Malware Family

Information about malware families

Special privileges required

Malware families are only available to users with the Google Threat Intelligence (Google TI) Enterprise or Enterprise Plus licenses.

Malware family objects are highly contextualized and detailed by Google TI experts, who track the families constantly and actively.

Object Attributes

A malware family object contains the following attributes:

  • aggregations: <dictionary> dictionary of commonalities between the different IoCs associated with the malware family, grouped by IoC type (files, URLs, domains, IP addresses).
    • domains: <dictionary> technical commonalities among all domains tied to the malware family.
    • files: <dictionary> technical commonalities among all files tied to the malware family.
    • ip_addresses: <dictionary> technical commonalities among all IP addresses tied to the malware family.
    • urls: <dictionary> technical commonalities among all URLs tied to the malware family.
  • alt_names_details: <list of dictionaries> list of alternative names / aliases by which the malware family may be known, each with additional information such as the confidence of the attribution and the first and last dates on which that alias was attributed to the family.
    • confidence: <string> confidence on the information or the attribution of the alternative name to the malware family.
    • description: <string> additional information related to the alternative name.
    • first_seen: <integer> the first time that alternative name was attributed to the malware family (UTC timestamp).
    • last_seen: <integer> the last time that alternative name was attributed to the malware family (UTC timestamp).
    • value: <string> alternative name / alias.
  • capabilities: <list of dictionaries> list of capabilities associated with the malware family's files.
    • confidence: <string> the confidence of the malware family's associated capability.
    • description: <string> description of the capability.
    • first_seen: <integer> the first time when the capability was associated to the malware family (UTC timestamp).
    • last_seen: <integer> the last time when the capability was associated to the malware family (UTC timestamp).
    • value: <string> capability name.
  • collection_type: <string> identifies the type of the object. For Malware families the value of this attribute is malware_family.
  • counters: <dictionary> dictionary of counters of related objects.
    • attack_techniques: <integer> number of MITRE ATT&CK techniques associated with the malware family.
    • domains: <integer> number of domains related to the malware family.
    • files: <integer> number of files related to the malware family.
    • iocs: <integer> number of IoCs (files + URLs + domains + IP addresses) related to the malware family.
    • ip_addresses: <integer> number of IP addresses related to the malware family.
    • subscribers: <integer> number of users subscribed to the malware family.
    • urls: <integer> number of URLs related to the malware family.
  • creation_date: <integer> malware family object creation date (UTC timestamp).
  • description: <string> description / context about the malware family.
  • detection_names: <list of dictionaries> list of external detection names associated with the malware family with additional context.
    • confidence: <string> the confidence of the detection name associated to the malware family.
    • description: <string> descriptive information related to the detection name.
    • first_seen: <integer> the first time when the detection name was associated to the malware family (UTC timestamp).
    • last_seen: <integer> the last time when the detection name was associated to the malware family (UTC timestamp).
    • value: <string> the detection name.
  • first_seen_details: <list of dictionaries> dictionaries with additional information related to the malware family's first activity, differentiating between confirmed and unconfirmed activity.
    • confidence: <string> confidence on the information or the attribution of the first activity seen related to the malware family.
    • description: <string> description / additional information about the first activity seen related to the malware family.
    • first_seen: <integer> the first time this first activity date has been attributed to the malware family (UTC timestamp).
    • last_seen: <integer> the last time this first activity date has been attributed to the malware family (UTC timestamp).
    • value: <string> date when the first observation about that malware family was made ("YYYY-MM-DDTHH:mm:ssZ" format).
  • last_modification_date: <integer> last time when the malware family's information was updated (UTC timestamp).
  • last_seen_details: <list of dictionaries> dictionaries with additional information related to the malware family's last activity, differentiating between confirmed and unconfirmed activity.
    • confidence: <string> confidence on the information or the attribution of the last activity seen related to the malware family.
    • description: <string> description / additional information about the last activity seen related to the malware family.
    • first_seen: <integer> the first time this last activity date has been attributed to the malware family (UTC timestamp).
    • last_seen: <integer> the last time this last activity date has been attributed to the malware family (UTC timestamp).
    • value: <string> date when the last observation about that malware family was made ("YYYY-MM-DDTHH:mm:ssZ" format).
  • malware_roles: <list of dictionaries> the list of malware roles associated to the malware family.
    • confidence: <string> the confidence of the malware family's associated role.
    • description: <string> descriptive information related to the malware family's associated role.
    • first_seen: <integer> the first time when the malware role was associated to the malware family (UTC timestamp).
    • last_seen: <integer> the last time when the malware role was associated to the malware family (UTC timestamp).
    • value: <string> the malware role name associated to the malware family.
  • name: <string> malware family's name.
  • operating_systems: <list of dictionaries> operating systems affected by the malware family. Possible values: Android, BSD, FreeBSD, Linux, Mac, Unix, VMkernel, Windows, iOS.
    • confidence: <string> the confidence that the operating system is affected by the malware family.
    • description: <string> descriptive information related to the malware family's targeted operating system.
    • first_seen: <integer> the first time when the operating system was associated to the malware family (UTC timestamp).
    • last_seen: <integer> the last time when the operating system was associated to the malware family (UTC timestamp).
    • value: <string> operating system name.
  • origin: <string> identifies the source of the information. "Partner" for curated objects from trusted partners and security researchers, and "Google Threat Intelligence" for curated objects from our Google TI experts.
  • private: <boolean> whether the malware family object is private or not.
  • recent_activity_relative_change: <float> ratio of change between the last two "recent activity" periods. Note: a "recent activity" period is 14 days.
  • recent_activity_summary: <list of integers> time series representing the activity of the indicators of compromise related to the malware family over the last 2 weeks.
  • source_regions_hierarchy: <list of dictionaries> country or region from which the malware family is known to originate.
    • confidence: <string> confidence on the information related to the source region of the malware family.
    • country: <string> country from which malware family is known to originate.
    • country_iso2: <string> source country in ISO 3166 Alpha2 - code format.
    • description: <string> description / additional information about the source region of the malware family.
    • first_seen: <integer> the first time this source region was attributed to the malware family (UTC timestamp).
    • last_seen: <integer> the last time this source region was attributed to the malware family (UTC timestamp).
    • region: <string> region from which the malware family is known to originate.
    • source: <string> information's supplier.
    • sub_region: <string> subregion from which the malware family is known to originate.
  • status: <string> indicates whether the object has attributes pending recomputation (e.g. top_icon_md5 after making changes). The possible values are PENDING_RECOMPUTE and COMPUTED.
  • tags_details: <list of dictionaries> dictionaries of tags associated with the malware family with additional context.
    • confidence: <string> confidence on the information or the tag association to the malware family.
    • description: <string> description / additional information related to the tag associated to the malware family.
    • first_seen: <integer> the first time this tag was attributed to the malware family (UTC timestamp).
    • last_seen: <integer> the last time this tag was attributed to the malware family (UTC timestamp).
    • value: <string> value of the tag.
  • targeted_industries_tree: <list of dictionaries> list of industries and industry groups known to be targeted by the malware family.
    • confidence: <string> confidence on the information or the industry targeted by the malware family.
    • description: <string> description / additional information related to the industry targeted by the malware family.
    • first_seen: <integer> the first time this targeted industry was associated with the malware family (UTC timestamp).
    • industry: <string> sub-industry targeted by the malware family.
    • industry_group: <string> industry group targeted by the malware family.
    • last_seen: <integer> the last time this targeted industry was associated with the malware family (UTC timestamp).
    • source: <string> information's supplier.
  • targeted_regions_hierarchy: <list of dictionaries> list of regions and countries known to be targeted by the malware family.
    • confidence: <string> confidence on the information or the malware family's targeted region association.
    • country: <string> malware family's targeted country.
    • country_iso2: <string> targeted country in ISO 3166 Alpha2 - code format.
    • description: <string> description / additional information related to the malware family's targeted region.
    • first_seen: <integer> the first time this targeted region was associated with the current malware family (UTC timestamp).
    • last_seen: <integer> the last time this targeted region was associated with the current malware family (UTC timestamp).
    • region: <string> malware family's targeted region.
    • source: <string> information's supplier.
    • sub_region: <string> malware family's targeted sub-region.
  • top_icon_md5: <list of strings> MD5 hashes of the 3 most frequent icons among the malware family's associated IoCs (file icons, and URL and domain favicons).
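The following Python is an added example, not code from the Google TI documentation. It reads a malware family object shaped like the attribute list above into the fields an analyst pivots on (aliases, detection names, affected operating systems, activity window), filters the per-entry dictionaries by their confidence label, renders the UTC timestamps, cross-checks the iocs counter against the per-type counters, and builds a detection-name-to-family index for enriching scan verdicts. The object itself is constructed: field names follow the documentation, but every value (family name, aliases, dates, counts) is invented, and treating "confirmed" as the trusted confidence label is an assumption taken from the "confirmed and unconfirmed activity" wording above.

```python
"""Read a Google TI malware family object into the fields an analyst pivots on.
Added example; not code from the Google TI documentation."""
from datetime import datetime, timezone

# Constructed sample object: field names follow the attribute list in the
# documentation, every value is invented for illustration.
SAMPLE_FAMILY = {
    "collection_type": "malware_family",
    "name": "EXAMPLELOADER",
    "origin": "Google Threat Intelligence",
    "private": False,
    "status": "COMPUTED",
    "creation_date": 1700000000,
    "last_modification_date": 1717200000,
    "alt_names_details": [
        {"value": "ExLoader", "confidence": "confirmed", "description": "",
         "first_seen": 1700000000, "last_seen": 1717200000},
        {"value": "Loader.Foo", "confidence": "unconfirmed",
         "description": "single vendor naming", "first_seen": 1701000000,
         "last_seen": 1701000000},
    ],
    "detection_names": [
        {"value": "Trojan.ExLoader", "confidence": "confirmed", "description": "",
         "first_seen": 1700000000, "last_seen": 1717200000},
    ],
    "operating_systems": [
        {"value": "Windows", "confidence": "confirmed", "description": "",
         "first_seen": 1700000000, "last_seen": 1717200000},
        {"value": "Linux", "confidence": "unconfirmed", "description": "",
         "first_seen": 1710000000, "last_seen": 1710000000},
    ],
    "first_seen_details": [
        {"value": "2023-11-14T00:00:00Z", "confidence": "confirmed",
         "description": "", "first_seen": 1700000000, "last_seen": 1717200000},
    ],
    "last_seen_details": [
        {"value": "2024-05-31T00:00:00Z", "confidence": "confirmed",
         "description": "", "first_seen": 1717200000, "last_seen": 1717200000},
    ],
    "counters": {"files": 120, "urls": 4, "domains": 9, "ip_addresses": 3,
                 "iocs": 136, "attack_techniques": 12, "subscribers": 2},
    "recent_activity_summary": [0, 1, 0, 3, 2, 0, 0, 5, 1, 0, 0, 2, 0, 1],
    "recent_activity_relative_change": 0.25,
}


def utc_iso(ts):
    """Render a UTC epoch-seconds timestamp in the "YYYY-MM-DDTHH:mm:ssZ"
    format that first_seen_details / last_seen_details values use."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def values_with_confidence(entries, accepted):
    """Keep the 'value' of each *_details entry whose confidence label is in
    `accepted`. Which labels to trust is a policy decision, so it is a
    parameter rather than a hard-coded list."""
    return [e["value"] for e in entries if e.get("confidence") in accepted]


def summarize_family(obj, accepted=frozenset({"confirmed"})):
    """Flatten the parts of a malware family object used for enrichment.
    The default label 'confirmed' is an assumption, not a documented enum."""
    if obj.get("collection_type") != "malware_family":
        raise ValueError(f"not a malware family object: {obj.get('collection_type')!r}")
    counters = obj.get("counters", {})
    ioc_sum = sum(counters.get(k, 0) for k in ("files", "urls", "domains", "ip_addresses"))
    return {
        "name": obj["name"],
        "origin": obj.get("origin"),
        "aliases": values_with_confidence(obj.get("alt_names_details", []), accepted),
        "detection_names": values_with_confidence(obj.get("detection_names", []), accepted),
        "operating_systems": values_with_confidence(obj.get("operating_systems", []), accepted),
        "first_seen": values_with_confidence(obj.get("first_seen_details", []), accepted),
        "last_seen": values_with_confidence(obj.get("last_seen_details", []), accepted),
        "created": utc_iso(obj["creation_date"]),
        "last_modified": utc_iso(obj["last_modification_date"]),
        # iocs is documented as files + URLs + domains + IP addresses; flag drift
        "counters_consistent": counters.get("iocs") == ioc_sum,
        "recent_activity_total": sum(obj.get("recent_activity_summary", [])),
        "recent_activity_relative_change": obj.get("recent_activity_relative_change"),
    }


def detection_name_index(families, accepted=frozenset({"confirmed"})):
    """Map lower-cased external detection names to family names, so an AV
    verdict from a scan report can be resolved to a tracked family."""
    index = {}
    for fam in families:
        for name in values_with_confidence(fam.get("detection_names", []), accepted):
            index[name.lower()] = fam["name"]
    return index


if __name__ == "__main__":
    for key, value in summarize_family(SAMPLE_FAMILY).items():
        print(f"{key}: {value}")
    print(detection_name_index([SAMPLE_FAMILY]))
```

Passing a wider `accepted` set (for example `{"confirmed", "unconfirmed"}`) pulls in the lower-confidence aliases and operating systems; keep the default narrow when the output feeds blocking or alerting rather than triage.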

Relationships

In addition to the attributes described above, malware family objects have relationships with other objects in our dataset; these can be retrieved as explained in the Relationships section.

The following list summarizes the available relationships and the object type each one returns.

  • associations: list of all objects (Reports, Campaigns, IoC collections, Malware families, Software and Toolkits, Vulnerabilities, Threat Actors) associated with the current malware family, without filtering by object type.
  • attack_techniques: list of MITRE ATT&CK techniques.
  • autogenerated_graphs: list of graphs related to the current malware family.
  • campaigns: list of associated Campaign objects.
  • collections: list of associated IoC collection objects.
  • comments: list of Comments.
  • domains: list of Domains associated with the malware family.
  • editors: list of users, groups and data connectors that can edit this malware family (only available to the owner or editors of the entity).
  • files: list of Files associated with the malware family.
  • hunting_rulesets: list of curated YARA rulesets assigned by the entity owner.
  • ip_addresses: list of IP addresses associated with the malware family.
  • malware_families: list of associated Malware family objects.
  • owner: user who created the object.
  • related_collections: list of objects (Reports, Campaigns, IoC collections, Malware families, Software and Toolkits, Vulnerabilities, Threat Actors) containing IoCs associated with this entity.
  • reports: list of associated Report objects.
  • sigma_rules: list of crowdsourced Sigma rulesets matching at least one file associated with this malware family.
  • software_toolkits: list of associated Software or Toolkit objects.
  • threat_actors: list of Threat Actor objects associated with the current malware family.
  • urls: list of URLs associated with the malware family.
  • viewers: list of users, groups and data connectors that can view the entity (only available to the owner or editors of the entity).
  • vulnerabilities: list of associated Vulnerability objects.
  • yara_rulesets: list of crowdsourced YARA rulesets matching at least one file associated with this malware family.
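As an added example (not Google TI's own client code), the Python below walks the four IoC relationships of a malware family (files, domains, ip_addresses, urls) page by page and collects the indicators into sets suitable for a blocklist. It assumes the public VirusTotal / Google TI v3 REST shape for listing a relationship: GET {API_BASE}/collections/{id}/{relationship}?limit=N&cursor=C with an x-apikey header, a "data" list of objects and a "meta.cursor" continuation token; the base URL, the "malware--" id form and the way URL objects carry their value under attributes.url are assumptions to verify against the Relationships section. The transport is injected, and the run below uses a constructed in-memory fake, so it executes offline; the collection id and every indicator in it are invented.

```python
"""Walk a malware family's IoC relationships with cursor pagination.
Added example; not Google TI's own client code."""
import json
import urllib.request
from urllib.parse import urlencode

API_BASE = "https://www.virustotal.com/api/v3"  # assumed base URL


def relationship_url(collection_id, relationship, limit=40, cursor=None):
    """Assumed endpoint shape: /collections/{id}/{relationship}?limit=&cursor=."""
    params = {"limit": limit}
    if cursor:
        params["cursor"] = cursor
    return f"{API_BASE}/collections/{collection_id}/{relationship}?{urlencode(params)}"


def http_get_json(url, api_key):
    """Real transport: one authenticated GET returning the decoded JSON body."""
    req = urllib.request.Request(url, headers={"x-apikey": api_key, "accept": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def iter_related(collection_id, relationship, fetch, limit=40):
    """Yield every object of one relationship, following meta.cursor until the
    server stops returning one. `fetch(url) -> dict` is injected so the walk
    can run against a fake transport offline."""
    cursor = None
    seen_cursors = set()
    while True:
        page = fetch(relationship_url(collection_id, relationship, limit, cursor))
        for item in page.get("data", []):
            yield item
        cursor = page.get("meta", {}).get("cursor")
        if not cursor:
            return
        if cursor in seen_cursors:  # defensive: never spin on a repeated cursor
            raise RuntimeError(f"cursor {cursor!r} repeated for {relationship}")
        seen_cursors.add(cursor)


IOC_RELATIONSHIPS = ("files", "domains", "ip_addresses", "urls")


def ioc_value(item):
    """Indicator value for blocking. File, domain and IP objects carry the
    hash / name / address as their id; URL objects carry the URL under
    attributes.url (assumed from the VT v3 URL object shape)."""
    if item.get("type") == "url":
        return item.get("attributes", {}).get("url", item["id"])
    return item["id"]


def collect_iocs(collection_id, fetch, limit=40):
    """Pull the four IoC relationships of a malware family into sets."""
    return {rel: {ioc_value(i) for i in iter_related(collection_id, rel, fetch, limit)}
            for rel in IOC_RELATIONSHIPS}


# Constructed offline transport: URL -> response body, standing in for the API.
# The collection id and every indicator below are invented.
FAKE_ID = "malware--00000000-0000-4000-8000-000000000000"
FAKE_PAGES = {
    relationship_url(FAKE_ID, "files", 2): {
        "data": [{"type": "file", "id": "a" * 64}, {"type": "file", "id": "b" * 64}],
        "meta": {"cursor": "page2"}},
    relationship_url(FAKE_ID, "files", 2, "page2"): {
        "data": [{"type": "file", "id": "c" * 64}], "meta": {}},
    relationship_url(FAKE_ID, "domains", 2): {
        "data": [{"type": "domain", "id": "loader.example.invalid"}], "meta": {}},
    relationship_url(FAKE_ID, "ip_addresses", 2): {"data": [], "meta": {}},
    relationship_url(FAKE_ID, "urls", 2): {
        "data": [{"type": "url", "id": "u1",
                  "attributes": {"url": "http://loader.example.invalid/gate.php"}}],
        "meta": {}},
}


def fake_fetch(url):
    return FAKE_PAGES[url]  # KeyError for an unknown page, like an HTTP 404


if __name__ == "__main__":
    for rel, values in collect_iocs(FAKE_ID, fake_fetch, limit=2).items():
        print(rel, sorted(values))
```

Against the live API, swap in `lambda url: http_get_json(url, api_key)` as the fetcher; the counters attribute of the family object gives the expected size of each set, which is a cheap check that the walk did not stop early.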