{
  "$schema": "https://json-schema.org/draft/2020-12/schema",
  "$id": "https://raw.githubusercontent.com/api-evangelist/us-cyber-command/refs/heads/main/json-schema/uscybercom-malware-sample-schema.json",
  "title": "MalwareSample",
  "description": "A malware sample shared by USCYBERCOM's Cyber National Mission Force (CNMF) via VirusTotal, attributed to a state-sponsored threat actor.",
  "type": "object",
  "properties": {
    "sha256": {
      "type": "string",
      "description": "SHA-256 hash of the malware sample file.",
      "pattern": "^[0-9a-fA-F]{64}$",
      "example": "a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2"
    },
    "md5": {
      "type": "string",
      "description": "MD5 hash of the malware sample file.",
      "pattern": "^[0-9a-fA-F]{32}$"
    },
    "sha1": {
      "type": "string",
      "description": "SHA-1 hash of the malware sample file.",
      "pattern": "^[0-9a-fA-F]{40}$"
    },
    "file_name": {
      "type": "string",
      "description": "Original filename of the malware sample, if known.",
      "example": "update.exe"
    },
    "file_type": {
      "type": "string",
      "description": "File type or format of the malware sample.",
      "example": "PE32 executable"
    },
    "date_shared": {
      "type": "string",
      "format": "date",
      "description": "Date CNMF shared the sample on VirusTotal."
    },
    "threat_actor": {
      "type": "string",
      "description": "Threat actor or group to which this sample is attributed.",
      "example": "Lazarus Group"
    },
    "nation_state": {
      "type": "string",
      "description": "Nation-state sponsor attributed to the threat actor.",
      "enum": [
        "Russia",
        "Iran",
        "North Korea",
        "China",
        "Other",
        "Unknown"
      ]
    },
    "malware_family": {
      "type": "string",
      "description": "Name of the malware family or variant.",
      "example": "MuddyWater"
    },
    "malware_type": {
      "type": "string",
      "description": "Classification of malware functionality.",
      "enum": [
        "Remote Access Trojan",
        "Backdoor",
        "Ransomware",
        "Wiper",
        "Dropper",
        "Loader",
        "Keylogger",
        "Credential Stealer",
        "Destructive Malware",
        "Spyware",
        "Rootkit"
      ]
    },
    "virustotal_url": {
      "type": "string",
      "format": "uri",
      "description": "VirusTotal URL for this malware sample.",
      "example": "https://www.virustotal.com/gui/file/a1b2c3d4e5f6/detection"
    },
    "advisory_url": {
      "type": "string",
      "format": "uri",
      "description": "URL to the USCYBERCOM news release or advisory accompanying this sample."
    },
    "iocs": {
      "type": "array",
      "description": "Indicators of Compromise associated with this malware sample.",
      "items": {
        "type": "object",
        "properties": {
          "type": {
            "type": "string",
            "enum": ["IP", "Domain", "URL", "File Hash", "Email", "Registry Key"],
            "description": "Type of indicator."
          },
          "value": {
            "type": "string",
            "description": "Value of the indicator."
          }
        },
        "required": ["type", "value"]
      }
    }
  },
  "required": ["sha256", "date_shared", "nation_state"]
}