Categories: Kali Linux

theZoo – A Repository Of LIVE Malwares For Your Own Joy & Pleasure

theZoo purpose is to allow the study of malware and enable people who are interested in malware analysis to have access to live malware, analyses the ways they operate, and maybe even enable advanced and savvy people to block specific malware within their own environment.

We recommend running them in a VM which has no internet connection (or an internal virtual network if you must) and without guest additions or any equivalents. Some of them are worms and will automatically try to spread out. Running them unconstrained means that you will infect yourself or others with vicious and dangerous malware.

Root Files

/conf

The conf folder holds files relevant to the particular running of the program but are not part of the application. You can find the EULA file in the conf and more.

/imports

Contains .py and .pyc import files used by the rest of the application

/malwares/Binaries

The actual malwares samples.

/malware/Source

Malware source code.

Also Read UploadScanner : HTTP file upload scanner for Burp Proxy

theZoo Directory Structure

Each directory is composed of 4 files:

  • Malware files in an encrypted ZIP archive.
  • SHA256 sum of the 1st file.
  • MD5 sum of the 1st file.
  • Password file for the archive.

Structure of maldb.db

maldb.db is the DB which theZoo is acting upon to find malware indexed on your drive. The structure is as follows:

uid,location,type,name,version,author,language,date,architecture,platform,comments,tags
  • UID – Determined based on the indexing process.
  • Location – The location on the drive of the malware you have searched for.
  • Type – Sorts the different types of malware there are. So far we sort by: Virus, Trojans, Botnets, Ransomware, Spyware
  • Name – Just the name of the malware.
  • Version – Nothing to say here as well.
  • Author – … I’m not that into documentation…
  • Programming Language – The state of the malware in regard to source, bin, or which type of source. c/cpp/bin…
  • Date – See ‘Author’ section.
  • Architecture – The arch the platform was build for. Can be x86, x64, arm7….
  • Platform – Win32, Win64, *nix32, *nix64, iOS, android and so on.
  • Comments – Any comments there may be about the item.
  • Tags – Tags matching the item.

An example line will look as follow:

104,Source/Original/Dexter,trojan,Dexter,2,unknown,c,00/05/2013,x86,win32,NULL,Source

Submit Malware

Get the file you want to submit and just run python prep_file.py file_tosubmit.exe. It will create a directory for you. Then just submit that along with the changes to the conf/maldb.db so that we know which malware it is.

Credit: Yuval Nativ, Lahad Ludar, 5fingers

R K

Recent Posts

Bomber : Navigating Security Vulnerabilities In SBOMs

bomber is an application that scans SBOMs for security vulnerabilities. So you've asked a vendor…

14 hours ago

EmbedPayloadInPng : A Guide To Embedding And Extracting Encrypted Payloads In PNG Files

Embed a payload within a PNG file by splitting the payload across multiple IDAT sections.…

14 hours ago

Exploit Street – Navigating The New Terrain Of Windows LPEs

Exploit-Street, where we dive into the ever-evolving world of cybersecurity with a focus on Local…

3 days ago

ShadowDumper – Advanced Techniques For LSASS Memory Extraction

Shadow Dumper is a powerful tool used to dump LSASS (Local Security Authority Subsystem Service)…

4 days ago

Shadow-rs : Harnessing Rust’s Power For Kernel-Level Security Research

shadow-rs is a Windows kernel rootkit written in Rust, demonstrating advanced techniques for kernel manipulation…

2 weeks ago

ExecutePeFromPngViaLNK – Advanced Execution Of Embedded PE Files via PNG And LNK

Extract and execute a PE embedded within a PNG file using an LNK file. The…

3 weeks ago