
Munin Configuration Guide

What is Munin

Munin is an online hash checker utility that retrieves valuable information from various online sources.

The current version of Munin queries the following services:

  • Virustotal

  • Malshare

  • HybridAnalysis

Note: Munin is based on the script "VT-Checker", which has been maintained in the LOKI repository

Features:-

  • MODE A: Extracts hashes from any text file based on regular expressions

  • MODE B: Walks sample directory and checks hashes online

  • Retrieves valuable information from Virustotal via API (JSON response) and other information via permalink (HTML parsing)

  • Keeps a history (cache) to query the services only once for a hash that may appear multiple times in the text file

  • Creates CSV file with the findings for easy post-processing and reporting

  • Appends results to a previous CSV if available

Usage:-

    usage: munin.py [-h] [-f path] [-c cache-db] [-i ini-file] [-s sample-folder]
                    [--nocache] [--nocsv] [--debug]

    Online Hash Checker

    optional arguments:
      -h, --help        show this help message and exit
      -f path           File to process (hash line by line OR csv with hash in
                        each line - auto-detects position and comment)
      -c cache-db       Name of the cache database file (default: vt-hash-db.pkl)
      -i ini-file       Name of the ini file that holds the API keys
      -s sample-folder  Folder with samples to process
      --nocache         Do not use cache database file
      --nocsv           Do not write a CSV with the results
      --debug           Debug output

Displays

  • Hash and comment (comment is the rest of the line of which the hash has been extracted)

  • AV vendor matches based on a user defined list

  • Filenames used in the wild

  • PE information like the description, the original file name and the copyright statement

  • Signer of a signed portable executable

  • Result based on Virustotal ratio

  • First and last submission

  • Tags for certain indicators: Harmless, Signed, Expired, Revoked, MSSoftware
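The MODE A extraction and the history (cache) listed under Features, together with the "hash and comment" display above, can be sketched as follows. This is an added example, not Munin's own code: the regular expression, the function names, the in-memory dict cache and the offline stand-in for the online query are all assumptions made for illustration.

```python
import re

# Runs of exactly 32 (MD5), 40 (SHA1) or 64 (SHA256) hex characters. The
# lookarounds keep a longer hex string from being cut down to a "hash".
HASH_RE = re.compile(
    r"(?<![0-9a-fA-F])([0-9a-fA-F]{64}|[0-9a-fA-F]{40}|[0-9a-fA-F]{32})(?![0-9a-fA-F])"
)
HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}

# Constructed sample input: digests of the empty input plus one decoy line.
SAMPLE_LINES = [
    "d41d8cd98f00b204e9800998ecf8427e;md5 of empty input",
    "sample.bin,DA39A3EE5E6B4B0D3255BFEF95601890AFD80709",
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 sha256 of empty input",
    "seen again: d41d8cd98f00b204e9800998ecf8427e",
    "not a hash: " + "a" * 50,
]


def extract_hashes(lines):
    """Return (hash, type, comment); the comment is the rest of the line."""
    found = []
    for line in lines:
        line = line.strip()
        for m in HASH_RE.finditer(line):
            value = m.group(1).lower()
            rest = (line[:m.start()] + " " + line[m.end():]).strip(" \t,;")
            found.append((value, HASH_TYPES[len(value)], rest))
    return found


def lookup_all(entries, query, cache=None):
    """Call query(hash) once per distinct hash; repeats come from the cache."""
    cache = {} if cache is None else cache
    results = []
    for value, _kind, comment in entries:
        if value not in cache:
            cache[value] = query(value)  # the only place a service is contacted
        results.append((value, comment, cache[value]))
    return results


if __name__ == "__main__":
    # Hypothetical stand-in for an online lookup, so the example runs offline.
    def offline_query(value):
        return "queried " + value[:8]

    for row in lookup_all(extract_hashes(SAMPLE_LINES), offline_query):
        print(row)
```

The repeated MD5 on the fourth sample line is answered from the cache, so the query function runs three times for four extracted hashes, and the 50-character hex run is not mistaken for a hash.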

Extra Checks

  • Queries Malshare.com for sample uploads

  • Queries Hybrid-Analysis.com for present analysis

  • Imphash duplicates in current batch > allows you to spot overlaps in import table hashes

Get the API Keys used by Munin

Virustotal

  • Create an account here https://www.virustotal.com/#/join-us

  • Check Profile > My API key for your public API key

Malshare

  • Register here https://malshare.com/register.php

Hybrid Analysis

  • Create an account here https://www.hybrid-analysis.com/signup

  • After login, check Profile > API key

Getting started

System Requirement

  • Install 64-bit Ubuntu 16.04

  • RAM 2 GB

Install the required packages in your Ubuntu System

Follow the process below to install the required packages on your Ubuntu system.

Update & Upgrade Ubuntu

Command: sudo apt-get update && sudo apt-get -y upgrade

Figure 1: sudo apt-get update && sudo apt-get -y upgrade

Install git on your Ubuntu machine to clone Munin from GitHub

Command: sudo apt-get install git

Figure 2: sudo apt-get install git

Install Pip on Ubuntu 16.04

Command: sudo apt-get install python-pip

Figure 3: sudo apt-get install python-pip

Install vim editor

This step is optional: if you prefer another editor such as “nano”, there is no need to install “vim”.

Command: apt-get install vim

Figure 4: apt-get install vim

From here on, we configure “munin”.

Download / clone the repo

Command: git clone https://github.com/Neo23x0/munin.git

Figure 5: git clone https://github.com/Neo23x0/munin.git

Install missing packages: pip install requests bs4 colorama pickle configparser future selenium

Munin has dependencies, so install them before configuring it.

Error: when you try to install all the packages in a single command, the “pickle” package fails with an error.

To resolve the issue, we install each package separately.

Figure 6: error installing pickle package

After looking at the error, we found an issue with the package versions,

so we upgraded pip.

Command: pip install --upgrade pip

Figure 7: pip install --upgrade pip

Check pip version.

Command: pip -V

Figure 8: pip -V

Install bs4/beautifulsoup4, requests, colorama packages

Command:

  • pip install beautifulsoup4

  • pip install requests

  • pip install colorama

Figure 9: Install bs4/beautifulsoup4, requests, colorama packages

We checked the pip version and the Python version, and imported the cPickle package,

as “pickle” is a default package installed with Python 2.7.

Figure 10: import cPickle

Install configparser, future, selenium packages

Command:

  • pip install configparser

  • pip install future

  • pip install selenium

Figure 11: Install configparser, future, selenium packages

After that, install the pickle package using the command below.

Command: pip install pickle-mixin

Figure 12: pip install pickle-mixin

Set the API key for the different services in the munin.ini file

For the API keys, refer to the section “Get the API Keys used by Munin”.

Command: vim munin.ini

Then enter the API keys into the munin.ini file.

Figure 13: copy API keys into munin.ini file

Now let’s look at the sample hash file.

The demo file “munin-demo.txt” ships with Munin; you can view it with the command: “cat munin-demo.txt”

Figure 14: cat munin-demo.txt

Use the demo file for a first run: python munin.py -f munin-demo.txt --nocache

Now test Munin using the command below.

Command: python munin.py -f munin-demo.txt --nocache

Figure 15: python munin.py -f munin-demo.txt --nocache

Figure 16: munin result

Figure 17: munin result

Figure 18: munin result

 