ph0neutria is a malware zoo builder that sources samples straight from the wild. Everything is stored in Viper for ease of access and manageability.
Switch branches/tags
Nothing to show
Clone or download
Latest commit f2e9f5d Sep 28, 2018
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
core MalShare HTTPS. Sep 28, 2018
data v1.0.0 initial commit. Sep 14, 2018
res v1.0.0 initial commit. Sep 14, 2018
tmp v1.0.0 initial commit. Sep 14, 2018
LICENSE Create LICENSE Mar 4, 2018
__init__.py v1.0.0 initial commit. Sep 14, 2018
install.sh v1.0.0 initial commit. Sep 14, 2018
readme.md Readme update. Sep 14, 2018
requirements.txt v1.0.0 initial commit. Sep 14, 2018
run.py v1.0.0 initial commit. Sep 14, 2018

readme.md

ph0neutria

ph0neutria malware crawler
v1.0.0
https://github.com/phage-nz/ph0neutria

About

ph0neutria is a malware zoo builder that sources samples straight from the wild. Everything is stored in Viper for ease of access and manageability.

This project was inspired by Ragpicker (https://github.com/robbyFux/Ragpicker, formerly known as "Malware Crawler"). However, ph0neutria aims to:

  • Limit the scope of crawling to only frequently updated and reliable sources.
  • Maximise the effectiveness of individual indicators.
  • Offer a single, reliable and well organised storage mechanism.
  • Not do work that can instead be done by Viper.

What does the name mean? "Phoneutria nigriventer" is commonly known as the Brazillian Wandering Spider: https://en.wikipedia.org/wiki/Brazilian_wandering_spider

Sources

As of version 1.0.0 all sources are created as 'plugins', found in the plugin sub-directory of the core scripts folder. Default sources are:

  • CleanMX (requires approved user-agent).
  • Cymon, which includes: Abuse.ch trackers, Bambenek C2 feed, Cyber Crime Tracker, Malc0de, URLVir and VX Vault.
  • Hybrid Analysis (requires vetted API key).
  • OTX.
  • Shodan, using the Malware Hunter search facility.
  • URLhaus.

Each plugin has parameters that must be completed prior to operation. You'll find these at the top of each plugin file.

VirusTotal is a core component of ph0neutria that cannot be disabled. IP lists are fed into it to discover URL's that are known for the IP's. If you have a standard 5 request/minute API key then I'd encourage being conservative with what you feed it. You can do this by:

  • Reducing the number of Cymon feeds.
  • Reducing your OTX subscription count.
  • Setting the Hybrid Analysis SCORE_MIN parameter to 100.

Screenshots

CLI
CLI
CLI
Web
Web
Web

Version Notes

  • 0.6.0: Tor proxying requires pysocks (pip install pysocks) and at least version 2.10.0 of python requests for SOCKS proxy support.
  • 0.9.0: OSINT functionality pulled from Phage Malware Tracker (private project) - requires VirusTotal API key. More robust retrieval of wild files. Local URL and hash caching (reduces API load).
  • 0.9.1: Updated to use V3 Viper API. No longer compatiable with V2.
  • 1.0.0: Major update. Pull from Safari Guide malware pipeline. Plugin architecture. Python 3.0.

Installation

The following script will install ph0neutria along with Viper and Tor:

wget https://raw.githubusercontent.com/phage-nz/ph0neutria/master/install.sh  
chmod +x install.sh  
sudo ./install.sh  

Simple as that!

Optional:

Configure additional ClamAV signatures:

cd /tmp  
git clone https://github.com/extremeshok/clamav-unofficial-sigs  
cd clamav-unofficial-sigs  
cp clamav-unofficial-sigs.sh /usr/local/bin  
chmod 755 /usr/local/bin/clamav-unofficial-sigs.sh  
mkdir /etc/clamav-unofficial-sigs  
cp config/* /etc/clamav-unofficial-sigs  
cd /etc/clamav-unofficial-sigs

Rename os..conf to os.conf, for example:

mv os.ubuntu.conf os.conf  

Modify configuration files:

  • master.conf: search for "Enabled Databases" and enable/disable desired sources.
  • user.conf: uncomment the required lines for sources you have enabled and complete them. user.conf overrides master.conf. You must uncomment user_configuration_complete="yes" once you've completed setup for the following commands to succeed.

For more configuration info see: https://github.com/extremeshok/clamav-unofficial-sigs

mkdir /var/log/clamav-unofficial-sigs  
clamav-unofficial-sigs.sh --install-cron  
clamav-unofficial-sigs.sh --install-logrotate  
clamav-unofficial-sigs.sh --install-man  
clamav-unofficial-sigs.sh  
cd /tmp/clamav-unofficial-sigs  
cp systemd/\* /etc/systemd  
cd ..  
rm -rf clamav-unofficial-sigs*  

It'll take a while to pull down the new signatures - during which time ClamAV may not be available.

Usage

Take precautions when piecing together your malware zoo:

Ensure Tor is started:

service tor restart

Start the Viper API and web interface:

cd /opt/viper  
sudo -H -u spider python3 viper-web

Take note of the admin password that is created when Viper is started. Use this to log into http://<viper IP\>:<viper port>/admin (default: http://127.0.0.1:8080/admin) and retrieve the API token from the Tokens page.

The main Viper web interface will be available at http://<viper IP>:<viper port> (default: http://127.0.0.1:8080).

  • Complete the config file at: /opt/ph0neutria/core/config/settings.conf
  • Complete the parameters at the top of each plugin. If you wish to disable the plugin, set DISABLED = True: /opt/ph0neutria/core/plugins/*.py

Start ph0neutria:

cd /opt/ph0neutria  
sudo -H -u spider pytho3n run.py

You can press Ctrl+C at any time to kill the run. You are free to run it again as soon as you'd like - you can't end up with database duplicates.

To run this daily, create a script in /etc/cron.daily with the following:

#!/bin/bash  
cd /opt/ph0neutria && sudo -H -u spider python3 run.py*

Tags and Notes

Tags:
{1},{2},{3}

  • Date stamp.
  • Sample domain.
  • Host ASN.
  • Host country.

Notes:
{1)({2}) via {3}

  • Sample URL.
  • Host IP address.
  • URL source.

The original name of the file forms the identifying name within Viper.

References