Artifacts
Artifacts refer to malware samples that are used to emulate various types of cyber threats. They are essential components of the platform's testing and validation processes, allowing organizations to emulate real-world attack scenarios in a controlled environment.
Each artifact represents a specific type of threat and is designed to mimic the behavior of actual cyberattacks.
Artifact Categories in EVE
The EVE platform categorizes samples into four categories: Known, Obfuscated, Forced, and Zero. A sample can belong to a single category or to a combination of them, such as Known-Obfuscated.
Known: Samples that are well identified and recognized by the security community. Their names follow a fixed structure built on the names commonly used in the industry, so they are easy to identify.
Obfuscated: Samples that have been obfuscated to alter their appearance and behavior, making them harder for security tools to detect. Obfuscated samples mimic more advanced threats that employ evasion techniques.
Forced: Samples that have been encrypted or otherwise modified specifically to bypass security controls, indicating a higher degree of manipulation to evade detection.
Zero: Custom samples created on demand by reveald.
Naming Conventions for Artifacts
Artifacts in EVE are named according to a structured nomenclature that provides clarity and consistency. The naming convention varies depending on whether the artifact is a known, generic, or modified sample.
Known Artifacts (Named)
For named known artifacts, the structure is as follows:
Sample Name: The most common name of the sample, usually found through research on platforms like VirusTotal.
Malware Type: The abbreviation of the malware type from the provided list (e.g., Ransom for ransomware).
Extension: Always .exe.
Example: WannaCry.Ransom.exe
Generic Artifacts
For generic known artifacts, the structure is:
First 5 characters of SHA256: The first five hexadecimal characters of the sample's SHA-256 hash, used as a short identifier in place of a common name. A five-character prefix is short enough that two samples in a large corpus can share it, so the full hash remains the authoritative identifier.
Malware Type: The abbreviation of the malware type from the provided list.
Extension: Always .exe.
Example: e54d1.Adware.exe
Modified Artifacts
Modified artifacts follow similar naming conventions to known artifacts but include an additional identifier for obfuscation or other modifications:
Obf: Indicates that the sample has been obfuscated.
Extension: Always .exe.
Example: WannaCry.Ransom.Obf.exe or e54d1.Adware.Obf.exe
Special Cases
Variants: If a sample has variants, the variant is specified by appending "V" and the variant number to the sample name, before the malware type:
Example: PetyaRedV2.Ransom.Obf.exe
Re-Obfuscated Samples: If a sample has been obfuscated more than once, each subsequent obfuscation is indicated by a consecutive number after Obf (the first obfuscation carries no number):
Example: PetyaRedV2.Ransom.Obf.2.exe
Encrypted Samples (Forced): For samples that have been encrypted, the name includes the identifier "F" for forced:
Example: PetyaRedV2.Ransom.F.exe
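The naming convention above is regular enough to parse mechanically, which is useful when inventorying artifacts or matching detections back to the sample that produced them. The following Python is an added example, not code from EVE or reveald: it parses an artifact filename into its fields (sample name, variant, malware type, obfuscation round, forced flag), derives the category label, rebuilds the filename from the fields, and builds a generic name from a full SHA-256. The malware-type allow-list contains only the two abbreviations shown on this page (the platform's full list is not reproduced here), the ordering of Obf before F when both appear is an assumption, and the hash used in the demo is constructed.

```python
import hashlib
import re
from dataclasses import dataclass
from typing import Optional

# Malware-type abbreviations that appear on this page. The platform's full
# abbreviation list is not reproduced here; this subset is an assumption used
# only for validation in this example.
KNOWN_TYPES = {"Ransom", "Adware"}

# <name>[V<n>].<Type>[.Obf[.<round>]][.F].exe
# The page does not show Obf and F together; accepting "Obf before F" is an
# assumption of this example.
_NAME_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9_-]+?)(?:V(?P<variant>\d+))?"   # WannaCry, PetyaRedV2, e54d1
    r"\.(?P<mtype>[A-Za-z]+)"                              # .Ransom
    r"(?:\.(?P<obf>Obf)(?:\.(?P<obf_round>\d+))?)?"        # .Obf or .Obf.2
    r"(?:\.(?P<forced>F))?"                                # .F
    r"\.exe$"
)
# Generic artifacts use the first five lower-case hex characters of the SHA-256.
_HASH_PREFIX_RE = re.compile(r"^[0-9a-f]{5}$")


@dataclass(frozen=True)
class Artifact:
    name: str                 # common name, or 5-char SHA-256 prefix for generic samples
    malware_type: str         # abbreviation such as Ransom or Adware
    generic: bool             # True when name is a SHA-256 prefix rather than a common name
    variant: Optional[int]    # the n in "V<n>", if present
    obf_round: Optional[int]  # None = not obfuscated, 1 = ".Obf", k = ".Obf.k"
    forced: bool              # ".F" present

    @property
    def categories(self) -> str:
        """Category label in the page's style, e.g. "Known-Obfuscated"."""
        parts = ["Known"]
        if self.obf_round is not None:
            parts.append("Obfuscated")
        if self.forced:
            parts.append("Forced")
        return "-".join(parts)

    def filename(self) -> str:
        """Rebuild the artifact filename from its fields (inverse of parse_artifact)."""
        stem = self.name if self.variant is None else f"{self.name}V{self.variant}"
        parts = [stem, self.malware_type]
        if self.obf_round is not None:
            parts.append("Obf")
            if self.obf_round > 1:          # the first obfuscation carries no number
                parts.append(str(self.obf_round))
        if self.forced:
            parts.append("F")
        return ".".join(parts) + ".exe"


def parse_artifact(filename: str) -> Artifact:
    """Parse an EVE-style artifact filename; raises ValueError if it is off-convention."""
    m = _NAME_RE.match(filename)
    if not m:
        raise ValueError(f"not a valid artifact name: {filename!r}")
    mtype = m.group("mtype")
    if mtype not in KNOWN_TYPES:
        raise ValueError(f"unknown malware-type abbreviation {mtype!r} in {filename!r}")
    obf_round = None
    if m.group("obf"):
        obf_round = int(m.group("obf_round")) if m.group("obf_round") else 1
    return Artifact(
        name=m.group("name"),
        malware_type=mtype,
        generic=bool(_HASH_PREFIX_RE.match(m.group("name"))),
        variant=int(m.group("variant")) if m.group("variant") else None,
        obf_round=obf_round,
        forced=m.group("forced") is not None,
    )


def generic_name(sha256_hex: str, malware_type: str) -> str:
    """Build a generic artifact name from a sample's full SHA-256 (hex)."""
    if not re.fullmatch(r"[0-9a-fA-F]{64}", sha256_hex):
        raise ValueError("expected a 64-hex-character SHA-256")
    return f"{sha256_hex.lower()[:5]}.{malware_type}.exe"


if __name__ == "__main__":
    for fn in ["WannaCry.Ransom.exe", "e54d1.Adware.Obf.exe",
               "PetyaRedV2.Ransom.Obf.2.exe", "PetyaRedV2.Ransom.F.exe"]:
        a = parse_artifact(fn)
        print(f"{fn:30} -> {a.categories:16} round-trip ok: {a.filename() == fn}")
    # Constructed placeholder bytes, not a real sample, just to show the hash step.
    sample = b"constructed placeholder bytes, not a real sample"
    print(generic_name(hashlib.sha256(sample).hexdigest(), "Adware"))
```

Because a five-character prefix is all the generic name carries, keep the full SHA-256 alongside the parsed record when you store results; the filename alone cannot disambiguate two samples that share a prefix.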