MalPull 1.4-stable release

MalPull is designed to download malware samples in bulk using a minimal amount of API calls from services that limit requests. Version 1.4-stable shakes things up, as the command-line interface is changed, a new service is added, dependencies are added, and other minor improvements are included.

The program’s source code and precompiled Java Archive can be found on GitHub. The latest release is also available on GitHub.

Table of contents

A new CLI

The original command-line interface required four arguments, namely the amount of threads to simultaneously use, the location of the keys.txt file, the file with the hashes in them, and the output folder. An example can be seen below.

java -jar /path/to/MalPull.jar 6 ~/Downloads/malpull_test/keys.txt ~/Downloads/malpull_test/hashes.txt ~/Downloads/malpull_test/output/

The new command-line interface is easier to use, as it limits the arguments to those that vary per use: the (relative) destination folder and the hash(es) of the sample(s) to download. An example is given below.

java -jar /path/to/MalPull.jar /sample/destination/ hash1 hash2 hashN

The keys.txt file needs to be in the same folder as MalPull’s JAR. There is no need for a hashes.txt file anymore.

Note that the new command-line interface is especially usefully when MalPull is directly accessed from the terminal, be it via a path variable or an alias.

The amount of threads to simultaneously use is now set in the keys.txt file using threads=N where N is a valid integer. The value is checked when starting MalPull.

This change is only affecting the default command-line interface, which is included in the source code and the pre-built Java archives on GitHub. The modular architecture of the program remains unaffected, meaning that custom command-line interfaces, or implementations within other tools when using MalPull as a library, are not affected by this change. More information on the modular architecture can be found in version 1.3-stable’s release notes.

A new service

VirusShare is a public repository with malware samples. Requesting an account and generating an API key is required in order to use this service. Using the API is possible, with a maximum of 4 requests per minute, for every minute of the day. To use the service, simply include virusshare=N in the keys.txt file where N is the VirusShare API key.

Note that issuing more than 4 requests per minute to this service, will result in MalPull assuming the sample is not on VirusShare, as it receives an invalid response based on the imposed rate limit. For individual uses, this is not a problem, although it might be in automated use cases.

Introducing dependencies

The connections towards Triage, MalShare, and Malware Bazaar are now done via their Java API client libraries, which I have published over time. Note that all of these libraries are completely open-source. Make sure to install these, as explained on the Maven website. The excerpt below, taken from the linked Maven website, shows how to install the libraries on your system, which needs to be done prior to building MalPull!

mvn install:install-file -Dfile=<path-to-file> -DpomFile=<path-to-pomfile>

Not doing this will lead to build failure errors!

Minor updates

This release contains other minor updates, none of which warrant their own heading, but the improvements shouldn’t be left out of the release notes.

The VirusTotal downloads are now done via the APIv3, rather than APIv2. Both are functioning, but the APIv3 is maintained, in contrast to the APIv2.

Some of the functions were missing documentation, or the documentation contained grammatical errors. These have now been fixed.

The keys.txt file can now contain blank lines, as these are filtered upon reading the file. There was a more error prone filtering system in-place before.

The used platforms are now shown during runtime, prior to downloading the samples.

The Zip4j dependency’s version has been updated to version 11.2.0, which has been released on the 12th of September 2022 and is the latest version at the time of this release.


To contact me, you can e-mail me at [info][at][maxkersten][dot][nl], send me a PM on Reddit, or DM me on Twitter @Libranalysis.