In my younger years I had all sorts of collections: books, bottle caps, rocks, coins, action figures, movies, etc. Now, most of those collections sit at the back of my parents shed – although I do still have a tendency to hoard movies.

To many the idea of hoarding malware would be akin to hoarding venomous snakes in a dogs cage. What if one escapes? But, it does serve a very useful purpose of providing huge datasets for analysis – allowing for the creation of new signatures and anti-malware techniques whilst also improving malware analysis abilities.


When I first began developing my malware zoo I was mostly populating it with:

  • Samples pulled down from the wild using Rag Picker.
  • Samples from my honeypots (you can find my “instant honeypot” Vagrant script here).
  • Samples handed to me by staff in my company.

The issues being:

  • Rag Picker hasn’t been updated in about a year. Many of the sources are no longer updated or no longer online, and it’s unnecessarily complicated.
  • Most of the samples my honetpot captures are months old – although it does get the occasional unknown.
  • I want more than the two samples I get from staff most days.

I quite liked the approach that Rag Picker had, but felt there was a plenty of room for improvement. So, I began redeveloping it.

A few days of development led to the initial release of ph0neutria. Named after the aggressive Brazillian Wandering Spider, ph0neutria made a few improvements on what Rag Picker presently offered:

  • It limits the scope of crawling to only what’s defined in reputable and frequently updated lists.
  • It offers only a single, reliable and well organised storage mechanism: Viper Framework.
  • It does not attempt to do work that can instead be done by Viper.

At present, ph0neutria sources lists from MalShare, Malc0de and VX Vault. Only the lists can be sourced from Malc0de and VX Vault, whereas the MalShare API can also be used to obtain binaries where they have been removed from their original source. As the MalShare API only permits 1000 sample requests per day (although most days there is no more than this offered), I’ve made a few configuration options that can help reduce reliance on the API (and thus reduce load on their API):

  • Attempt to retrieve files from the wild first.
  • Retrieve files only from the wild.
  • Disable MalShare and only retrieve files from the lists obtained from Malc0de and VX Vault.

The work flow is fairly simple:

  • Obtain the lists.
    • MD5 hash list: used to retrieve files from the MalShare API. It’s first ensured that there’s no file in Viper with the same hash.
    • URL lists: used to retrieve files from the wild. As Viper currenlty converts all tags to lowercase, a hash is taken of the URL and stored as a tag so that it can be later used to verify if a file from a specific URL has been loaded into Viper.
  • Pull down the files to a temporary location.
  • If required, generate an MD5 checksum of the files and ensure they aren’t already in Viper.
  • Load new samples into Viper with the following tags:
    • MD5 checksum of file.
    • Source domain.
    • Source URL.
    • MD5 checksum of URL.
    • Date.
  • Interact with the files in Viper:
    • Download to disk.
    • Send them to Cuckoo.
    • Send them to VirusTotal.
    • Extract strings, metadata, etc.
    • Parse for shellcode patterns.
    • Scan with Yara rules.
    • etc.

It really is an awesome framework.


ph0neutria cli
viper – file list
viper – viewing a file (tags can be used to list samples with common elements)
viper – running virustotal module (requires api key)
viper – hex view of binary


You can get the source and installation instructions for ph0neutria on GitHub.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s