Ph0neutria is a malware zoo builder that sources samples straight from the wild. Everything is stored in Viper for ease of access and manageability.
It aims to:
What does the name mean? “Phoneutria nigriventer” is commonly known as the Brazillian Wandering Spider: https://en.wikipedia.org/wiki/Brazilian_wandering_spider
Also Read – PAnalizer : Forensic Tool Search Images In A Specific Directory
Sources
As of version 1.0.0 all sources are created as ‘plugins’, found in the plugin sub-directory of the core scripts folder. Default sources are:
Each plugin has parameters that must be completed prior to operation. You’ll find these at the top of each plugin file.
VirusTotal is a core component of ph0neutria that cannot be disabled. IP lists are fed into it to discover URL’s that are known for the IP’s. If you have a standard 5 request/minute API key then I’d encourage being conservative with what you feed it. You can do this by:
Screenshots
Installation
The following script will install ph0neutria along with Viper and Tor:
wget https://raw.githubusercontent.com/phage-nz/ph0neutria/master/install.sh
chmod +x install.sh
sudo ./install.sh
Optional
Configure additional ClamAV signatures:
cd /tmp
git clone https://github.com/extremeshok/clamav-unofficial-sigs
cd clamav-unofficial-sigs
cp clamav-unofficial-sigs.sh /usr/local/bin
chmod 755 /usr/local/bin/clamav-unofficial-sigs.sh
mkdir /etc/clamav-unofficial-sigs
cp config/* /etc/clamav-unofficial-sigs
cd /etc/clamav-unofficial-sigs
Rename os..conf to os.conf, for example:
mv os.ubuntu.conf os.conf
Modify configuration files:
mkdir /var/log/clamav-unofficial-sigs
clamav-unofficial-sigs.sh –install-cron
clamav-unofficial-sigs.sh –install-logrotate
clamav-unofficial-sigs.sh –install-man
clamav-unofficial-sigs.sh
cd /tmp/clamav-unofficial-sigs
cp systemd/* /etc/systemd
cd ..
rm -rf clamav-unofficial-sigs*
It’ll take a while to pull down the new signatures – during which time ClamAV may not be available.
Take precautions when piecing together your malware zoo:
Ensure Tor is started:
service tor restart
Start the Viper API and web interface:
cd /opt/viper
sudo -H -u spider python3 viper-web
Take note of the admin password that is created when Viper is started. Use this to log into http://<viper IP\>:<viper port>/admin
(default: http://127.0.0.1:8080/admin
) and retrieve the API token from the Tokens page.
The main Viper web interface will be available at http://<viper IP>:<viper port>
(default: http://127.0.0.1:8080
).
/opt/ph0neutria/core/config/settings.conf
/opt/ph0neutria/core/plugins/*.py
Start ph0neutria:
cd /opt/ph0neutria
sudo -H -u spider python3 run.py
You can press Ctrl+C at any time to kill the run. You are free to run it again as soon as you’d like – you can’t end up with database duplicates.
To run this daily, create a script in /etc/cron.daily with the following:
!/bin/bash
cd /opt/ph0neutria && sudo -H -u spider python3 run.py*
Tags and Notes
Tags:
{1},{2},{3}
Notes:
{1)({2}) via {3}
The original name of the file forms the identifying name within Viper.
Kali Linux 2024.4, the final release of 2024, brings a wide range of updates and…
This Go program applies a lifetime patch to PowerShell to disable ETW (Event Tracing for…
GPOHunter is a comprehensive tool designed to analyze and identify security misconfigurations in Active Directory…
Across small-to-medium enterprises (SMEs) and managed service providers (MSPs), the top priority for cybersecurity leaders…
The free and open-source security platform SecHub, provides a central API to test software with…
Don't worry if there are any bugs in the tool, we will try to fix…