Ph0neutria is a malware zoo builder that sources samples straight from the wild. Everything is stored in Viper for ease of access and manageability.
It aims to:
What does the name mean? “Phoneutria nigriventer” is commonly known as the Brazillian Wandering Spider: https://en.wikipedia.org/wiki/Brazilian_wandering_spider
Also Read – PAnalizer : Forensic Tool Search Images In A Specific Directory
Sources
As of version 1.0.0 all sources are created as ‘plugins’, found in the plugin sub-directory of the core scripts folder. Default sources are:
Each plugin has parameters that must be completed prior to operation. You’ll find these at the top of each plugin file.
VirusTotal is a core component of ph0neutria that cannot be disabled. IP lists are fed into it to discover URL’s that are known for the IP’s. If you have a standard 5 request/minute API key then I’d encourage being conservative with what you feed it. You can do this by:
Screenshots
Installation
The following script will install ph0neutria along with Viper and Tor:
wget https://raw.githubusercontent.com/phage-nz/ph0neutria/master/install.sh
chmod +x install.sh
sudo ./install.sh
Optional
Configure additional ClamAV signatures:
cd /tmp
git clone https://github.com/extremeshok/clamav-unofficial-sigs
cd clamav-unofficial-sigs
cp clamav-unofficial-sigs.sh /usr/local/bin
chmod 755 /usr/local/bin/clamav-unofficial-sigs.sh
mkdir /etc/clamav-unofficial-sigs
cp config/* /etc/clamav-unofficial-sigs
cd /etc/clamav-unofficial-sigs
Rename os..conf to os.conf, for example:
mv os.ubuntu.conf os.conf
Modify configuration files:
mkdir /var/log/clamav-unofficial-sigs
clamav-unofficial-sigs.sh –install-cron
clamav-unofficial-sigs.sh –install-logrotate
clamav-unofficial-sigs.sh –install-man
clamav-unofficial-sigs.sh
cd /tmp/clamav-unofficial-sigs
cp systemd/* /etc/systemd
cd ..
rm -rf clamav-unofficial-sigs*
It’ll take a while to pull down the new signatures – during which time ClamAV may not be available.
Take precautions when piecing together your malware zoo:
Ensure Tor is started:
service tor restart
Start the Viper API and web interface:
cd /opt/viper
sudo -H -u spider python3 viper-web
Take note of the admin password that is created when Viper is started. Use this to log into http://<viper IP\>:<viper port>/admin (default: http://127.0.0.1:8080/admin) and retrieve the API token from the Tokens page.
The main Viper web interface will be available at http://<viper IP>:<viper port> (default: http://127.0.0.1:8080).
/opt/ph0neutria/core/config/settings.conf/opt/ph0neutria/core/plugins/*.pyStart ph0neutria:
cd /opt/ph0neutria
sudo -H -u spider python3 run.py
You can press Ctrl+C at any time to kill the run. You are free to run it again as soon as you’d like – you can’t end up with database duplicates.
To run this daily, create a script in /etc/cron.daily with the following:
!/bin/bash
cd /opt/ph0neutria && sudo -H -u spider python3 run.py*
Tags and Notes
Tags:
{1},{2},{3}
Notes:
{1)({2}) via {3}
The original name of the file forms the identifying name within Viper.
Learning Without Walls Remote education has long been a lifeline for students in rural areas…
Have you ever come across a picture on the internet and wondered where it came…
Overview WhatsMyName is a free, community-driven OSINT tool designed to identify where a username exists…
Managing disk usage is a crucial task for Linux users and administrators alike. Understanding which…
Efficient disk space management is vital in Linux, especially for system administrators who manage servers…
Knowing how to check directory sizes in Linux is essential for managing disk space and…