The MBC malware corpus comprises a variety of malware; each entry is decomposed into behaviors that are mapped to ATT&CK and MBC. The mappings are based on open-source malware analysis reports and are separated into three categories: "ATT&CK Techniques," "Enhanced ATT&CK Techniques," and "MBC Behaviors."
- ATT&CK Techniques: If a malware entry is not included in ATT&CK's software collection, then all ATT&CK techniques to which its malware behaviors map are listed. If a malware entry is included in ATT&CK's software collection, then the corresponding software page is referenced under "ATT&CK Techniques" (individual mappings not captured in ATT&CK are still listed). These techniques have T identifiers (e.g., T1012).
- Enhanced ATT&CK Techniques: Any ATT&CK techniques that would be listed under "ATT&CK Techniques" but have been enhanced in MBC are listed in this section instead. These techniques have E and F identifiers (e.g., E1560, F0008).
- MBC Behaviors: This section lists all MBC behaviors to which an entry's malware behaviors map. These techniques have B and C identifiers (e.g., B0032, C0010).
Please see Poison-Ivy X0014 and Kovter X0009 for examples of malware entries included and not included in ATT&CK's collection, respectively.
- Bagle X0001
- Black Energy X0002
- Conficker X0003
- CryptoLocker X0030
- CryptoWall X0029
- Dark Comet X0004
- DNSChanger X0005
- Emotet X0028
- Gamut X0006
- Geneio X0007
- GotBotKR X0027
- GravityRAT X0032
- Heriplor X0026
- Hupigon X0008
- Kovter X0009
- Kraken X0010
- Locky Bart X0011
- Mazarbot X0012
- Mebromi X0013
- Poison-Ivy X0014
- Redhip X0015
- Rombertik X0031
- SamSam X0016
- SearchAwesome X0017
- Shamoon X0018
- Stuxnet X0019
- SYNful Knock X0020
- Terminator X0021
- TrickBot X0025
- UP007 X0033
- Ursnif X0022
- WebCobra X0023
- YiSpecter X0024