MalwareConfig

Extracted Malware Configuration

| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| config_extractor | Keyword | Name of the extractor | Yes | None |
| family | List [Text] | Malware family this configuration is associated with | Yes | None |
| version | Text | Version of the malware | Optional | None |
| category | List [Enum] | Category of malware | Optional | None |
| attack | List [Enum] | Associated ATT&CK IDs | Optional | None |
| capability_enabled | List [Text] | Enabled capabilities | Optional | None |
| capability_disabled | List [Text] | Disabled capabilities | Optional | None |
| campaign_id | List [Text] | Campaign ID | Optional | None |
| identifier | List [Text] | Identifier | Optional | None |
| decoded_strings | List [Text] | Decoded strings | Optional | None |
| password | List [Text] | Passwords | Optional | None |
| mutex | List [Text] | Mutex | Optional | None |
| pipe | List [Text] | Pipe | Optional | None |
| ipc | List [IPC] | IPC (similar to the 'pipe' field but more detailed) | Optional | None |
| sleep_delay | Integer | Sleep delay | Optional | None |
| sleep_delay_jitter | Integer | Sleep delay jitter | Optional | None |
| inject_exe | List [Text] | Injected EXE | Optional | None |
| binaries | List [Binary] | Binaries | Optional | None |
| ftp | List [FTP] | FTP connections | Optional | None |
| smtp | List [SMTP] | SMTP connections | Optional | None |
| http | List [HTTP] | HTTP connections | Optional | None |
| ssh | List [SSH] | SSH connections | Optional | None |
| proxy | List [Proxy] | Proxies | Optional | None |
| dns | List [DNS] | DNS connections | Optional | None |
| tcp | List [GeneralConnection] | TCP connections | Optional | None |
| udp | List [GeneralConnection] | UDP connections | Optional | None |
| encryption | List [Encryption] | Encryption details | Optional | None |
| service | List [Service] | Services | Optional | None |
| cryptocurrency | List [Cryptocurrency] | Cryptocurrencies | Optional | None |
| paths | List [Path] | Paths | Optional | None |
| registry | List [Registry] | Registry keys | Optional | None |
| other | Mapping [String, Any] | Other information | Optional | None |

Binary

Binary data extracted by decoder

| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| datatype | Enum | Values: "config", "other", "payload" | Optional | None |
| data | Text | Binary data | Yes | None |
| other | Mapping [String, Any] | Other information | Optional | None |
| encryption | List [Encryption] | Encryption details | Optional | None |

Encryption

Encryption details

| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| algorithm | Text | Algorithm | Optional | None |
| public_key | Text | Public key | Optional | None |
| key | Text | Key | Optional | None |
| provider | Text | Provider | Optional | None |
| mode | Text | Mode | Optional | None |
| iv | Text | Initialization vector | Optional | None |
| seed | Text | Seed | Optional | None |
| nonce | Text | Nonce value | Optional | None |
| constants | List [Text] | Constants | Optional | None |
| usage | Enum | Purpose of the encryption. Values: "binary", "communication", "config", "other", "ransom" | Optional | None |

Cryptocurrency

Cryptocoin usage (ransomware/miner)

| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| coin | Text | Name of the coin used | Optional | None |
| address | Text | Wallet address | Optional | None |
| random_amount | Integer | Ransom amount | Optional | None |
| usage | Enum | Use of the cryptocurrency. Values: "miner", "other", "ransomware" | Optional | None |

DNS

Usage of DNS connection

| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| ip | IP | IP of the DNS server | Optional | None |
| port | Integer | Port of the DNS server | Optional | None |
| hostname | Text | Hostname used in the query | Optional | None |
| record_type | Enum | Type of DNS record. Values: "A", "AAAA", "AFSDB", "APL", "CAA", "CDNSKEY", "CDS", "CERT", "CNAME", "CSYNC", "DHCID", "DLV", "DNAME", "DNSKEY", "DS", "EUI48", "EUI64", "HINFO", "HIP", "HTTPS", "IPSECKEY", "KEY", "KX", "LOC", "MX", "NAPTR", "NS", "NSEC", "NSEC3", "NSEC3PARAM", "OPENPGPKEY", "PTR", "RP", "RRSIG", "SIG", "SMIMEA", "SOA", "SRV", "SSHFP", "SVCB", "TA", "TKEY", "TLSA", "TSIG", "TXT", "URI", "ZONEMD" | Optional | None |
| usage | Enum | Purpose of the DNS connection. Values: "c2", "decoy", "download", "other", "propagate", "ransom", "tunnel", "upload" | Optional | None |

FTP

Usage of FTP connection

| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| username | Text | Username | Optional | None |
| password | Text | Password | Optional | None |
| hostname | Text | FTP host | Optional | None |
| port | Integer | FTP port | Optional | None |
| path | Text | FTP path | Optional | None |
| usage | Enum | Purpose of the FTP connection. Values: "c2", "decoy", "download", "other", "propagate", "ransom", "tunnel", "upload" | Optional | None |

GeneralConnection

Usage of General TCP/UDP connection

| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| client_ip | IP | Client IP | Optional | None |
| client_port | Integer | Client port | Optional | None |
| server_ip | IP | Server IP | Optional | None |
| server_domain | Domain | Server domain | Optional | None |
| server_port | Integer | Server port | Optional | None |
| usage | Enum | Purpose of the TCP/UDP connection. Values: "c2", "decoy", "download", "other", "propagate", "ransom", "tunnel", "upload" | Optional | None |

HTTP

Usage of HTTP connection

| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| uri | URI | URI | Optional | None |
| protocol | Enum | Protocol. Values: "http", "https" | Optional | None |
| username | Text | Username | Optional | None |
| password | Text | Password | Optional | None |
| hostname | Text | HTTP server | Optional | None |
| port | Integer | HTTP port | Optional | None |
| path | URIPath | URI path | Optional | None |
| query | Text | Query parameters | Optional | None |
| fragment | Text | Fragment | Optional | None |
| user_agent | Text | User agent | Optional | None |
| method | Enum | HTTP method. Values: "BCOPY", "BDELETE", "BMOVE", "BPROPFIND", "BPROPPATCH", "CONNECT", "COPY", "DELETE", "GET", "HEAD", "LOCK", "MKCOL", "MOVE", "NOTIFY", "OPTIONS", "PATCH", "POLL", "POST", "PROPFIND", "PROPPATCH", "PUT", "SEARCH", "SUBSCRIBE", "TRACE", "UNLOCK", "UNSUBSCRIBE", "X-MS-ENUMATTS" | Optional | None |
| headers | Mapping [String, Text] | HTTP headers | Optional | None |
| max_size | Integer | Maximum size | Optional | None |
| usage | Enum | Purpose of the HTTP connection. Values: "c2", "decoy", "download", "other", "propagate", "ransom", "tunnel", "upload" | Optional | None |

IPC

Inter-Process Communications

| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| file | List [Text] | A record stored on disk, or a record synthesized on demand by a file server, which can be accessed by multiple processes. | Optional | None |
| socket | List [Text] | Data sent over a network interface, either to a different process on the same computer or to another computer on the network. Stream-oriented (TCP; data written through a socket requires formatting to preserve message boundaries) or, more rarely, message-oriented (UDP, SCTP). | Optional | None |
| unix_domain_socket | List [Text] | Similar to an internet socket, but all communication occurs within the kernel. Domain sockets use the file system as their address space. Processes reference a domain socket as an inode, and multiple processes can communicate with one socket. | Optional | None |
| memory_mapped_file | List [Text] | A file mapped to RAM that can be modified by changing memory addresses directly instead of writing to a stream. This shares the same benefits as a standard file. | Optional | None |
| message_queue | List [Text] | A data stream similar to a socket, but which usually preserves message boundaries. Typically implemented by the operating system; multiple processes can read from and write to the queue without being directly connected to each other. | Optional | None |
| anonymous_pipe | List [Text] | A unidirectional data channel using standard input and output. Data written to the write end of the pipe is buffered by the operating system until it is read from the read end. Two-way communication between processes can be achieved by using two pipes in opposite "directions". | Optional | None |
| named_pipe | List [Text] | A pipe that is treated like a file. Instead of using standard input and output as with an anonymous pipe, processes write to and read from a named pipe as if it were a regular file. | Optional | None |
| process_names | List [Text] | The process names involved in the IPC communication | Optional | None |
| shared_memory | Text | Multiple processes are given access to the same block of memory, which creates a shared buffer for the processes to communicate with each other. | Optional | None |
| usage | Enum | Purpose of the connection. Values: "c2", "decoy", "download", "other", "propagate", "ransom", "tunnel", "upload" | Optional | None |

Path

File Paths

| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| path | Text | Path | Optional | None |
| usage | Enum | Use of the path. Values: "c2", "config", "install", "logs", "other", "plugins", "storage" | Optional | None |

Proxy

Usage of Proxy connection

| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| username | Text | Username | Optional | None |
| password | Text | Password | Optional | None |
| hostname | Text | Proxy host | Optional | None |
| port | Integer | Proxy port | Optional | None |
| usage | Enum | Purpose of the proxy connection. Values: "c2", "decoy", "download", "other", "propagate", "ransom", "tunnel", "upload" | Optional | None |
| protocol | Text | Protocol used | Optional | None |

Registry

Registry keys

| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| key | Text | Registry key | Yes | None |
| value | Text | Registry value | Optional | None |
| usage | Enum | Use of the registry key. Values: "other", "persistence", "read", "store_data", "store_payload" | Optional | None |

SMTP

Usage of SMTP connection

| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| username | Text | Username | Optional | None |
| password | Text | Password | Optional | None |
| hostname | Text | SMTP host | Optional | None |
| port | Integer | SMTP port | Optional | None |
| mail_to | List [Text] | Recipients | Optional | None |
| mail_from | Text | Sender | Optional | None |
| subject | Text | Subject | Optional | None |
| usage | Enum | Purpose of the SMTP connection. Values: "c2", "decoy", "download", "other", "propagate", "ransom", "tunnel", "upload" | Optional | None |

SSH

Usage of SSH connection

| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| username | Text | Username | Optional | None |
| password | Text | Password | Optional | None |
| public_key | Text | SSH public key | Optional | None |
| hostname | Text | SSH host | Optional | None |
| port | Integer | SSH port | Optional | None |
| usage | Enum | Purpose of the SSH connection. Values: "c2", "decoy", "download", "other", "propagate", "ransom", "tunnel", "upload" | Optional | None |

Service

Operating System services affected

| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| dll | Text | DLL associated with the service | Optional | None |
| name | Text | Name of the service | Optional | None |
| display_name | Text | Display name of the service | Optional | None |
| description | Text | Service description | Optional | None |
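The tables above define which fields are required and which take enum values, but a reader cannot tell from the tables alone how a malformed extractor output would be caught. The following is an added example, not the project's own validator: it transcribes the required fields and enum values from the MalwareConfig, Binary, Encryption, Cryptocurrency, HTTP, Path, Registry and connection tables into a small schema table and walks a configuration dictionary against it, recursing into the nested list types. The function name `validate`, the `SCHEMA` layout and both sample configurations are assumptions made for this example; the long record_type (DNS) and method (HTTP) enumerations are deliberately not encoded.

```python
"""Structural validator for the MalwareConfig schema documented on this page.

Added example, not the project's own code. Required fields and enum values
are transcribed from the tables above; the long DNS record_type and HTTP
method enumerations are left out and not checked. Sample configurations at
the bottom are constructed for illustration.
"""
from typing import Any

CONNECTION_USAGE = {"c2", "decoy", "download", "other", "propagate",
                    "ransom", "tunnel", "upload"}

# Per type: required fields, enum-valued fields, and list fields whose
# items are themselves schema types.
SCHEMA: dict[str, dict[str, Any]] = {
    "MalwareConfig": {
        "required": {"config_extractor", "family"},
        "enums": {},
        "nested": {
            "binaries": "Binary", "ftp": "FTP", "smtp": "SMTP", "http": "HTTP",
            "ssh": "SSH", "proxy": "Proxy", "dns": "DNS",
            "tcp": "GeneralConnection", "udp": "GeneralConnection",
            "encryption": "Encryption", "service": "Service",
            "cryptocurrency": "Cryptocurrency", "paths": "Path",
            "registry": "Registry", "ipc": "IPC",
        },
    },
    "Binary": {"required": {"data"},
               "enums": {"datatype": {"config", "other", "payload"}},
               "nested": {"encryption": "Encryption"}},
    "Encryption": {"required": set(),
                   "enums": {"usage": {"binary", "communication", "config", "other", "ransom"}},
                   "nested": {}},
    "Cryptocurrency": {"required": set(),
                       "enums": {"usage": {"miner", "other", "ransomware"}},
                       "nested": {}},
    "HTTP": {"required": set(),
             "enums": {"usage": CONNECTION_USAGE, "protocol": {"http", "https"}},
             "nested": {}},
    "Path": {"required": set(),
             "enums": {"usage": {"c2", "config", "install", "logs", "other", "plugins", "storage"}},
             "nested": {}},
    "Registry": {"required": {"key"},
                 "enums": {"usage": {"other", "persistence", "read", "store_data", "store_payload"}},
                 "nested": {}},
    "Service": {"required": set(), "enums": {}, "nested": {}},
}
# The remaining connection types share the connection usage enum and have no required fields.
for _name in ("DNS", "FTP", "GeneralConnection", "IPC", "Proxy", "SMTP", "SSH"):
    SCHEMA[_name] = {"required": set(), "enums": {"usage": CONNECTION_USAGE}, "nested": {}}


def validate(obj: dict[str, Any], typename: str = "MalwareConfig",
             where: str = "config") -> list[str]:
    """Return human-readable problems found in obj; an empty list means it conforms."""
    spec = SCHEMA[typename]
    errors: list[str] = []
    for field in sorted(spec["required"]):
        if field not in obj:
            errors.append(f"{where}: missing required field '{field}'")
    for field, allowed in spec["enums"].items():
        if field in obj and obj[field] not in allowed:
            errors.append(f"{where}.{field}: invalid value {obj[field]!r}")
    for field, nested_type in spec["nested"].items():
        items = obj.get(field, [])
        if not isinstance(items, list):
            errors.append(f"{where}.{field}: expected a list of {nested_type}")
            continue
        for i, item in enumerate(items):
            errors.extend(validate(item, nested_type, f"{where}.{field}[{i}]"))
    return errors


# Constructed sample: a conforming configuration (all names and values are made up).
VALID_CONFIG = {
    "config_extractor": "example_extractor",
    "family": ["ExampleFamily"],
    "http": [{"hostname": "c2.example.invalid", "port": 8080,
              "protocol": "https", "usage": "c2"}],
    "registry": [{"key": "HKCU\\Software\\Example", "usage": "persistence"}],
    "binaries": [{"datatype": "payload", "data": "AAAA",
                  "encryption": [{"algorithm": "rc4", "usage": "binary"}]}],
}

# Constructed sample with three defects: no family, a binary without data,
# and an HTTP usage value outside the enum.
INVALID_CONFIG = {
    "config_extractor": "example_extractor",
    "http": [{"hostname": "c2.example.invalid", "usage": "beacon"}],
    "binaries": [{"datatype": "payload"}],
}

if __name__ == "__main__":
    for label, cfg in (("valid", VALID_CONFIG), ("invalid", INVALID_CONFIG)):
        print(label, validate(cfg) or "OK")
```

Running the module prints `OK` for the first sample and three located errors for the second; the `where` path (for example `config.http[0].usage`) tells an extractor author exactly which nested record to fix, which matters once a configuration carries dozens of connection entries.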