scoutTHREAT - Malware Objects Overview
Written by Benjamin Dewey

A Malware Object is an intelligence object used to represent malicious code. It is used to characterize, identify, and categorize both individual malware instances and malware families. Whereas a Malware Analysis Object records the metadata and results of one particular analysis run (for example a sandbox detonation or a static scan), a Malware Object documents what is known about the malware itself: its function, features, and capabilities.

The following properties can be set on a Malware Object:

  • Name: The name used for this Object (mandatory)

  • Description: An optional narrative description of the malware

  • Types: A mandatory categorization of the malware type (e.g. bootkit, keylogger, rootkit)

  • Malware family: A flag indicating whether this Object represents a malware family (Yes) or a specific instance (No)

  • Kill Chain Phases: The kill chain phase(s) associated with the malware

  • Sample References: Identifier(s) of the sample object(s) associated with this malware

  • Operating systems: The operating system(s) the malware runs on

  • First seen: The date the malware was first observed

  • Last seen: The date the malware was most recently observed

  • Processor architectures: The processor architecture(s) the malware runs on (e.g. x86)

  • Implementation Languages: The programming language(s) used to implement the malware

  • Capabilities: Capabilities associated with the malware (e.g. anti-sandbox)

  • Revoked: A flag that permanently makes this Object inactive. Note that this cannot be undone.

  • Confidence: The analyst's assessment of the confidence in the data contained within this Malware Object

  • Labels: Free-form labels applied to the Malware Object

  • Aliases: Alternate names for the malware
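The property list above maps onto the STIX 2.1 Malware object the article points to. The following is an added example, not scoutTHREAT's own code or API: it builds such an object as a plain Python dictionary using the standard STIX 2.1 property names, enforces the rules the list states (Name and Types mandatory, the family flag a boolean, Revoked one-way) plus a few sanity checks of this example's own choosing (Last seen not before First seen, Confidence in 0-100), and shows that a later version cannot clear the Revoked flag. The sample data, the helper names and the validation rules are assumptions made for illustration; how scoutTHREAT stores these fields internally is not described on this page.

```python
"""Build and version a STIX 2.1-style Malware object.

Added example, not scoutTHREAT code. JSON property names follow the STIX 2.1
Malware SDO; the validation rules and sample data are this example's own.
"""
import json
import uuid
from datetime import datetime, timezone

# Optional properties from the article, under their STIX 2.1 names.
OPTIONAL_PROPERTIES = {
    "description", "aliases", "kill_chain_phases", "first_seen", "last_seen",
    "sample_refs", "operating_system_refs", "architecture_execution_envs",
    "implementation_languages", "capabilities", "confidence", "labels",
}


def _now() -> str:
    # STIX 2.1 timestamps are RFC 3339, UTC, with a trailing "Z".
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%fZ")


def _parse_ts(value: str) -> datetime:
    # fromisoformat() on older Pythons rejects the "Z" suffix, so normalise it.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def build_malware_object(name, malware_types, is_family, **optional):
    """Return a new Malware object (dict). name and malware_types are
    mandatory, is_family must be a bool; everything else is optional."""
    if not isinstance(name, str) or not name.strip():
        raise ValueError("name is mandatory and must be a non-empty string")
    if (not isinstance(malware_types, list) or not malware_types
            or not all(isinstance(t, str) and t for t in malware_types)):
        raise ValueError("malware_types is mandatory: a non-empty list of strings")
    if not isinstance(is_family, bool):
        raise ValueError("is_family must be True (family) or False (instance)")

    unknown = set(optional) - OPTIONAL_PROPERTIES
    if unknown:
        raise ValueError(f"unknown properties: {sorted(unknown)}")

    first, last = optional.get("first_seen"), optional.get("last_seen")
    if first and last and _parse_ts(last) < _parse_ts(first):
        raise ValueError("last_seen must not precede first_seen")

    confidence = optional.get("confidence")
    if confidence is not None and not (isinstance(confidence, int)
                                       and 0 <= confidence <= 100):
        raise ValueError("confidence must be an integer in 0..100")

    for phase in optional.get("kill_chain_phases", []):
        if set(phase) != {"kill_chain_name", "phase_name"}:
            raise ValueError("each kill chain phase needs kill_chain_name and phase_name")

    ts = _now()
    obj = {
        "type": "malware",
        "spec_version": "2.1",
        "id": f"malware--{uuid.uuid4()}",
        "created": ts,
        "modified": ts,
        "name": name,
        "malware_types": malware_types,
        "is_family": is_family,
        "revoked": False,
    }
    obj.update({k: v for k, v in optional.items() if v is not None})
    return obj


def new_version(obj, **changes):
    """Return a later version of obj (same id, newer modified). Any property
    may change except that revoked only ever goes False -> True: once an
    object is revoked, a later version cannot clear the flag."""
    if obj.get("revoked") and changes.get("revoked") is False:
        raise ValueError("revoked is permanent and cannot be cleared")
    new = {**obj, **changes}
    new["modified"] = _now()
    return new


def validation_error(fn, *args, **kwargs):
    """Call fn and return the ValueError message it raises, or None."""
    try:
        fn(*args, **kwargs)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    # Constructed sample data, not a real malware record.
    sample = build_malware_object(
        "Example Keylogger", ["keylogger"], True,
        aliases=["ExKL"], capabilities=["anti-sandbox"],
        architecture_execution_envs=["x86"], implementation_languages=["c"],
        kill_chain_phases=[{"kill_chain_name": "lockheed-martin-cyber-kill-chain",
                            "phase_name": "installation"}],
        first_seen="2023-01-10T00:00:00Z", last_seen="2023-06-01T00:00:00Z",
        confidence=70, labels=["internal-tracking"],
    )
    print(json.dumps(new_version(sample, revoked=True), indent=2))
```

Running the module prints the revoked version of the constructed object; the `new_version` call is where the "cannot be undone" rule from the list above is enforced, so an attempt to pass `revoked=False` afterwards raises instead of silently reactivating the object.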

For more information on Malware Objects, see the STIX 2.1 guide. For help creating Malware Objects, see scoutTHREAT - Creating a Malware Object.
