Uscybercom Malware Sample Structure
A malware sample shared by USCYBERCOM's Cyber National Mission Force (CNMF) via VirusTotal, attributed to a state-sponsored threat actor.
Type: object
Properties: 13
Required: 3
MalwareSample is a JSON Structure definition published by US Cyber Command, describing 13 properties, of which 3 are required. It conforms to the https://json-structure.org/meta/core/v0/# meta-schema.
{
"$schema": "https://json-structure.org/meta/core/v0/#",
"$id": "https://raw.githubusercontent.com/api-evangelist/us-cyber-command/refs/heads/main/json-structure/uscybercom-malware-sample-structure.json",
"name": "MalwareSample",
"description": "A malware sample shared by USCYBERCOM's Cyber National Mission Force (CNMF) via VirusTotal, attributed to a state-sponsored threat actor.",
"type": "object",
"properties": {
"sha256": {
"type": "string",
"description": "Hex-encoded SHA-256 hash of the malware sample file; the pattern accepts either letter case, so consumers should compare hashes case-insensitively.",
"pattern": "^[0-9a-fA-F]{64}$",
"example": "a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2"
},
"md5": {
"type": "string",
"description": "MD5 hash of the malware sample file.",
"pattern": "^[0-9a-fA-F]{32}$"
},
"sha1": {
"type": "string",
"description": "SHA-1 hash of the malware sample file.",
"pattern": "^[0-9a-fA-F]{40}$"
},
"file_name": {
"type": "string",
"description": "Original filename of the malware sample, if known.",
"example": "update.exe"
},
"file_type": {
"type": "string",
"description": "File type or format of the malware sample.",
"example": "PE32 executable"
},
"date_shared": {
"type": "date",
"description": "Date CNMF shared the sample on VirusTotal."
},
"threat_actor": {
"type": "string",
"description": "Threat actor or group to which this sample is attributed.",
"example": "Lazarus Group"
},
"nation_state": {
"type": "string",
"description": "Nation-state sponsor attributed to the threat actor.",
"enum": [
"Russia",
"Iran",
"North Korea",
"China",
"Other",
"Unknown"
]
},
"malware_family": {
"type": "string",
"description": "Name of the malware family or variant.",
"example": "MuddyWater"
},
"malware_type": {
"type": "string",
"description": "Classification of malware functionality.",
"enum": [
"Remote Access Trojan",
"Backdoor",
"Ransomware",
"Wiper",
"Dropper",
"Loader",
"Keylogger",
"Credential Stealer",
"Destructive Malware",
"Spyware",
"Rootkit"
]
},
"virustotal_url": {
"type": "uri",
"description": "VirusTotal URL for this malware sample.",
"example": "https://www.virustotal.com/gui/file/a1b2c3d4e5f6/detection"
},
"advisory_url": {
"type": "uri",
"description": "URL to the USCYBERCOM news release or advisory accompanying this sample."
},
"iocs": {
"type": "array",
"description": "Indicators of Compromise associated with this malware sample.",
"items": {
"type": "object",
"properties": {
"type": {
"type": "string",
"enum": [
"IP",
"Domain",
"URL",
"File Hash",
"Email",
"Registry Key"
],
"description": "Type of indicator; determines how the accompanying value field is to be interpreted."
},
"value": {
"type": "string",
"description": "Value of the indicator, in the form implied by its type (for example an IP address, a domain name, a URL, a file hash, an email address or a registry key)."
}
},
"required": [
"type",
"value"
]
}
}
},
"required": [
"sha256",
"date_shared",
"nation_state"
]
}