOccurs="0" name="Key" type="xs:hexBinary"><xs:annotation><xs:documentation>The Key field captures the hexadecimal key used to decrypt the configuration parameters.</xs:documentation></xs:annotation></xs:element><xs:element maxOccurs="1" minOccurs="0" name="Algorithm_Name" type="cyboxCommon:ControlledVocabularyStringType"><xs:annotation><xs:documentation>The Algorithm_Name field captures the name of the encoding or encryption algorithm used to obfuscate the malware configuration parameters.</xs:documentation></xs:annotation></xs:element></xs:sequence><xs:attribute name="ordinal_position" type="xs:positiveInteger"><xs:annotation><xs:documentation>The ordinal_position field specifies the explicit ordering of the usage of the algorithm with respect to the other algorithms used to encrypt or encode the malware configuration parameters, for cases where more than one algorithm was used.</xs:documentation></xs:annotation></xs:attribute></xs:complexType>
Complex Type maecPackage:MalwareConfigurationParameterType
Namespace
http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The MalwareConfigurationParameterType captures a single configuration parameter that may be defined for a malware instance, as a name/value pair.
<xs:complexType name="MalwareConfigurationParameterType"><xs:annotation><xs:documentation>The MalwareConfigurationParameterType captures a single configuration parameter that may be defined for a malware instance, as a name/value pair.</xs:documentation></xs:annotation><xs:sequence><xs:element minOccurs="0" name="Name" type="cyboxCommon:ControlledVocabularyStringType"><xs:annotation><xs:documentation>The Name field specifies the name of the malware configuration parameter. It uses the MalwareConfigurationParameterVocab vocabulary from the MAEC Default Vocabularies schemas as its default vocabulary. Parameters that are not included in this vocabulary may also be specified, in which case it is recommended to use the exact name of the parameter.</xs:documentation></xs:annotation></xs:element><xs:element minOccurs="0" name="Value" type="xs:string"><xs:annotation><xs:documentation>The Value field captures the value of the malware configuration parameter.</xs:documentation></xs:annotation></xs:element></xs:sequence></xs:complexType>
Complex Type maecPackage:MalwareDevelopmentEnvironmentType
Namespace
http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The MalwareDevelopmentEnvironmentType captures details of the development environment used in developing the malware instance, such as information on any tools that were used.
<xs:complexType name="MalwareDevelopmentEnvironmentType"><xs:annotation><xs:documentation>The MalwareDevelopmentEnvironmentType captures details of the development environment used in developing the malware instance, such as information on any tools that were used.</xs:documentation></xs:annotation><xs:sequence><xs:element minOccurs="0" name="Tools" type="cyboxCommon:ToolsInformationType"><xs:annotation><xs:documentation>The Tools field captures the properties of one or more tools used in the development of the malware instance. For the Type field in each Tool, the MAEC MalwareDevelopmentToolVocab (from the MAEC Default Vocabularies Schema) should be used as the default vocabulary.</xs:documentation></xs:annotation></xs:element><xs:element maxOccurs="unbounded" minOccurs="0" name="Debugging_File" type="FileObj:FileObjectType"><xs:annotation><xs:documentation>The Debugging_File field captures the properties of a debugging file associated with the malware instance, such as a PDB file. It uses the FileObjectType from the imported File Object Schema. More than one Debugging_File can be specified by using multiple instances of this field.</xs:documentation></xs:annotation></xs:element></xs:sequence></xs:complexType>
Complex Type maecPackage:MinorVariantListType
Namespace
http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The MinorVariantListType captures a list of minor variants of a Malware Subject's malware instance object. For example, the same binary but with different filenames.
<xs:complexType name="MinorVariantListType"><xs:annotation><xs:documentation>The MinorVariantListType captures a list of minor variants of a Malware Subject's malware instance object. For example, the same binary but with different filenames.</xs:documentation></xs:annotation><xs:sequence><xs:element maxOccurs="unbounded" minOccurs="1" name="Minor_Variant" type="cybox:ObjectType"><xs:annotation><xs:documentation>The Minor_Variant field captures a single minor variant of the malware instance object.</xs:documentation></xs:annotation></xs:element></xs:sequence></xs:complexType>
Complex Type maecPackage:AnalysisListType
Namespace
http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The AnalysisListType captures a list of analyses that were performed on a Malware Subject.
<xs:complexType name="AnalysisListType"><xs:annotation><xs:documentation>The AnalysisListType captures a list of analyses that were performed on a Malware Subject.</xs:documentation></xs:annotation><xs:sequence><xs:element maxOccurs="unbounded" name="Analysis" type="maecPackage:AnalysisType"><xs:annotation><xs:documentation>The Analysis field represents the metadata regarding a single analysis that was performed on a Malware Subject.</xs:documentation></xs:annotation></xs:element></xs:sequence></xs:complexType>
Complex Type maecPackage:AnalysisType
Namespace
http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The AnalysisType provides a way of capturing the information associated with the analysis of a malware instance, such as the subject, authors, start datetime, and other relevant data.
The type field specifies the type of malware analysis being performed.
Source
<xs:complexType name="AnalysisType"><xs:annotation><xs:documentation>The AnalysisType provides a way of capturing the information associated with the analysis of a malware instance, such as the subject, authors, start datetime, and other relevant data.</xs:documentation></xs:annotation><xs:sequence><xs:element minOccurs="0" name="Source" type="maecPackage:SourceType"><xs:annotation><xs:documentation>The Source field specifies information about the internal or external source of the analysis, if applicable.</xs:documentation></xs:annotation></xs:element><xs:element maxOccurs="1" minOccurs="0" name="Analysts" type="cyboxCommon:PersonnelType"><xs:annotation><xs:documentation>The Analysts field specifies the analyst(s) who performed the analysis.</xs:documentation></xs:annotation></xs:element><xs:element minOccurs="0" name="Summary" type="cyboxCommon:StructuredTextType"><xs:annotation><xs:documentation>The Summary field specifies a summary of the analysis that was performed. It should be high-level and concise. It should summarize the contents of the Report field, if present, and otherwise should provide a brief synopsis of the analysis that was performed and any highlights.</xs:documentation></xs:annotation></xs:element><xs:element maxOccurs="1" minOccurs="0" name="Comments" type="maecPackage:CommentListType"><xs:annotation><xs:documentation>The Comments field specifies any comments regarding the analysis that was performed. A comment should be attributable to a specific analyst and should reflect particular insights of the author that are significant from an analysis standpoint. 
The contents of comments are typically not contained in the Report.</xs:documentation></xs:annotation></xs:element><xs:element minOccurs="0" name="Findings_Bundle_Reference" type="maecBundle:BundleReferenceType" maxOccurs="unbounded"><xs:annotation><xs:documentation>The Findings_Bundle_Reference field specifies a reference to the Bundle which encompasses the results and output of the Analysis in terms of its corresponding MAEC entities, such as Behaviors and Actions. More than one Bundle may be referenced by using multiple occurrences of this field.</xs:documentation></xs:annotation></xs:element><xs:element maxOccurs="1" minOccurs="0" name="Tools" type="maecPackage:ToolListType"><xs:annotation><xs:documentation>The Tools field specifies information about the tool(s) used in the analysis, via the CybOX ToolInformationType. If only a single Tool is specified, then this implies that this tool was responsible for all of the findings contained in the Bundle referenced by the Findings_Bundle_Reference element.</xs:documentation></xs:annotation></xs:element><xs:element minOccurs="0" name="Dynamic_Analysis_Metadata" type="maecPackage:DynamicAnalysisMetadataType"><xs:annotation><xs:documentation>The Dynamic_Analysis_Metadata field specifies metadata pertaining to the dynamic analysis of the subject binary, such as the command line used, the duration of the analysis, etc.</xs:documentation></xs:annotation></xs:element><xs:element minOccurs="0" name="Analysis_Environment" type="maecPackage:AnalysisEnvironmentType"><xs:annotation><xs:documentation>The Analysis_Environment field specifies attributes for characterizing the analysis environment in which the analysis was performed.</xs:documentation></xs:annotation></xs:element><xs:element minOccurs="0" name="Report" type="cyboxCommon:StructuredTextType"><xs:annotation><xs:documentation>The Report field specifies the textual report regarding the analysis performed on the malware. 
The Report should correspond to the human-readable prose document that captures key aspects and outcomes of the analysis.</xs:documentation></xs:annotation></xs:element></xs:sequence><xs:attribute name="id" type="xs:QName" use="required"><xs:annotation><xs:documentation>The required id field specifies a unique ID for this Analysis.</xs:documentation></xs:annotation></xs:attribute><xs:attribute name="type" type="maecPackage:AnalysisTypeEnum"><xs:annotation><xs:documentation>The type field specifies the type of malware analysis being performed.</xs:documentation></xs:annotation></xs:attribute><xs:attribute name="method" type="maecPackage:AnalysisMethodEnum"><xs:annotation><xs:documentation>The method field specifies the analysis method used in the analysis.</xs:documentation></xs:annotation></xs:attribute><xs:attribute name="ordinal_position" type="xs:positiveInteger"><xs:annotation><xs:documentation>The ordinal_position field specifies the ordering of the analysis with respect to the other analyses performed on the Malware Subject.</xs:documentation></xs:annotation></xs:attribute><xs:attribute name="start_datetime" type="xs:dateTime"><xs:annotation><xs:documentation>The start_datetime field specifies the date/time the analysis was started.</xs:documentation></xs:annotation></xs:attribute><xs:attribute name="complete_datetime" type="xs:dateTime"><xs:annotation><xs:documentation>The complete_datetime field specifies the date/time the analysis was completed.</xs:documentation></xs:annotation></xs:attribute><xs:attribute name="lastupdate_datetime" type="xs:dateTime"><xs:annotation><xs:documentation>The lastupdate_datetime field specifies the date/time the analysis was last updated.</xs:documentation></xs:annotation></xs:attribute></xs:complexType>
Complex Type maecPackage:SourceType
Namespace
http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The SourceType provides a way of characterizing the external source of a relevant MAEC entity, such as an Analysis.
<xs:complexType name="SourceType"><xs:annotation><xs:documentation>The SourceType provides a way of characterizing the external source of a relevant MAEC entity, such as an Analysis.</xs:documentation></xs:annotation><xs:sequence><xs:element name="Name" type="xs:string" minOccurs="0"><xs:annotation><xs:documentation>The Name field refers to the name of the person linked to the source.</xs:documentation></xs:annotation></xs:element><xs:element minOccurs="0" name="Method" type="xs:string"><xs:annotation><xs:documentation>The Method field provides an abstract way of specifying the method used to obtain the data that the Source element refers to.</xs:documentation></xs:annotation></xs:element><xs:element minOccurs="0" name="Reference" type="xs:string"><xs:annotation><xs:documentation>The Reference field provides an abstract way of specifying a reference name or ID for the source.</xs:documentation></xs:annotation></xs:element><xs:element minOccurs="0" name="Organization" type="xs:string"><xs:annotation><xs:documentation>The Organization field specifies the name of the organization from which the source originated.</xs:documentation></xs:annotation></xs:element><xs:element minOccurs="0" name="URL" type="xs:anyURI"><xs:annotation><xs:documentation>The URL field specifies the Uniform Resource Locator (URL) of the external source, if applicable.</xs:documentation></xs:annotation></xs:element></xs:sequence></xs:complexType>
Complex Type maecPackage:CommentListType
Namespace
http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The CommentListType provides a simple way of capturing any comments relating to MAEC entities, such as Analyses.
<xs:complexType name="CommentListType"><xs:annotation><xs:documentation>The CommentListType provides a simple way of capturing any comments relating to MAEC entities, such as Analyses.</xs:documentation></xs:annotation><xs:sequence><xs:element maxOccurs="unbounded" name="Comment" type="maecPackage:CommentType"><xs:annotation><xs:documentation>The Comment field specifies a single comment pertaining to a particular MAEC entity.</xs:documentation></xs:annotation></xs:element></xs:sequence></xs:complexType>
Complex Type maecPackage:CommentType
Namespace
http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The CommentType captures a comment relating to some MAEC field.
The observation_name field captures the name, type, or identifier of an observation, for comments that refer to the observation of particular entities. For example, a comment that refers to a command and control (C2) encryption key could have an observation_name of "C2 Encryption Key".
Used to indicate a particular structuring format (e.g., HTML5) used within an instance of StructuredTextType. Note that if the markup tags used by this format would be interpreted as XML information (such as the bracket-based tags of HTML) the text area should be enclosed in a CDATA section to prevent the markup from interfering with XML validation of the CybOX document. If this attribute is absent, the implication is that no markup is being used.
The timestamp field specifies the date/time that the comment was added.
Source
<xs:complexType name="CommentType"><xs:annotation><xs:documentation>The CommentType captures a comment relating to some MAEC field.</xs:documentation></xs:annotation><xs:simpleContent><xs:extension base="cyboxCommon:StructuredTextType"><xs:attribute name="author" type="xs:string"><xs:annotation><xs:documentation>The author field specifies the name of the author that added the comment.</xs:documentation></xs:annotation></xs:attribute><xs:attribute name="timestamp" type="xs:dateTime"><xs:annotation><xs:documentation>The timestamp field specifies the date/time that the comment was added.</xs:documentation></xs:annotation></xs:attribute><xs:attribute name="observation_name" type="xs:string"><xs:annotation><xs:documentation>The observation_name field captures the name, type, or identifier of an observation, for comments that refer to the observation of particular entities. For example, a comment that refers to a command and control (C2) encryption key could have an observation_name of "C2 Encryption Key".</xs:documentation></xs:annotation></xs:attribute></xs:extension></xs:simpleContent></xs:complexType>
Complex Type maecPackage:ToolListType
Namespace
http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The ToolListType characterizes one or more tools, such as those used in the analysis of a Malware Subject.
<xs:complexType name="ToolListType"><xs:annotation><xs:documentation>The ToolListType characterizes one or more tools, such as those used in the analysis of a Malware Subject.</xs:documentation></xs:annotation><xs:sequence maxOccurs="1"><xs:element maxOccurs="unbounded" name="Tool" type="cyboxCommon:ToolInformationType" minOccurs="1"><xs:annotation><xs:documentation>The Tool field specifies a single tool in the list.</xs:documentation></xs:annotation></xs:element></xs:sequence></xs:complexType>
Complex Type maecPackage:DynamicAnalysisMetadataType
Namespace
http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The DynamicAnalysisMetadataType captures any metadata specific to the dynamic analysis of a malware instance.
<xs:complexType name="DynamicAnalysisMetadataType"><xs:annotation><xs:documentation>The DynamicAnalysisMetadataType captures any metadata specific to the dynamic analysis of a malware instance.</xs:documentation></xs:annotation><xs:sequence><xs:element minOccurs="0" name="Command_Line" type="xs:string"><xs:annotation><xs:documentation>The Command_Line field specifies the command line used to launch the subject binary.</xs:documentation></xs:annotation></xs:element><xs:element minOccurs="0" name="Analysis_Duration" type="xs:float"><xs:annotation><xs:documentation>The Analysis_Duration field specifies the duration of the overall dynamic analysis process, in seconds.</xs:documentation></xs:annotation></xs:element><xs:element minOccurs="0" name="Exit_Code" type="xs:integer"><xs:annotation><xs:documentation>The Exit_Code field specifies the exit code with which the subject binary exited.</xs:documentation></xs:annotation></xs:element><xs:element maxOccurs="unbounded" minOccurs="0" name="Raised_Exception" type="maecPackage:MalwareExceptionType"><xs:annotation><xs:documentation>The Raised_Exception field captures a single exception that was raised (or thrown) during the execution of the malware instance. More than one exception may be captured through the use of multiple instances of this field.</xs:documentation></xs:annotation></xs:element></xs:sequence></xs:complexType>
Complex Type maecPackage:MalwareExceptionType
Namespace
http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The MalwareExceptionType captures details of exceptions that may be raised as a result of a malware instance executing on a system.
The is_fatal field specifies whether the exception is fatal; that is, whether it caused the malware instance to terminate.
Source
<xs:complexType name="MalwareExceptionType"><xs:annotation><xs:documentation>The MalwareExceptionType captures details of exceptions that may be raised as a result of a malware instance executing on a system.</xs:documentation></xs:annotation><xs:complexContent><xs:extension base="cyboxCommon:ErrorType"><xs:sequence><xs:element minOccurs="0" name="Exception_Code" type="xs:string"><xs:annotation><xs:documentation>The Exception_Code field captures the particular code that identifies the type of exception that occurred.</xs:documentation></xs:annotation></xs:element><xs:element minOccurs="0" name="Faulting_Address" type="xs:hexBinary"><xs:annotation><xs:documentation>The Faulting_Address field captures the memory address where the exception occurred.</xs:documentation></xs:annotation></xs:element><xs:element minOccurs="0" name="Description" type="xs:short"><xs:annotation><xs:documentation>The Description field captures the textual description of the exception.</xs:documentation></xs:annotation></xs:element></xs:sequence><xs:attribute name="is_fatal" type="xs:boolean"><xs:annotation><xs:documentation>The is_fatal field specifies whether the exception is fatal; that is, whether it caused the malware instance to terminate.</xs:documentation></xs:annotation></xs:attribute></xs:extension></xs:complexContent></xs:complexType>
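The two types above are what a consumer of a sandbox report reads to learn how a run ended. The following Python script is an added example (not MAEC project code) that parses a constructed Dynamic_Analysis_Metadata fragment with the standard library and derives a "crashed" verdict from the is_fatal attribute of each Raised_Exception. It assumes the package schema declares its child elements as namespace-qualified (so every child sits in the maecPackage namespace), and the command line, exit code, exception codes and faulting addresses in the sample are constructed values. One caveat worth knowing before writing such data: in this schema revision the Description child of MalwareExceptionType is typed xs:short, although its documentation describes textual content, so the sample leaves Description out.

```python
"""Summarise a MAEC Dynamic_Analysis_Metadata element (added example, not MAEC project code)."""
import xml.etree.ElementTree as ET

MAEC_PKG = "http://maec.mitre.org/XMLSchema/maec-package-2"
NS = {"maecPackage": MAEC_PKG}

# Constructed sample run (not from any real report). It assumes the package schema
# uses qualified child elements, so every child sits in the maecPackage namespace.
# The Description child is omitted on purpose: in this schema revision it is typed
# xs:short, so a textual description would not validate.
SAMPLE_XML = """\
<maecPackage:Dynamic_Analysis_Metadata
    xmlns:maecPackage="http://maec.mitre.org/XMLSchema/maec-package-2">
  <maecPackage:Command_Line>C:\\samples\\dropper.exe /silent</maecPackage:Command_Line>
  <maecPackage:Analysis_Duration>42.5</maecPackage:Analysis_Duration>
  <maecPackage:Exit_Code>-1073741819</maecPackage:Exit_Code>
  <maecPackage:Raised_Exception is_fatal="false">
    <maecPackage:Exception_Code>EXCEPTION_ACCESS_VIOLATION</maecPackage:Exception_Code>
    <maecPackage:Faulting_Address>00401000</maecPackage:Faulting_Address>
  </maecPackage:Raised_Exception>
  <maecPackage:Raised_Exception is_fatal="true">
    <maecPackage:Exception_Code>EXCEPTION_ACCESS_VIOLATION</maecPackage:Exception_Code>
    <maecPackage:Faulting_Address>7FFE0300</maecPackage:Faulting_Address>
  </maecPackage:Raised_Exception>
</maecPackage:Dynamic_Analysis_Metadata>
"""


def xs_boolean(value, default=False):
    """Decode an xs:boolean lexical value ('true', 'false', '1', '0')."""
    if value is None:
        return default
    return value.strip() in ("true", "1")


def _child_text(element, tag):
    """Stripped text of the named maecPackage child, or None when absent/empty."""
    child = element.find(f"maecPackage:{tag}", NS)
    if child is None or child.text is None:
        return None
    return child.text.strip()


def summarize_dynamic_run(xml_text):
    """Return the run metadata plus a 'crashed' verdict derived from fatal exceptions."""
    root = ET.fromstring(xml_text)
    exceptions = []
    for exc in root.findall("maecPackage:Raised_Exception", NS):
        address = _child_text(exc, "Faulting_Address")
        exceptions.append({
            "code": _child_text(exc, "Exception_Code"),
            # xs:hexBinary carries the address as hex digits; decode to an int for comparison
            "faulting_address": int(address, 16) if address else None,
            "is_fatal": xs_boolean(exc.get("is_fatal")),
        })
    duration = _child_text(root, "Analysis_Duration")
    exit_code = _child_text(root, "Exit_Code")
    return {
        "command_line": _child_text(root, "Command_Line"),
        "duration_s": float(duration) if duration else None,
        "exit_code": int(exit_code) if exit_code else None,
        "exceptions": exceptions,
        # A fatal exception means observed behaviour stops there: later stages of the
        # sample (persistence, C2) may simply never have run in this environment.
        "crashed": any(e["is_fatal"] for e in exceptions),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(summarize_dynamic_run(SAMPLE_XML), indent=2))
```

The "crashed" flag is the practical point: a report whose dynamic metadata carries a fatal exception documents an incomplete run, so the absence of later behaviour in its Bundles is not evidence that the sample lacks it.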
Complex Type maecPackage:AnalysisEnvironmentType
Namespace
http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The AnalysisEnvironmentType provides mechanisms for characterizing the particular hardware/software environment used in the analysis of a Malware Subject.
<xs:complexType name="AnalysisEnvironmentType"><xs:annotation><xs:documentation>The AnalysisEnvironmentType provides mechanisms for characterizing the particular hardware/software environment used in the analysis of a Malware Subject.</xs:documentation></xs:annotation><xs:sequence><xs:element minOccurs="0" name="Hypervisor_Host_System" type="maecPackage:HypervisorHostSystemType"><xs:annotation><xs:documentation>The Hypervisor_Host_System field characterizes the (physical) host system used in the analysis on which the VM Hypervisor runs. This element imports and extends the CybOX System Object.</xs:documentation></xs:annotation></xs:element><xs:element minOccurs="0" name="Analysis_Systems" type="maecPackage:AnalysisSystemListType"><xs:annotation><xs:documentation>The Analysis_Systems field characterizes the system(s) (real or virtual) on which the actual analysis was performed, including information about both the hardware and software, such as the properties of its BIOS, processor architecture, and operating system. This element imports and extends the CybOX System Object.</xs:documentation></xs:annotation></xs:element><xs:element minOccurs="0" name="Network_Infrastructure" type="maecPackage:NetworkInfrastructureType"><xs:annotation><xs:documentation>The Network_Infrastructure field captures details of the network infrastructure used in the analysis environment, such as any network protocols that are captured or manipulated.</xs:documentation></xs:annotation></xs:element></xs:sequence></xs:complexType>
Complex Type maecPackage:HypervisorHostSystemType
Namespace
http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The HypervisorHostSystemType characterizes the VM Hypervisor host system used in the malware analysis environment.
The object_reference field specifies a unique ID reference to an Object defined elsewhere. This construct allows for the re-use of the defined Properties of one Object within another, without the need to embed the full Object in the location from which it is being referenced. Thus, this ID reference is intended to resolve to the Properties of the Object that it points to.
Source
<xs:complexType name="HypervisorHostSystemType"><xs:annotation><xs:documentation>The HypervisorHostSystemType characterizes the VM Hypervisor host system used in the malware analysis environment.</xs:documentation></xs:annotation><xs:complexContent><xs:extension base="SystemObj:SystemObjectType"><xs:sequence><xs:element minOccurs="0" name="VM_Hypervisor" type="cyboxCommon:PlatformSpecificationType"><xs:annotation><xs:documentation>The VM_Hypervisor field refers to the name of the VM Hypervisor that hosts the operating system(s) on which the analysis was performed, if applicable, via a Common Platform Enumeration (CPE) identifier. See http://cpe.mitre.org for more information on CPE.</xs:documentation></xs:annotation></xs:element></xs:sequence></xs:extension></xs:complexContent></xs:complexType>
Complex Type maecPackage:AnalysisSystemListType
Namespace
http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The AnalysisSystemListType captures a list of the systems, physical or virtual, used in the analysis of a Malware Subject.
<xs:complexType name="AnalysisSystemListType"><xs:annotation><xs:documentation>The AnalysisSystemListType captures a list of the systems, physical or virtual, used in the analysis of a Malware Subject.</xs:documentation></xs:annotation><xs:sequence><xs:element maxOccurs="unbounded" name="Analysis_System" type="maecPackage:AnalysisSystemType"><xs:annotation><xs:documentation>The Analysis_System field captures a single analysis system.</xs:documentation></xs:annotation></xs:element></xs:sequence></xs:complexType>
Complex Type maecPackage:AnalysisSystemType
Namespace
http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The AnalysisSystemType is intended to characterize any systems on which malware analysis is performed. It imports and extends version 2.0.1 of the CybOX System Object.
The object_reference field specifies a unique ID reference to an Object defined elsewhere. This construct allows for the re-use of the defined Properties of one Object within another, without the need to embed the full Object in the location from which it is being referenced. Thus, this ID reference is intended to resolve to the Properties of the Object that it points to.
Source
<xs:complexType name="AnalysisSystemType"><xs:annotation><xs:documentation>The AnalysisSystemType is intended to characterize any systems on which malware analysis is performed. It imports and extends version 2.0.1 of the CybOX System Object.</xs:documentation></xs:annotation><xs:complexContent><xs:extension base="SystemObj:SystemObjectType"><xs:sequence><xs:element minOccurs="0" name="Installed_Programs" type="maecPackage:InstalledProgramsType"><xs:annotation><xs:documentation>The Installed_Programs field specifies the programs installed on the OS that was used to perform the analysis. This can be useful for clarifying the nature of the analysis environment, for instance for determining whether an exploited piece of software was present, as well as for specifying any tools that may have been installed.</xs:documentation></xs:annotation></xs:element></xs:sequence></xs:extension></xs:complexContent></xs:complexType>
Complex Type maecPackage:InstalledProgramsType
Namespace
http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The InstalledProgramsType captures the programs installed on a particular operating system image.
<xs:complexType name="InstalledProgramsType"><xs:annotation><xs:documentation>The InstalledProgramsType captures the programs installed on a particular operating system image.</xs:documentation></xs:annotation><xs:sequence><xs:element maxOccurs="unbounded" name="Program" type="cyboxCommon:PlatformSpecificationType"><xs:annotation><xs:documentation>The Program field specifies a single program that is installed on the system. It uses the PlatformSpecificationType from the CybOX Common schema.</xs:documentation></xs:annotation></xs:element></xs:sequence></xs:complexType>
Complex Type maecPackage:NetworkInfrastructureType
Namespace
http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The NetworkInfrastructureType captures specific details about the network infrastructure used in the malware analysis environment.
<xs:complexType name="NetworkInfrastructureType"><xs:annotation><xs:documentation>The NetworkInfrastructureType captures specific details about the network infrastructure used in the malware analysis environment.</xs:documentation></xs:annotation><xs:sequence><xs:element minOccurs="1" name="Captured_Protocols" type="maecPackage:CapturedProtocolListType"><xs:annotation><xs:documentation>The Captured_Protocols field specifies a list of network protocols, along with the particular level of interaction, that the malware analysis environment captures or interacts with in some fashion.</xs:documentation></xs:annotation></xs:element></xs:sequence></xs:complexType>
Complex Type maecPackage:CapturedProtocolListType
Namespace
http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The CapturedProtocolListType specifies a list of network protocols that a malware analysis environment may capture or interact with.
<xs:complexType name="CapturedProtocolListType"><xs:annotation><xs:documentation>The CapturedProtocolListType specifies a list of network protocols that a malware analysis environment may capture or interact with.</xs:documentation></xs:annotation><xs:sequence><xs:element maxOccurs="unbounded" name="Protocol" type="maecPackage:CapturedProtocolType"><xs:annotation><xs:documentation>The Protocol field specifies a single layer 4 or layer 7 network protocol captured or interacted with by the analysis environment.</xs:documentation></xs:annotation></xs:element></xs:sequence></xs:complexType>
Complex Type maecPackage:CapturedProtocolType
Namespace
http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The CapturedProtocolType specifies the details of a network protocol that may be captured or otherwise manipulated in the malware analysis environment.
The port_number field specifies the port number for this network protocol that is captured or manipulated by the analysis environment.
Source
<xs:complexType name="CapturedProtocolType"><xs:annotation><xs:documentation>The CapturedProtocolType specifies the details of a network protocol that may be captured or otherwise manipulated in the malware analysis environment.</xs:documentation></xs:annotation><xs:attribute name="layer7_protocol" type="maecPackage:Layer7ProtocolEnum"><xs:annotation><xs:documentation>The layer7_protocol field specifies the name of the Layer 7 network protocol (OSI model) captured or manipulated by the analysis environment.</xs:documentation></xs:annotation></xs:attribute><xs:attribute name="layer4_protocol" type="maecPackage:Layer4ProtocolEnum"><xs:annotation><xs:documentation>The layer4_protocol field specifies the name of the Layer 4 network protocol (OSI model) captured or manipulated by the analysis environment.</xs:documentation></xs:annotation></xs:attribute><xs:attribute name="port_number" type="xs:positiveInteger"><xs:annotation><xs:documentation>The port_number field specifies the port number for this network protocol that is captured or manipulated by the analysis environment.</xs:documentation></xs:annotation></xs:attribute><xs:attribute name="interaction_level" type="maecPackage:InteractionLevelEnum"><xs:annotation><xs:documentation>The interaction_level field specifies the relative level of interaction that the analysis environment has with the specified network protocol.</xs:documentation></xs:annotation></xs:attribute></xs:complexType>
Simple Type maecPackage:Layer7ProtocolEnum
Namespace
http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The Layer7ProtocolEnum is a non-exhaustive enumeration of Layer 7 (OSI model) network protocols.
Type
restriction of xs:string
Facets
enumeration
http
The http value specifies the Hypertext Transfer Protocol (HTTP).
enumeration
https
The https value specifies the Hypertext Transfer Protocol Secure (HTTPS).
enumeration
ftp
The ftp value specifies the File Transfer Protocol (FTP).
enumeration
ftps
The ftps value specifies the File Transfer Protocol Secure (FTPS).
enumeration
smtp
The smtp value specifies the Simple Mail Transfer Protocol (SMTP).
enumeration
smtps
The smtps value specifies the Simple Mail Transfer Protocol Secure (SMTPS).
enumeration
pop3
The pop3 value specifies the Post Office Protocol version 3 (POP3).
enumeration
pop3s
The pop3s value specifies the Post Office Protocol version 3 Secure (POP3S).
enumeration
irc
The irc value specifies the Internet Relay Chat (IRC) protocol.
enumeration
dns
The dns value specifies the Domain Name System (DNS) protocol.
enumeration
rdp
The rdp value specifies the Remote Desktop Protocol (RDP).
enumeration
rpc
The rpc value specifies some Remote Procedure Call (RPC) protocol, such as MSRPC.
enumeration
ssh
The ssh value specifies the Secure Shell (SSH) protocol.
enumeration
telnet
The telnet value specifies the Telnet protocol.
<xs:simpleType name="Layer7ProtocolEnum"><xs:annotation><xs:documentation>The Layer7ProtocolEnum is a non-exhaustive enumeration of Layer 7 (OSI model) network protocols.</xs:documentation></xs:annotation><xs:restriction base="xs:string"><xs:enumeration value="http"><xs:annotation><xs:documentation>The http value specifies the Hypertext Transfer Protocol (HTTP).</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="https"><xs:annotation><xs:documentation>The https value specifies the Hypertext Transfer Protocol Secure (HTTPS).</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="ftp"><xs:annotation><xs:documentation>The ftp value specifies the File Transfer Protocol (FTP).</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="ftps"><xs:annotation><xs:documentation>The ftps value specifies the File Transfer Protocol Secure (FTPS).</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="smtp"><xs:annotation><xs:documentation>The smtp value specifies the Simple Mail Transfer Protocol (SMTP).</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="smtps"><xs:annotation><xs:documentation>The smtps value specifies the Simple Mail Transfer Protocol Secure (SMTPS).</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="pop3"><xs:annotation><xs:documentation>The pop3 value specifies the Post Office Protocol version 3 (POP3).</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="pop3s"><xs:annotation><xs:documentation>The pop3s value specifies the Post Office Protocol version 3 Secure (POP3S).</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="irc"><xs:annotation><xs:documentation>The irc value specifies the Internet Relay Chat (IRC) protocol.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="dns"><xs:annotation><xs:documentation>The dns value specifies the Domain Name System (DNS) protocol.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="rdp"><xs:annotation><xs:documentation>The rdp value specifies the Remote Desktop Protocol (RDP).</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="rpc"><xs:annotation><xs:documentation>The rpc value specifies some Remote Procedure Call (RPC) protocol, such as MSRPC.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="ssh"><xs:annotation><xs:documentation>The ssh value specifies the Secure Shell (SSH) protocol.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="telnet"><xs:annotation><xs:documentation>The telnet value specifies the Telnet protocol.</xs:documentation></xs:annotation></xs:enumeration></xs:restriction></xs:simpleType>
Simple Type maecPackage:Layer4ProtocolEnum
Namespace
http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The Layer4ProtocolEnum is a non-exhaustive enumeration of Layer 4 (OSI model) network protocols.
Type
restriction of xs:string
Facets
enumeration
tcp
The tcp value specifies the Transmission Control Protocol (TCP).
enumeration
udp
The udp value specifies the User Datagram Protocol (UDP).
<xs:simpleType name="Layer4ProtocolEnum"><xs:annotation><xs:documentation>The Layer4ProtocolEnum is a non-exhaustive enumeration of Layer 4 (OSI model) network protocols.</xs:documentation></xs:annotation><xs:restriction base="xs:string"><xs:enumeration value="tcp"><xs:annotation><xs:documentation>The tcp value specifies the Transmission Control Protocol (TCP).</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="udp"><xs:annotation><xs:documentation>The udp value specifies the User Datagram Protocol (UDP).</xs:documentation></xs:annotation></xs:enumeration></xs:restriction></xs:simpleType>
Simple Type maecPackage:InteractionLevelEnum
Namespace
http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The InteractionLevelEnum is a non-exhaustive enumeration of interaction levels for network protocols in a malware analysis environment.
Type
restriction of xs:string
Facets
enumeration
high
The high value specifies that, for the specified protocol, the analysis environment will establish the connection and attempt to decode/identify any common protocols used by the malware. The level of decode/protocol support can be subjective and dependent on the particular environment.
enumeration
low
The low value specifies that, for the specified protocol, the analysis environment will accept the packets and will identify the initial connection request. No further interaction is performed.
enumeration
honeytrap
The honeytrap value specifies that, for the specified protocol, the analysis environment will establish the connection and attempt to interact with outgoing requests. The level of interaction can be subjective and dependent on the particular environment.
enumeration
live
The live value specifies that, for the specified protocol, the analysis environment allows the malware to connect out to the real (unemulated) IP.
enumeration
none
The none value specifies that, for the specified protocol, the analysis environment does not support or perform any level of interaction.
<xs:simpleType name="InteractionLevelEnum"><xs:annotation><xs:documentation>The InteractionLevelEnum is a non-exhaustive enumeration of interaction levels for network protocols in a malware analysis environment.</xs:documentation></xs:annotation><xs:restriction base="xs:string"><xs:enumeration value="high"><xs:annotation><xs:documentation>The high value specifies that, for the specified protocol, the analysis environment will establish the connection and attempt to decode/identify any common protocols used by the malware. The level of decode/protocol support can be subjective and dependent on the particular environment.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="low"><xs:annotation><xs:documentation>The low value specifies that, for the specified protocol, the analysis environment will accept the packets and will identify the initial connection request. No further interaction is performed.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="honeytrap"><xs:annotation><xs:documentation>The honeytrap value specifies that, for the specified protocol, the analysis environment will establish the connection and attempt to interact with outgoing requests. The level of interaction can be subjective and dependent on the particular environment.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="live"><xs:annotation><xs:documentation>The live value specifies that, for the specified protocol, the analysis environment allows the malware to connect out to the real (unemulated) IP.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="none"><xs:annotation><xs:documentation>The none value specifies that, for the specified protocol, the analysis environment does not support or perform any level of interaction.</xs:documentation></xs:annotation></xs:enumeration></xs:restriction></xs:simpleType>
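AnalysisEnvironmentType, NetworkInfrastructureType, CapturedProtocolType and the three enumerations above together describe what network traffic an analysis environment could actually see, which decides how much weight the absence of network observations in a report deserves. The Python script below is an added example (not MAEC project code): it parses a constructed Analysis_Environment fragment, checks each Protocol element's attributes against the enumerations exactly as listed on this page and against the xs:positiveInteger type of port_number, and then answers two questions a report consumer asks: which expected protocols the environment never meaningfully observed, and over which protocols the sample could reach real infrastructure. It assumes namespace-qualified child elements in the maecPackage namespace; the Hypervisor_Host_System and Analysis_Systems children are left out because their CybOX System Object base is defined outside this page, and the protocol mix in the sample is constructed.

```python
"""Check the network coverage declared in a MAEC Analysis_Environment (added example)."""
import xml.etree.ElementTree as ET

MAEC_PKG = "http://maec.mitre.org/XMLSchema/maec-package-2"
NS = {"maecPackage": MAEC_PKG}

# Enumerations exactly as listed on this page. The annotations call them
# non-exhaustive, but an xs:enumeration restriction is closed: any other value
# fails schema validation until the enumeration itself is revised.
LAYER7 = {"http", "https", "ftp", "ftps", "smtp", "smtps", "pop3", "pop3s",
          "irc", "dns", "rdp", "rpc", "ssh", "telnet"}
LAYER4 = {"tcp", "udp"}
INTERACTION = {"high", "low", "honeytrap", "live", "none"}

# Constructed sample environment (not a real sandbox's report); assumes qualified
# child elements in the maecPackage namespace.
SAMPLE_XML = """\
<maecPackage:Analysis_Environment
    xmlns:maecPackage="http://maec.mitre.org/XMLSchema/maec-package-2">
  <maecPackage:Network_Infrastructure>
    <maecPackage:Captured_Protocols>
      <maecPackage:Protocol layer7_protocol="dns" layer4_protocol="udp"
                            port_number="53" interaction_level="honeytrap"/>
      <maecPackage:Protocol layer7_protocol="http" layer4_protocol="tcp"
                            port_number="80" interaction_level="high"/>
      <maecPackage:Protocol layer7_protocol="https" layer4_protocol="tcp"
                            port_number="443" interaction_level="none"/>
      <maecPackage:Protocol layer7_protocol="irc" layer4_protocol="tcp"
                            port_number="6667" interaction_level="live"/>
    </maecPackage:Captured_Protocols>
  </maecPackage:Network_Infrastructure>
</maecPackage:Analysis_Environment>
"""


def check_protocol(attrs):
    """Return a list of problems with one Protocol element's attributes (empty if valid)."""
    problems = []
    l7 = attrs.get("layer7_protocol")
    if l7 is not None and l7 not in LAYER7:
        problems.append(f'layer7_protocol "{l7}" not in Layer7ProtocolEnum')
    l4 = attrs.get("layer4_protocol")
    if l4 is not None and l4 not in LAYER4:
        problems.append(f'layer4_protocol "{l4}" not in Layer4ProtocolEnum')
    level = attrs.get("interaction_level")
    if level is not None and level not in INTERACTION:
        problems.append(f'interaction_level "{level}" not in InteractionLevelEnum')
    port = attrs.get("port_number")
    # xs:positiveInteger only requires >= 1; the schema itself puts no 65535 ceiling on it.
    if port is not None and not (port.isdigit() and int(port) >= 1):
        problems.append(f'port_number "{port}" is not an xs:positiveInteger')
    return problems


def parse_captured_protocols(xml_text):
    """Parse every Protocol under Analysis_Environment, rejecting values outside the schema."""
    root = ET.fromstring(xml_text)
    path = ("maecPackage:Network_Infrastructure/maecPackage:Captured_Protocols/"
            "maecPackage:Protocol")
    protocols = []
    for proto in root.findall(path, NS):
        problems = check_protocol(proto.attrib)
        if problems:
            raise ValueError("; ".join(problems))
        port = proto.get("port_number")
        protocols.append({
            "layer7": proto.get("layer7_protocol"),
            "layer4": proto.get("layer4_protocol"),
            "port": int(port) if port is not None else None,
            "interaction": proto.get("interaction_level"),
        })
    return protocols


def coverage_gaps(protocols, expected):
    """Expected layer-7 protocols the environment did not observe at all.

    A protocol that is absent from Captured_Protocols or listed with
    interaction_level="none" gives no evidence either way about the sample.
    """
    seen = {p["layer7"]: p["interaction"] for p in protocols if p["layer7"]}
    return sorted(name for name in expected if seen.get(name, "none") == "none")


def live_protocols(protocols):
    """Protocols over which the sample was allowed to reach real, unemulated hosts."""
    return sorted(p["layer7"] for p in protocols
                  if p["interaction"] == "live" and p["layer7"])


if __name__ == "__main__":
    found = parse_captured_protocols(SAMPLE_XML)
    print("gaps:", coverage_gaps(found, ["dns", "http", "https", "smtp"]))
    print("live:", live_protocols(found))
```

Run against the sample, the script reports https and smtp as gaps (one declared with interaction_level="none", one not declared at all) and irc as the only protocol with live interaction, which is the kind of environment detail worth recording next to any conclusion drawn from the report's network observations.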
Simple Type maecPackage:AnalysisTypeEnum
Namespace
http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The AnalysisTypeEnum is an enumeration of types of malware analyses.
Type
restriction of xs:string
Facets
enumeration
triage
The triage value specifies a cursory, or triage, type of malware analysis, commonly automated in conjunction with one or more tools.
enumeration
in-depth
The in-depth value specifies a detailed type of malware analysis that is typically performed by a human analyst.
<xs:simpleType name="AnalysisTypeEnum"><xs:annotation><xs:documentation>The AnalysisTypeEnum is an enumeration of types of malware analyses.</xs:documentation></xs:annotation><xs:restriction base="xs:string"><xs:enumeration value="triage"><xs:annotation><xs:documentation>The triage value specifies a cursory, or triage, type of malware analysis, commonly automated in conjunction with one or more tools.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="in-depth"><xs:annotation><xs:documentation>The in-depth value specifies a detailed type of malware analysis that is typically performed by a human analyst.</xs:documentation></xs:annotation></xs:enumeration></xs:restriction></xs:simpleType>
Simple Type maecPackage:AnalysisMethodEnum
Namespace
http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The AnalysisMethodEnum is an enumeration of malware analysis methods.
Type
restriction of xs:string
Facets
enumeration
static
The static value specifies a static malware analysis method, which is achieved by inspecting but not executing the malware instance.
enumeration
dynamic
The dynamic value specifies a dynamic malware analysis method, which is achieved by executing but not inspecting the malware instance.
enumeration
combination
The combination value specifies a combination of dynamic and static malware analysis, achieved by both inspecting and executing the malware instance.
<xs:simpleType name="AnalysisMethodEnum"><xs:annotation><xs:documentation>The AnalysisMethodEnum is an enumeration of malware analysis methods.</xs:documentation></xs:annotation><xs:restriction base="xs:string"><xs:enumeration value="static"><xs:annotation><xs:documentation>The static value specifies a static malware analysis method, which is achieved by inspecting but not executing the malware instance.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="dynamic"><xs:annotation><xs:documentation>The dynamic value specifies a dynamic malware analysis method, which is achieved by executing but not inspecting the malware instance.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="combination"><xs:annotation><xs:documentation>The combination value specifies a combination of dynamic and static malware analysis, achieved by both inspecting and executing the malware instance.</xs:documentation></xs:annotation></xs:enumeration></xs:restriction></xs:simpleType>
Complex Type maecPackage:FindingsBundleListType
Namespace
http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The FindingsBundleListType captures a list of Bundles or external references to Bundles, along with any related meta-analysis entities.
<xs:complexType name="FindingsBundleListType"><xs:annotation><xs:documentation>The FindingsBundleListType captures a list of Bundles or external references to Bundles, along with any related meta-analysis entities.</xs:documentation></xs:annotation><xs:sequence><xs:element minOccurs="0" name="Meta_Analysis" type="maecPackage:MetaAnalysisType"><xs:annotation><xs:documentation>The Meta_Analysis field captures any meta-analysis related entities for the Bundles captured for a Malware Subject, such as equivalencies.</xs:documentation></xs:annotation></xs:element><xs:element maxOccurs="unbounded" name="Bundle" type="maecBundle:BundleType" minOccurs="0"><xs:annotation><xs:documentation>The Bundle field captures a single MAEC Bundle, representing some set of characterized entities resulting from analysis of the Malware Subject.</xs:documentation></xs:annotation></xs:element><xs:element maxOccurs="unbounded" minOccurs="0" name="Bundle_External_Reference" type="xs:anyURI"><xs:annotation><xs:documentation>The Bundle_External_Reference field specifies a single externally located MAEC Bundle (such as a file or URL) via a URI, representing some set of results from analysis of the Malware Subject.</xs:documentation></xs:annotation></xs:element></xs:sequence></xs:complexType>
Complex Type maecPackage:MetaAnalysisType
Namespace
http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The MetaAnalysisType captures meta-analysis entities associated with the Bundles that were captured for a Malware Subject, such as Action Equivalencies.
<xs:complexType name="MetaAnalysisType"><xs:annotation><xs:documentation>The MetaAnalysisType captures meta-analysis entities associated with the Bundles that were captured for a Malware Subject, such as Action Equivalencies.</xs:documentation></xs:annotation><xs:sequence><xs:element minOccurs="0" name="Action_Equivalences" type="maecPackage:ActionEquivalenceListType"><xs:annotation><xs:documentation>The Action_Equivalences field captures any equivalences between Actions contained in one or more Bundles.</xs:documentation></xs:annotation></xs:element><xs:element minOccurs="0" name="Object_Equivalences" type="maecPackage:ObjectEquivalenceListType"><xs:annotation><xs:documentation>The Object_Equivalences field captures any equivalences between Objects contained in one or more Bundles.</xs:documentation></xs:annotation></xs:element></xs:sequence></xs:complexType>
Complex Type maecPackage:ActionEquivalenceListType
Namespace
http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The ActionEquivalenceListType captures a list of Action Equivalences.
<xs:complexType name="ActionEquivalenceListType"><xs:annotation><xs:documentation>The ActionEquivalenceListType captures a list of Action Equivalences.</xs:documentation></xs:annotation><xs:sequence><xs:element maxOccurs="unbounded" name="Action_Equivalence" type="maecPackage:ActionEquivalenceType"><xs:annotation><xs:documentation>The Action_Equivalence field captures a single Action Equivalence in the list.</xs:documentation></xs:annotation></xs:element></xs:sequence></xs:complexType>
Complex Type maecPackage:ActionEquivalenceType
Namespace
http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The ActionEquivalenceType relates any Actions that are equivalent to each other, e.g., those that were found for the same Malware Subject when using different analysis tools. It can be used as a way of referencing equivalent actions as a single unit, such as for specifying the Action composition of a Behavior.
The required id field specifies a unique ID for the Action Equivalence.
Source
<xs:complexType name="ActionEquivalenceType"><xs:annotation><xs:documentation>The ActionEquivalenceType relates any Actions that are equivalent to each other, e.g., those that were found for the same Malware Subject when using different analysis tools. It can be used as a way of referencing equivalent actions as a single unit, such as for specifying the Action composition of a Behavior.</xs:documentation></xs:annotation><xs:sequence><xs:element maxOccurs="unbounded" name="Action_Reference" type="cybox:ActionReferenceType"><xs:annotation><xs:documentation>The Action_Reference field specifies a reference to a single Action that is part of the Action Equivalency.</xs:documentation></xs:annotation></xs:element></xs:sequence><xs:attribute name="id" use="required" type="xs:QName"><xs:annotation><xs:documentation>The required id field specifies a unique ID for the Action Equivalence.</xs:documentation></xs:annotation></xs:attribute></xs:complexType>
Complex Type maecPackage:ObjectEquivalenceListType
Namespace
http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The ObjectEquivalenceListType captures a list of Object Equivalences.
<xs:complexType name="ObjectEquivalenceListType"><xs:annotation><xs:documentation>The ObjectEquivalenceListType captures a list of Object Equivalences.</xs:documentation></xs:annotation><xs:sequence><xs:element maxOccurs="unbounded" name="Object_Equivalence" type="maecPackage:ObjectEquivalenceType"><xs:annotation><xs:documentation>The Object_Equivalence field specifies a single Object Equivalence in the list.</xs:documentation></xs:annotation></xs:element></xs:sequence></xs:complexType>
Complex Type maecPackage:ObjectEquivalenceType
Namespace
http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The ObjectEquivalenceType relates the Objects that are equivalent to each other, e.g., those that were found for the same Malware Subject when using different analysis tools.
The required id field specifies a unique ID for the Object Equivalence.
Source
<xs:complexType name="ObjectEquivalenceType"><xs:annotation><xs:documentation>The ObjectEquivalenceType relates the Objects that are equivalent to each other, e.g., those that were found for the same Malware Subject when using different analysis tools.</xs:documentation></xs:annotation><xs:complexContent><xs:extension base="maecBundle:ObjectReferenceListType"><xs:attribute name="id" type="xs:QName" use="required"><xs:annotation><xs:documentation>The required id field specifies a unique ID for the Object Equivalence.</xs:documentation></xs:annotation></xs:attribute></xs:extension></xs:complexContent></xs:complexType>
Complex Type maecPackage:MalwareSubjectRelationshipListType
Namespace
http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The MalwareSubjectRelationshipListType captures a list of relationships between a Malware Subject and other Malware Subjects.
<xs:complexType name="MalwareSubjectRelationshipListType"><xs:annotation><xs:documentation>The MalwareSubjectRelationshipListType captures a list of relationships between a Malware Subject and other Malware Subjects.</xs:documentation></xs:annotation><xs:sequence><xs:element name="Relationship" maxOccurs="unbounded" type="maecPackage:MalwareSubjectRelationshipType"><xs:annotation><xs:documentation>The Relationship field specifies a relationship that relates the Malware Subject to one or more other Malware Subjects contained in the Package.</xs:documentation></xs:annotation></xs:element></xs:sequence></xs:complexType>
Complex Type maecPackage:MalwareSubjectRelationshipType
Namespace
http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The MalwareSubjectRelationshipType provides a mechanism for capturing the relationships between a Malware Subject and one or more other Malware Subjects.
<xs:complexType name="MalwareSubjectRelationshipType"><xs:annotation><xs:documentation>The MalwareSubjectRelationshipType provides a mechanism for capturing the relationships between a Malware Subject and one or more other Malware Subjects.</xs:documentation></xs:annotation><xs:sequence><xs:element minOccurs="1" name="Type" type="cyboxCommon:ControlledVocabularyStringType"><xs:annotation><xs:documentation>The Type field specifies the type of relationship being captured.</xs:documentation><xs:documentation>This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is MalwareSubjectRelationshipTypeVocab-1.0 in the http://maec.mitre.org/default_vocabularies-1 namespace. This type is defined in the maec_default_vocabularies.xsd file or at the URL http://maec.mitre.org/XMLSchema/default_vocabularies/1.0.0/maec_default_vocabularies.xsd.</xs:documentation></xs:annotation></xs:element><xs:element maxOccurs="unbounded" name="Malware_Subject_Reference" type="maecPackage:MalwareSubjectReferenceType"><xs:annotation><xs:documentation>The Malware_Subject_Reference field provides a reference to a single Malware Subject that this relationship pertains to.</xs:documentation></xs:annotation></xs:element></xs:sequence></xs:complexType>
Complex Type maecPackage:MalwareSubjectReferenceType
Namespace
http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The MalwareSubjectReferenceType provides a mechanism for specifying a reference to a Malware Subject contained in the Package.
The malware_subject_idref field provides a reference to a Malware Subject contained in the Package, via its ID.
Source
<xs:complexType name="MalwareSubjectReferenceType"><xs:annotation><xs:documentation>The MalwareSubjectReferenceType provides a mechanism for specifying a reference to a Malware Subject contained in the Package.</xs:documentation></xs:annotation><xs:attribute name="malware_subject_idref" type="xs:QName" use="required"><xs:annotation><xs:documentation>The malware_subject_idref field provides a reference to a Malware Subject contained in the Package, via its ID.</xs:documentation></xs:annotation></xs:attribute></xs:complexType>
Complex Type maecPackage:GroupingRelationshipListType
Namespace
http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The GroupingRelationshipListType captures a list of grouping relationships relating the Malware Subjects in a Package.
<xs:complexType name="GroupingRelationshipListType"><xs:annotation><xs:documentation>The GroupingRelationshipListType captures a list of grouping relationships relating the Malware Subjects in a Package.</xs:documentation></xs:annotation><xs:sequence><xs:element maxOccurs="unbounded" name="Grouping_Relationship" type="maecPackage:GroupingRelationshipType"><xs:annotation><xs:documentation>The Grouping_Relationship field specifies a single grouping relationship in the list.</xs:documentation></xs:annotation></xs:element></xs:sequence></xs:complexType>
Complex Type maecPackage:GroupingRelationshipType
Namespace
http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The GroupingRelationshipType provides a mechanism for specifying the relationship that groups together the Malware Subjects in a Package.
<xs:complexType name="GroupingRelationshipType"><xs:annotation><xs:documentation>The GroupingRelationshipType provides a mechanism for specifying the relationship that groups together the Malware Subjects in a Package.</xs:documentation></xs:annotation><xs:sequence><xs:element minOccurs="0" name="Type" type="cyboxCommon:ControlledVocabularyStringType"><xs:annotation><xs:documentation>The Type field specifies the type of relationship that groups the Malware Subjects in the Package.</xs:documentation><xs:documentation>This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is GroupingRelationshipTypeVocab-1.0 in the http://maec.mitre.org/default_vocabularies-1 namespace. This type is defined in the maec_default_vocabularies.xsd file or at the URL http://maec.mitre.org/XMLSchema/default_vocabularies/1.0.0/maec_default_vocabularies.xsd.</xs:documentation></xs:annotation></xs:element><xs:element minOccurs="0" name="Malware_Family_Name" type="xs:string"><xs:annotation><xs:documentation>The Malware_Family_Name field specifies the name of the malware family referred to by the 'same_malware_family' relationship type.</xs:documentation></xs:annotation></xs:element><xs:element minOccurs="0" name="Malware_Toolkit_Name" type="xs:string"><xs:annotation><xs:documentation>The Malware_Toolkit_Name field specifies the name of the malware toolkit referred to by the 'same_malware_toolkit' relationship type.</xs:documentation></xs:annotation></xs:element><xs:element minOccurs="0" name="Clustering_Metadata" type="maecPackage:ClusteringMetadataType"><xs:annotation><xs:documentation>The Clustering_Metadata field specifies any metadata regarding the algorithm and/or methods used for clustering the Malware Subjects in this Package.</xs:documentation></xs:annotation></xs:element></xs:sequence></xs:complexType>
Complex Type maecPackage:ClusteringMetadataType
Namespace
http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The ClusteringMetadataType specifies any metadata regarding the algorithm and/or methods used for clustering the Malware Subjects in this Package, for use in the ‘clustered together’ relationship type.
<xs:complexType name="ClusteringMetadataType"><xs:annotation><xs:documentation>The ClusteringMetadataType specifies any metadata regarding the algorithm and/or methods used for clustering the Malware Subjects in this Package, for use in the ‘clustered together’ relationship type.</xs:documentation></xs:annotation><xs:sequence><xs:element minOccurs="0" name="Algorithm_Name" type="xs:string"><xs:annotation><xs:documentation>The Algorithm_Name field specifies the name of the clustering algorithm used to cluster the malware.</xs:documentation></xs:annotation></xs:element><xs:element minOccurs="0" name="Algorithm_Version" type="xs:string"><xs:annotation><xs:documentation>The Algorithm_Version field specifies the version of the algorithm used to cluster the malware.</xs:documentation></xs:annotation></xs:element><xs:element minOccurs="0" name="Algorithm_Parameters" type="maecPackage:ClusteringAlgorithmParametersType"><xs:annotation><xs:documentation>The Algorithm_Parameters field specifies any parameters that may have been used in the clustering algorithm.</xs:documentation></xs:annotation></xs:element><xs:element minOccurs="0" name="Cluster_Size" type="xs:positiveInteger"><xs:annotation><xs:documentation>The Cluster_Size field specifies the size of the malware cluster.</xs:documentation></xs:annotation></xs:element><xs:element minOccurs="0" name="Cluster_Description" type="xs:string"><xs:annotation><xs:documentation>The Cluster_Description field provides a textual description of the malware cluster, such as information about its composition, etc.</xs:documentation></xs:annotation></xs:element><xs:element name="Cluster_Composition" minOccurs="0" type="maecPackage:ClusterCompositionType"><xs:annotation><xs:documentation>The Cluster_Composition field captures the composition of the malware cluster, including the similarity indices between its members, as a collection of edges and their corresponding nodes.</xs:documentation></xs:annotation></xs:element></xs:sequence></xs:complexType>
Complex Type maecPackage:ClusteringAlgorithmParametersType
Namespace
http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The ClusteringAlgorithmParametersType captures any parameters that may have been used in a malware clustering algorithm.
<xs:complexType name="ClusteringAlgorithmParametersType"><xs:annotation><xs:documentation>The ClusteringAlgorithmParametersType captures any parameters that may have been used in a malware clustering algorithm.</xs:documentation></xs:annotation><xs:sequence><xs:element minOccurs="0" name="Distance_Threshold" type="xs:decimal"><xs:annotation><xs:documentation>The Distance_Threshold field specifies the minimum distance threshold for the cluster, or the minimum distance between nodes in order for them to belong to the same cluster.</xs:documentation></xs:annotation></xs:element><xs:element minOccurs="0" name="Number_of_Iterations" type="xs:positiveInteger"><xs:annotation><xs:documentation>The Number_of_Iterations field specifies the number of times that the algorithm was executed in order to produce the cluster.</xs:documentation></xs:annotation></xs:element></xs:sequence></xs:complexType>
Complex Type maecPackage:ClusterCompositionType
Namespace
http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The ClusterCompositionType captures the composition of a malware cluster via its edges and their respective connected nodes, as in an undirected graph.
For clustering algorithms that may capture different types of scores, the score_type attribute specifies the type of score used to define the composition of this malware cluster.
Source
<xs:complexType name="ClusterCompositionType"><xs:annotation><xs:documentation>The ClusterCompositionType captures the composition of a malware cluster via its edges and their respective connected nodes, as in an undirected graph.</xs:documentation></xs:annotation><xs:sequence><xs:element maxOccurs="unbounded" name="Edge_Node_Pair" type="maecPackage:ClusterEdgeNodePairType"><xs:annotation><xs:documentation>The Edge_Node_Pair field specifies a single edge and its connected nodes in the malware cluster, representing the similarity index between two Malware Subjects.</xs:documentation></xs:annotation></xs:element></xs:sequence><xs:attribute name="score_type" type="xs:string"><xs:annotation><xs:documentation>For clustering algorithms that may capture different types of scores, the score_type attribute specifies the type of score used to define the composition of this malware cluster.</xs:documentation></xs:annotation></xs:attribute></xs:complexType>
Complex Type maecPackage:ClusterEdgeNodePairType
Namespace
http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The ClusterEdgeNodePairType captures a single edge-node pair in a malware cluster, which is composed of the two Malware Subjects that correspond to the nodes connected to the edge (via references), and represents the similarity index between the two Malware Subjects.
The similarity_distance field specifies the similarity distance between the two Malware Subjects being referenced (indicating how dissimilar they are), as a decimal value. This value should be equivalent to 1 minus the similarity index value (if included).
The similarity_index field specifies the similarity index between the two Malware Subjects being referenced (indicating how similar they are), as a decimal value. This value should be equivalent to 1 minus the similarity distance value (if included).
Source
<xs:complexType name="ClusterEdgeNodePairType"><xs:annotation><xs:documentation>The ClusterEdgeNodePairType captures a single edge-node pair in a malware cluster, which is composed of the two Malware Subjects that correspond to the nodes connected to the edge (via references), and represents the similarity index between the two Malware Subjects.</xs:documentation></xs:annotation><xs:sequence><xs:element minOccurs="1" name="Malware_Subject_Node_A" type="maecPackage:MalwareSubjectReferenceType"><xs:annotation><xs:documentation>The Malware_Subject_Node_A field represents a node connected to the edge via a reference to a Malware Subject that is part of a malware cluster.</xs:documentation></xs:annotation></xs:element><xs:element name="Malware_Subject_Node_B" type="maecPackage:MalwareSubjectReferenceType"><xs:annotation><xs:documentation>The Malware_Subject_Node_B field represents a node connected to the edge via a reference to a Malware Subject that is part of a malware cluster.</xs:documentation></xs:annotation></xs:element></xs:sequence><xs:attribute name="similarity_index" type="xs:decimal"><xs:annotation><xs:documentation>The similarity_index field specifies the similarity index between the two Malware Subjects being referenced (indicating how similar they are), as a decimal value. This value should be equivalent to 1 minus the similarity distance value (if included).</xs:documentation></xs:annotation></xs:attribute><xs:attribute name="similarity_distance" type="xs:decimal"><xs:annotation><xs:documentation>The similarity_distance field specifies the similarity distance between the two Malware Subjects being referenced (indicating how dissimilar they are), as a decimal value. This value should be equivalent to 1 minus the similarity index value (if included).</xs:documentation></xs:annotation></xs:attribute></xs:complexType>
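As an added example (not code from the MAEC project), the following Python check walks the clustering structures described above: it resolves each Malware_Subject_Node_A/B malware_subject_idref against the Package's Malware_Subject ids, verifies that similarity_index and similarity_distance sum to 1 when both are present, derives the index from the distance when only the distance is given, and compares Cluster_Size with the number of distinct nodes. The MAEC_Package root element, the Grouping_Relationships container and the sample Package itself are assumptions made here, not taken from this page.

```python
"""Consistency checks over the clustering part of a MAEC 2.1 Package."""
import xml.etree.ElementTree as ET

MAEC_PKG = "http://maec.mitre.org/XMLSchema/maec-package-2"
NS = {"maecPackage": MAEC_PKG}
TOL = 1e-6  # tolerance for the index + distance == 1 check

# Constructed sample Package (not from the MAEC project). The root element
# name and the Grouping_Relationships container are assumed. It deliberately
# contains one edge whose index and distance disagree, one edge that points
# at an undeclared Malware Subject, and a Cluster_Size that is too small.
SAMPLE_PACKAGE = """
<maecPackage:MAEC_Package xmlns:maecPackage="http://maec.mitre.org/XMLSchema/maec-package-2"
    id="example:package-1" schema_version="2.1" timestamp="2014-01-01T00:00:00Z">
  <maecPackage:Malware_Subjects>
    <maecPackage:Malware_Subject id="example:subject-1"/>
    <maecPackage:Malware_Subject id="example:subject-2"/>
    <maecPackage:Malware_Subject id="example:subject-3"/>
  </maecPackage:Malware_Subjects>
  <maecPackage:Grouping_Relationships>
    <maecPackage:Grouping_Relationship>
      <maecPackage:Type>clustered together</maecPackage:Type>
      <maecPackage:Clustering_Metadata>
        <maecPackage:Algorithm_Name>constructed-example</maecPackage:Algorithm_Name>
        <maecPackage:Cluster_Size>3</maecPackage:Cluster_Size>
        <maecPackage:Cluster_Composition score_type="similarity">
          <maecPackage:Edge_Node_Pair similarity_index="0.8" similarity_distance="0.2">
            <maecPackage:Malware_Subject_Node_A malware_subject_idref="example:subject-1"/>
            <maecPackage:Malware_Subject_Node_B malware_subject_idref="example:subject-2"/>
          </maecPackage:Edge_Node_Pair>
          <maecPackage:Edge_Node_Pair similarity_distance="0.4">
            <maecPackage:Malware_Subject_Node_A malware_subject_idref="example:subject-2"/>
            <maecPackage:Malware_Subject_Node_B malware_subject_idref="example:subject-3"/>
          </maecPackage:Edge_Node_Pair>
          <maecPackage:Edge_Node_Pair similarity_index="0.9" similarity_distance="0.3">
            <maecPackage:Malware_Subject_Node_A malware_subject_idref="example:subject-1"/>
            <maecPackage:Malware_Subject_Node_B malware_subject_idref="example:subject-9"/>
          </maecPackage:Edge_Node_Pair>
        </maecPackage:Cluster_Composition>
      </maecPackage:Clustering_Metadata>
    </maecPackage:Grouping_Relationship>
  </maecPackage:Grouping_Relationships>
</maecPackage:MAEC_Package>
"""


def _q(tag):
    return "{%s}%s" % (MAEC_PKG, tag)


def _ref(pair, node_name):
    node = pair.find("maecPackage:" + node_name, NS)
    return None if node is None else node.get("malware_subject_idref")


def check_package(xml_text):
    """Return the declared subject ids, the cluster edges and a list of findings."""
    root = ET.fromstring(xml_text)
    findings = []
    if root.get("schema_version") != "2.1":  # fixed="2.1" in the Package schema
        findings.append("unexpected schema_version %r" % root.get("schema_version"))
    # QName ids are compared as raw strings; prefix resolution is out of scope here.
    subjects = {ms.get("id") for ms in root.iter(_q("Malware_Subject"))}
    edges = []
    for rel in root.iter(_q("Grouping_Relationship")):
        meta = rel.find("maecPackage:Clustering_Metadata", NS)
        comp = None if meta is None else meta.find("maecPackage:Cluster_Composition", NS)
        if comp is None:
            continue
        nodes = set()
        for pair in comp.findall("maecPackage:Edge_Node_Pair", NS):
            a, b = _ref(pair, "Malware_Subject_Node_A"), _ref(pair, "Malware_Subject_Node_B")
            for ref in (a, b):
                if ref not in subjects:
                    findings.append("edge references unknown Malware Subject %r" % ref)
            idx = pair.get("similarity_index")
            dist = pair.get("similarity_distance")
            idx_f = None if idx is None else float(idx)
            dist_f = None if dist is None else float(dist)
            if idx_f is not None and dist_f is not None and abs(idx_f + dist_f - 1.0) > TOL:
                findings.append("%s <-> %s: index %s and distance %s do not sum to 1" % (a, b, idx, dist))
            if idx_f is None and dist_f is not None:
                idx_f = 1.0 - dist_f  # schema: index == 1 - distance
            nodes.update((a, b))
            edges.append((a, b, idx_f))
        size = meta.find("maecPackage:Cluster_Size", NS)
        if size is not None and int(size.text) != len(nodes):
            findings.append("Cluster_Size %s but %d distinct nodes in Cluster_Composition" % (size.text, len(nodes)))
    return {"subjects": sorted(subjects), "edges": edges, "findings": findings}
```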
The ordinal_position field specifies the explicit ordering of the usage of the algorithm with respect to the other algorithms used to encrypt or encode the malware configuration parameters, for cases where more than one algorithm was used.
<xs:attribute name="ordinal_position" type="xs:positiveInteger"><xs:annotation><xs:documentation>The ordinal_position field specifies the explicit ordering of the usage of the algorithm with respect to the other algorithms used to encrypt or encode the malware configuration parameters, for cases where more than one algorithm was used.</xs:documentation></xs:annotation></xs:attribute>
<xs:attribute name="is_encoded" type="xs:boolean"><xs:annotation><xs:documentation>The is_encoded field specifies that the malware configuration parameters are encoded with the algorithm captured in the Algorithm_Details field.</xs:documentation></xs:annotation></xs:attribute>
<xs:attribute name="is_encrypted" type="xs:boolean"><xs:annotation><xs:documentation>The is_encrypted field specifies that the malware configuration parameters are encrypted with the algorithm captured in the Algorithm_Details field.</xs:documentation></xs:annotation></xs:attribute>
<xs:attribute name="author" type="xs:string"><xs:annotation><xs:documentation>The author field specifies the name of the author that added the comment.</xs:documentation></xs:annotation></xs:attribute>
<xs:attribute name="timestamp" type="xs:dateTime"><xs:annotation><xs:documentation>The timestamp field specifies the date/time that the comment was added.</xs:documentation></xs:annotation></xs:attribute>
The observation_name field captures the name, type, or identifier of an observation, for comments that refer to the observation of particular entities. For example, a comment that refers to a command and control (C2) encryption key could have an observation_name of "C2 Encryption Key".
<xs:attribute name="observation_name" type="xs:string"><xs:annotation><xs:documentation>The observation_name field captures the name, type, or identifier of an observation, for comments that refer to the observation of particular entities. For example, a comment that refers to a command and control (C2) encryption key could have an observation_name of "C2 Encryption Key".</xs:documentation></xs:annotation></xs:attribute>
<xs:attribute name="is_fatal" type="xs:boolean"><xs:annotation><xs:documentation>The is_fatal field specifies whether the exception is fatal; that is, whether it caused the malware instance to terminate.</xs:documentation></xs:annotation></xs:attribute>
<xs:attribute name="layer7_protocol" type="maecPackage:Layer7ProtocolEnum"><xs:annotation><xs:documentation>The layer7_protocol field specifies the name of the Layer 7 network protocol (OSI model) captured or manipulated by the analysis environment.</xs:documentation></xs:annotation></xs:attribute>
<xs:attribute name="layer4_protocol" type="maecPackage:Layer4ProtocolEnum"><xs:annotation><xs:documentation>The layer4_protocol field specifies the name of the Layer 4 network protocol (OSI model) captured or manipulated by the analysis environment.</xs:documentation></xs:annotation></xs:attribute>
<xs:attribute name="port_number" type="xs:positiveInteger"><xs:annotation><xs:documentation>The port_number field specifies the port number for this network protocol that is captured or manipulated by the analysis environment.</xs:documentation></xs:annotation></xs:attribute>
The high value specifies that, for the specified protocol, the analysis environment will establish the connection and attempt to decode/identify any common protocols used by the malware. The level of decode/protocol support can be subjective and dependent on the particular environment.
enumeration
low
The low value specifies that, for the specified protocol, the analysis environment will accept the packets and will identify the initial connection request. No further interaction is performed.
enumeration
honeytrap
The honeytrap value specifies that, for the specified protocol, the analysis environment will establish the connection and attempt to interact with outgoing requests. The level of interaction can be subjective and dependent on the particular environment.
enumeration
live
The live value specifies that, for the specified protocol, the analysis environment allows the malware to connect out to the real (unemulated) IP.
enumeration
none
The none value specifies that, for the specified protocol, the analysis environment does not support or perform any level of interaction.
<xs:attribute name="interaction_level" type="maecPackage:InteractionLevelEnum"><xs:annotation><xs:documentation>The interaction_level field specifies the relative level of interaction that the analysis environment has with the specified network protocol.</xs:documentation></xs:annotation></xs:attribute>
<xs:attribute name="id" type="xs:QName" use="required"><xs:annotation><xs:documentation>The required id field specifies a unique ID for this Analysis.</xs:documentation></xs:annotation></xs:attribute>
<xs:attribute name="type" type="maecPackage:AnalysisTypeEnum"><xs:annotation><xs:documentation>The type field specifies the type of malware analysis being performed.</xs:documentation></xs:annotation></xs:attribute>
<xs:attribute name="method" type="maecPackage:AnalysisMethodEnum"><xs:annotation><xs:documentation>The method field specifies the analysis method used in the analysis.</xs:documentation></xs:annotation></xs:attribute>
<xs:attribute name="ordinal_position" type="xs:positiveInteger"><xs:annotation><xs:documentation>The ordinal_position field specifies the ordering of the analysis with respect to the other analyses performed on the Malware Subject.</xs:documentation></xs:annotation></xs:attribute>
<xs:attribute name="start_datetime" type="xs:dateTime"><xs:annotation><xs:documentation>The start_datetime field specifies the date/time the analysis was started.</xs:documentation></xs:annotation></xs:attribute>
<xs:attribute name="complete_datetime" type="xs:dateTime"><xs:annotation><xs:documentation>The complete_datetime field specifies the date/time the analysis was completed.</xs:documentation></xs:annotation></xs:attribute>
<xs:attribute name="lastupdate_datetime" type="xs:dateTime"><xs:annotation><xs:documentation>The lastupdate_datetime field specifies the date/time the analysis was last updated.</xs:documentation></xs:annotation></xs:attribute>
<xs:attribute name="id" use="required" type="xs:QName"><xs:annotation><xs:documentation>The required id field specifies a unique ID for the Action Equivalence.</xs:documentation></xs:annotation></xs:attribute>
<xs:attribute name="id" type="xs:QName" use="required"><xs:annotation><xs:documentation>The required id field specifies a unique ID for the Object Equivalence.</xs:documentation></xs:annotation></xs:attribute>
<xs:attribute name="malware_subject_idref" type="xs:QName" use="required"><xs:annotation><xs:documentation>The malware_subject_idref field provides a reference to a Malware Subject contained in the Package, via its ID.</xs:documentation></xs:annotation></xs:attribute>
<xs:attribute name="id" use="required" type="xs:QName"><xs:annotation><xs:documentation>The required id field specifies a unique ID for this Malware Subject.</xs:documentation></xs:annotation></xs:attribute>
The similarity_index field specifies the similarity index between the two Malware Subjects being referenced (indicating how similar they are), as a decimal value. This value should be equivalent to 1 minus the similarity distance value (if included).
<xs:attribute name="similarity_index" type="xs:decimal"><xs:annotation><xs:documentation>The similarity_index field specifies the similarity index between the two Malware Subjects being referenced (indicating how similar they are), as a decimal value. This value should be equivalent to 1 minus the similarity distance value (if included).</xs:documentation></xs:annotation></xs:attribute>
The similarity_distance field specifies the similarity distance between the two Malware Subjects being referenced (indicating how dissimilar they are), as a decimal value. This value should be equivalent to 1 minus the similarity index value (if included).
<xs:attribute name="similarity_distance" type="xs:decimal"><xs:annotation><xs:documentation>The similarity_distance field specifies the similarity distance between the two Malware Subjects being referenced (indicating how dissimilar they are), as a decimal value. This value should be equivalent to 1 minus the similarity index value (if included).</xs:documentation></xs:annotation></xs:attribute>
For clustering algorithms that may capture different types of scores, the score_type attribute specifies the type of score used to define the composition of this malware cluster.
<xs:attribute name="score_type" type="xs:string"><xs:annotation><xs:documentation>For clustering algorithms that may capture different types of scores, the score_type attribute specifies the type of score used to define the composition of this malware cluster.</xs:documentation></xs:annotation></xs:attribute>
<xs:attribute name="id" use="required" type="xs:QName"><xs:annotation><xs:documentation>The required id field specifies a unique ID for this Package.</xs:documentation></xs:annotation></xs:attribute>
The required schema_version field specifies the version of the MAEC Package schema that the document has been written in and that should be used for validation.
<xs:attribute fixed="2.1" name="schema_version" type="xs:string" use="required"><xs:annotation><xs:documentation>The required schema_version field specifies the version of the MAEC Package schema that the document has been written in and that should be used for validation.</xs:documentation></xs:annotation></xs:attribute>
<xs:attribute name="timestamp" type="xs:dateTime"><xs:annotation><xs:documentation>The timestamp field specifies the date/time that the Package was generated.</xs:documentation></xs:annotation></xs:attribute>