MalwareSubjectRelationshipTypeVocab-1.1
MAEC Vocabularies Schema

The MalwareSubjectRelationshipTypeVocab is the default MAEC vocabulary for the Malware Subject relationships in a Package, captured via the MalwareSubjectRelationshipType/Type element in the MAEC Package. Starting with MAEC 4.1, this vocabulary should be used in place of the deprecated MalwareSubjectRelationshipTypeVocab-1.0.


Vocabulary Items

Item | Description
downloads | The 'downloads' value specifies that the Malware Subject downloads one or more other Malware Subject(s).
downloaded by | The 'downloaded by' value specifies that the current Malware Subject was downloaded by one or more other Malware Subject(s).
drops | The 'drops' value specifies that the Malware Subject drops (or writes to disk) one or more other Malware Subject(s).
dropped by | The 'dropped by' value specifies that the current Malware Subject was dropped (or written to disk) by one or more other Malware Subject(s).
extracts | The 'extracts' value specifies that the Malware Subject extracts (from an embedded archive or another container) one or more other Malware Subject(s).
extracted from | The 'extracted from' value specifies that the current Malware Subject was extracted from one or more other Malware Subject(s).
direct descendant of | The 'direct descendant of' value specifies that the current Malware Subject is a direct descendant (i.e. in terms of development lineage) of one or more other Malware Subject(s).
direct ancestor of | The 'direct ancestor of' value specifies that the current Malware Subject is a direct ancestor (i.e. in terms of development lineage) of one or more other Malware Subject(s).
memory image of | The 'memory image of' value specifies that the current Malware Subject represents a memory image associated with one or more other Malware Subject(s).
contained in memory image | The 'contained in memory image' value specifies that the current Malware Subject is a malware binary or component contained in one or more other Malware Subject(s) that represent memory images.
disk image of | The 'disk image of' value specifies that the current Malware Subject represents a disk image associated with one or more other Malware Subject(s).
contained in disk image | The 'contained in disk image' value specifies that the current Malware Subject is a malware binary or component contained in one or more other Malware Subject(s) that represent disk images.
network traffic capture of | The 'network traffic capture of' value specifies that the current Malware Subject represents captured network traffic associated with one or more other Malware Subject(s).
contained in network traffic capture | The 'contained in network traffic capture' value specifies that the current Malware Subject is a malware binary or component contained in one or more other Malware Subject(s) that represent captures of network traffic.
packed version of | The 'packed version of' value specifies that the current Malware Subject represents a packed version (in terms of executable binary packing) of one or more other Malware Subject(s).
unpacked version of | The 'unpacked version of' value specifies that the current Malware Subject represents an unpacked version (in terms of executable binary packing) of one or more other Malware Subject(s).
installs | The 'installs' value specifies that the current Malware Subject installs one or more other Malware Subject(s).
installed by | The 'installed by' value specifies that the current Malware Subject is installed by one or more other Malware Subject(s).
64-bit version of | The '64-bit version of' value specifies that the current Malware Subject is a 64-bit version of one or more other Malware Subject(s).
32-bit version of | The '32-bit version of' value specifies that the current Malware Subject is a 32-bit version of one or more other Malware Subject(s).
encrypted version of | The 'encrypted version of' value specifies that the current Malware Subject is an encrypted version of one or more other Malware Subject(s).
decrypted version of | The 'decrypted version of' value specifies that the current Malware Subject is a decrypted version of one or more other Malware Subject(s).

Fields

Field Name Type Description
@condition (optional) ConditionTypeEnum

This field is optional and defines the relevant condition to apply to the value.

@is_case_sensitive (optional) boolean

The is_case_sensitive field is optional and should be used when specifying the case-sensitivity of a pattern which uses an Equals, DoesNotEqual, Contains, DoesNotContain, StartsWith, EndsWith, or FitsPattern condition. The default value for this field is "true" which indicates that pattern evaluations are to be considered case-sensitive.

@apply_condition (optional) ConditionApplicationEnum

This field indicates how a condition should be applied when the field body contains a list of values. (Its value is moot if the field value contains only a single value - both possible values for this field would have the same behavior.) If this field is set to ANY, then a pattern is considered to be matched if the provided condition successfully evaluates for any of the values in the field body. If the field is set to ALL, then the pattern only matches if the provided condition successfully evaluates for every value in the field body.

@delimiter (optional) string

The delimiter field specifies the delimiter used when defining lists of values. The default value is "##comma##".

@bit_mask (optional) hexBinary

Used to specify a bit_mask in conjunction with one of the defined binary conditions (bitwiseAnd, bitwiseOr, and bitwiseXor). This bitmask is then used as one operand in the indicated bitwise computation.

@pattern_type (optional) PatternTypeEnum

This field is optional and defines the type of pattern used if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.

@regex_syntax (optional) string

This field is optional and defines the syntax format used for a regular expression, if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.

Setting this attribute with an empty value (e.g., "") or omitting it entirely notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities, character classes, escapes, and other lexical tokens defined by the CybOX Language Specification.

Setting this attribute with a non-empty value notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities not defined by the CybOX Language Specification. The regular expression must be evaluated through a compatible regular expression engine in this case.

@has_changed (optional) boolean

This field is optional and conveys a targeted observation pattern of whether the associated field value has changed. This field would be leveraged within a pattern observable triggering on whether the value of a single field value has changed.

@trend (optional) boolean

This field is optional and conveys a targeted observation pattern of the nature of any trend in the associated field value. This field would be leveraged within a pattern observable triggering on the matching of a specified trend in the value of a single specified field.

@vocab_name (optional) string

The vocab_name field specifies the name of the controlled vocabulary.

@vocab_reference (optional) anyURI

The vocab_reference field specifies the URI of the location where the controlled vocabulary is defined, e.g., in an externally located XML schema file.
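
How a consumer might evaluate a list-valued field using @condition, @apply_condition, @is_case_sensitive and @delimiter as described above. This is an added example, not code from MAEC or CybOX; the name field_matches, the ANY default for apply_condition, the untrimmed splitting and the sample field body are assumptions, and FitsPattern is left out.

```python
DEFAULT_DELIMITER = "##comma##"  # default value stated for @delimiter

# String conditions named under @is_case_sensitive (FitsPattern is not handled here).
CONDITIONS = {
    "Equals": lambda observed, v: observed == v,
    "DoesNotEqual": lambda observed, v: observed != v,
    "Contains": lambda observed, v: v in observed,
    "DoesNotContain": lambda observed, v: v not in observed,
    "StartsWith": lambda observed, v: observed.startswith(v),
    "EndsWith": lambda observed, v: observed.endswith(v),
}

# Constructed sample field body: three vocabulary items joined by the default delimiter.
BODY = "drops##comma##installs##comma##downloads"


def field_matches(observed, body, condition, apply_condition="ANY",
                  is_case_sensitive=True, delimiter=DEFAULT_DELIMITER):
    """Return True if `observed` satisfies the pattern field `body`.

    apply_condition defaults to ANY here as an assumption; the page states
    no default. Values are split exactly on the delimiter and not trimmed.
    """
    if condition not in CONDITIONS:
        raise ValueError(f"unsupported condition: {condition}")
    if apply_condition not in ("ANY", "ALL"):
        raise ValueError(f"unsupported apply_condition: {apply_condition}")
    if not delimiter:
        raise ValueError("delimiter must be non-empty")

    values = body.split(delimiter)
    if not is_case_sensitive:
        # Fold both sides so the comparison ignores case.
        observed = observed.casefold()
        values = [v.casefold() for v in values]

    test = CONDITIONS[condition]
    results = (test(observed, v) for v in values)
    # ANY: one successful evaluation is enough; ALL: every value must succeed.
    return any(results) if apply_condition == "ANY" else all(results)
```

A negated condition such as DoesNotEqual combined with ANY matches whenever the observed value differs from at least one listed value, so a "none of these" pattern needs ALL.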