Software, such as malware, may be classified using phylogenetic techniques. An evolutionary history of a representative set of software programs may be reconstructed to generate a reference phylogeny. Dynamic traces of the representative software programs may be obtained. The dynamic traces may include time-ordered sequences of execution commands extracted from running software binaries. Metrics may be developed using the dynamic traces. One or more unknown software programs may then be classified against the reference phylogeny using the metrics developed using the dynamic traces of the representative set of software programs.