A Malware Object is an intelligence object used to represent malicious code. This object is used to characterize, identify, and categorize malware instances and families. As opposed to Malware Analysis Objects, Malware Objects are used to document detailed information about the function and features of the malware.
The following properties can be added to a Malware Object:
Name: The name to be used for this Object (mandatory)
Description: An optional narrative description of the malware
Types: A mandatory categorization of the malware type (e.g. bootkit, keylogger, rootkit)
Malware family: A flag to indicate whether this object represents a malware family (Yes) or a specific instance (No)
Kill Chain Phases: The Kill Chain Phase(s) associated with the malware
Sample References: Identifier(s) associated with this malware
Operating systems: Operating system(s) the malware is executable on
First seen: Date the malware was first observed
Last seen: Date the malware was most recently observed
Processor architectures: Processor architecture(s) the malware is executable on (e.g. x86)
Implementation Languages: Programming language(s) used to implement the malware
Capabilities: Capabilities associated with the malware (e.g. anti-sandbox)
Revoked: Flag that will permanently make this Object inactive. Note that this cannot be undone.
Confidence: Analytic assessment of the confidence in the data contained within this Malware Object
Labels: Field allowing for the addition of labels to the Malware Object
Aliases: Alternate names of the malware
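The properties above correspond to the STIX 2.1 Malware SDO: Types maps to malware_types, Malware family to is_family, Sample References to sample_refs, Operating systems to operating_system_refs, Processor architectures to architecture_execution_envs, and so on. The following Python is an added example, not code from scoutTHREAT or from the STIX specification: it assembles such an object from the listed properties and checks it before export, treating the open vocabularies (malware types, capabilities, architectures) as warnings rather than hard errors, since STIX allows values outside them. The vocabulary subsets, the sample record and the "ExampleLogger" name are constructed for the example; the file reference is a placeholder.

```python
import json
import re
import uuid
from datetime import datetime, timezone

# Subsets of the STIX 2.1 open vocabularies that the page's properties draw on.
# They are open vocabularies, so an unknown value is reported as a warning, not rejected.
MALWARE_TYPE_OV = {"adware", "backdoor", "bot", "bootkit", "ddos", "downloader", "dropper",
                   "exploit-kit", "keylogger", "ransomware", "remote-access-trojan", "rootkit",
                   "screen-capture", "spyware", "trojan", "unknown", "virus", "webshell",
                   "wiper", "worm"}
CAPABILITY_OV = {"anti-debugging", "anti-sandbox", "anti-vm", "communicates-with-c2",
                 "escalates-privileges", "evades-av", "exfiltrates-data", "hides-artifacts",
                 "persists-after-system-reboot", "steals-authentication-credentials"}
ARCHITECTURE_OV = {"alpha", "arm", "ia-64", "mips", "powerpc", "sparc", "x86", "x86-64"}

# STIX property names for the optional fields listed on the page.
OPTIONAL_PROPS = {"description", "kill_chain_phases", "sample_refs", "operating_system_refs",
                  "first_seen", "last_seen", "architecture_execution_envs",
                  "implementation_languages", "capabilities", "revoked", "confidence",
                  "labels", "aliases"}

STIX_TIMESTAMP = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?Z$")
STIX_ID = re.compile(r"^[a-z0-9-]+--[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")


def now_stamp():
    """Current UTC time in the STIX timestamp format, millisecond precision."""
    t = datetime.now(timezone.utc)
    return t.strftime("%Y-%m-%dT%H:%M:%S.") + f"{t.microsecond // 1000:03d}Z"


def parse_stamp(s):
    """Parse a STIX timestamp (already matched by STIX_TIMESTAMP) into a datetime."""
    base, _, frac = s[:-1].partition(".")
    t = datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    return t.replace(microsecond=int((frac + "000000")[:6])) if frac else t


def build_malware(name, malware_types, is_family, **optional):
    """Assemble a STIX 2.1 Malware SDO dict; `optional` accepts the names in OPTIONAL_PROPS."""
    unknown = set(optional) - OPTIONAL_PROPS
    if unknown:
        raise ValueError(f"not a Malware property: {sorted(unknown)}")
    stamp = now_stamp()
    obj = {"type": "malware", "spec_version": "2.1", "id": f"malware--{uuid.uuid4()}",
           "created": stamp, "modified": stamp, "name": name,
           "malware_types": list(malware_types), "is_family": bool(is_family)}
    obj.update({k: v for k, v in optional.items() if v is not None})
    return obj


def validate_malware(obj):
    """Return a list of 'ERROR: ...' / 'WARN: ...' strings; an empty list means clean."""
    issues = []
    for key in ("type", "spec_version", "id", "created", "modified", "is_family"):
        if key not in obj:
            issues.append(f"ERROR: missing required property {key}")
    if obj.get("type") != "malware":
        issues.append("ERROR: type must be 'malware'")
    ident = obj.get("id", "")
    if not (isinstance(ident, str) and ident.startswith("malware--") and STIX_ID.match(ident)):
        issues.append("ERROR: id must be 'malware--<uuid>'")
    if not isinstance(obj.get("is_family"), bool):
        issues.append("ERROR: is_family must be a boolean")
    stamps = {}
    for key in ("created", "modified", "first_seen", "last_seen"):
        val = obj.get(key)
        if val is None:
            continue
        if isinstance(val, str) and STIX_TIMESTAMP.match(val):
            stamps[key] = parse_stamp(val)
        else:
            issues.append(f"ERROR: {key} is not a STIX timestamp: {val!r}")
    if "first_seen" in stamps and "last_seen" in stamps and stamps["last_seen"] < stamps["first_seen"]:
        issues.append("ERROR: last_seen precedes first_seen")
    conf = obj.get("confidence")
    if conf is not None and (isinstance(conf, bool) or not isinstance(conf, int) or not 0 <= conf <= 100):
        issues.append("ERROR: confidence must be an integer 0..100")
    for ref in obj.get("sample_refs", []):
        if not (ref.startswith("file--") or ref.startswith("artifact--")):
            issues.append(f"ERROR: sample_refs must reference file or artifact objects: {ref}")
    for ref in obj.get("operating_system_refs", []):
        if not ref.startswith("software--"):
            issues.append(f"ERROR: operating_system_refs must reference software objects: {ref}")
    for key, vocab in (("malware_types", MALWARE_TYPE_OV), ("capabilities", CAPABILITY_OV),
                       ("architecture_execution_envs", ARCHITECTURE_OV)):
        for value in obj.get(key, []):
            if value not in vocab:
                issues.append(f"WARN: {key} value {value!r} is outside the STIX open vocabulary")
    return issues


# Constructed sample record using the page's example values (keylogger, x86, anti-sandbox).
SAMPLE = build_malware(
    "ExampleLogger", ["keylogger"], True,  # constructed family name, not a real one
    description="Constructed example record for a keylogger family.",
    kill_chain_phases=[{"kill_chain_name": "lockheed-martin-cyber-kill-chain",
                        "phase_name": "installation"}],
    sample_refs=["file--" + str(uuid.uuid4())],  # placeholder reference to a File object
    first_seen="2023-03-01T00:00:00.000Z", last_seen="2023-09-15T12:30:00.000Z",
    architecture_execution_envs=["x86"], implementation_languages=["c"],
    capabilities=["anti-sandbox", "steals-authentication-credentials"],
    confidence=75, labels=["constructed-example"], aliases=["ExLog"],
)

if __name__ == "__main__":
    print(json.dumps(SAMPLE, indent=2))
    print(validate_malware(SAMPLE) or "no issues")
```

Running the validator before an object is shared or imported catches the cases a UI will not always stop: a family flag stored as a string, a last-seen date earlier than first-seen, a confidence outside 0..100, or a sample reference that does not point at a file or artifact object.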
For more information on Malware Objects, see the STIX 2.1 guide. For help creating Malware Objects, see scoutTHREAT: Creating a Malware Object.