
Munin Configuration Guide

  • Priyanka Ukey
  • Feb 14, 2018
  • 3 min read

What is Munin

Munin is an online hash checker utility that retrieves valuable information from various online sources.

The current version of Munin queries the following services:

  • Virustotal

  • Malshare

  • HybridAnalysis

Note: Munin is based on the script "VT-Checker", which has been maintained in the LOKI repository

Features:-

  • MODE A: Extracts hashes from any text file based on regular expressions

  • MODE B: Walks sample directory and checks hashes online

  • Retrieves valuable information from Virustotal via API (JSON response) and other information via permalink (HTML parsing)

  • Keeps a history (cache) to query the services only once for a hash that may appear multiple times in the text file

  • Creates CSV file with the findings for easy post-processing and reporting

  • Appends results to a previous CSV if available
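The following sketch illustrates what MODE A and the history cache describe: pulling MD5, SHA-1 and SHA-256 values out of free text with a regular expression, keeping the rest of the line as the comment, and handling each hash only once. It is an added example, not Munin's own code; `HASH_RE`, `HASH_TYPES` and `extract_hashes` are hypothetical names, and the sample input is constructed.

```python
import re

# Hex runs of exactly 64/40/32 characters. The lookarounds stop a SHA-256
# from also matching as an MD5 or SHA-1 substring.
HASH_RE = re.compile(
    r"(?<![0-9a-fA-F])([0-9a-fA-F]{64}|[0-9a-fA-F]{40}|[0-9a-fA-F]{32})(?![0-9a-fA-F])"
)
HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}


def extract_hashes(text):
    """Return one (hash, type, comment) tuple per unique hash, in file order."""
    seen = set()  # stands in for the cache: each hash is handled only once
    results = []
    for line in text.splitlines():
        for match in HASH_RE.finditer(line):
            value = match.group(1).lower()
            if value in seen:
                continue
            seen.add(value)
            # Comment = the rest of the line with the hash itself cut out
            rest = line[:match.start()] + line[match.end():]
            comment = " ".join(rest.split()).strip(" ;,:-#")
            results.append((value, HASH_TYPES[len(value)], comment))
    return results


# Constructed sample input; the values are the hashes of the empty string.
SAMPLE = """\
# IOC list (constructed)
d41d8cd98f00b204e9800998ecf8427e ; dropper stage 1
da39a3ee5e6b4b0d3255bfef95601890afd80709,loader.dll
report mentions E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855 in section 2
D41D8CD98F00B204E9800998ECF8427E duplicate in upper case
not-a-hash: deadbeef
"""

if __name__ == "__main__":
    for value, kind, comment in extract_hashes(SAMPLE):
        print(kind, value, "|", comment)
```
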

Usage:-

usage: munin.py [-h] [-f path] [-c cache-db] [-i ini-file] [-s sample-folder]
                [--nocache] [--nocsv] [--debug]

Online Hash Checker

optional arguments:
  -h, --help        show this help message and exit
  -f path           File to process (hash line by line OR csv with hash in
                    each line - auto-detects position and comment)
  -c cache-db       Name of the cache database file (default: vt-hash-db.pkl)
  -i ini-file       Name of the ini file that holds the API keys
  -s sample-folder  Folder with samples to process
  --nocache         Do not use cache database file
  --nocsv           Do not write a CSV with the results
  --debug           Debug output

Displays

  • Hash and comment (comment is the rest of the line of which the hash has been extracted)

  • AV vendor matches based on a user defined list

  • Filenames used in the wild

  • PE information like the description, the original file name and the copyright statement

  • Signer of a signed portable executable

  • Result based on Virustotal ratio

  • First and last submission

  • Tags for certain indicators: Harmless, Signed, Expired, Revoked, MSSoftware

Extra Checks

  • Queries Malshare.com for sample uploads

  • Queries Hybrid-Analysis.com for present analysis

  • Imphash duplicates in current batch > allows you to spot overlaps in import table hashes

Get the API Keys used by Munin

Virustotal

  • Create an account here https://www.virustotal.com/#/join-us

  • Check Profile > My API key for your public API key

Malshare

  • Register here https://malshare.com/register.php

Hybrid Analysis

  • Create an account here https://www.hybrid-analysis.com/signup

  • After login, check Profile > API key

Getting started

System Requirement

  • Install 64-bit Ubuntu 16.04

  • RAM 2 GB

Install the required packages on your Ubuntu system

Follow the steps below to install the required packages on your Ubuntu system.

Update & Upgrade Ubuntu

Command: sudo apt-get update && sudo apt-get -y upgrade

Figure 1: sudo apt-get update && sudo apt-get -y upgrade

Install git on your Ubuntu machine so that you can clone Munin from GitHub

Command: sudo apt-get install git

Figure 2: sudo apt-get install git

Install Pip on Ubuntu 16.04

Command: sudo apt-get install python-pip

Figure 3: sudo apt-get install python-pip

Install vim editor

This step is optional: if you want to use another editor such as “nano”, there is no need to install “vim”.

Command: apt-get install vim

Figure 4: apt-get install vim

From here on, we start the configuration of “munin”.

Download / clone the repo

Command: git clone https://github.com/Neo23x0/munin.git

Figure 5: git clone https://github.com/Neo23x0/munin.git

Install missing packages

Munin has dependencies, so we need to install them before configuring it.

Command: pip install requests bs4 colorama pickle configparser future selenium

Error: When you try to install all the packages in a single command, you get an error on the “pickle” package.

To resolve the issue, we will install each package separately.

Figure 6: error installing pickle package

After looking at the error, we found that there is an issue with the version of the packages, so we upgraded pip.

Command: pip install --upgrade pip

Figure 7: pip install --upgrade pip

Check pip version.

Command: pip -V

Figure 8: pip -V

Install bs4/beautifulsoup4, requests, colorama packages

Command:

  • pip install beautifulsoup4

  • pip install requests

  • pip install colorama

Figure 9: Install bs4/beautifulsoup4, requests, colorama packages

We checked the pip version and the Python version and imported the cPickle package, as “pickle” is installed by default with Python 2.7.

Figure 10: import cPickle

Install configparser, future, selenium packages

Command:

  • pip install configparser

  • pip install future

  • pip install selenium

Figure 11: Install configparser, future, selenium packages

After that, install the pickle package using the command below.

Command: pip install pickle-mixin

Figure 12: pip install pickle-mixin

Set the API key for the different services in the munin.ini file

For the API keys, refer to the section “Get the API Keys used by Munin”.

Command: vim munin.ini

Enter the API keys into the munin.ini file.

Figure 13: copy API keys into munin.ini file

Now let’s look at the sample hash file.

The Munin repository contains a demo file, “munin-demo.txt”. You can view it with the command: “cat munin-demo.txt”

Figure 14: cat munin-demo.txt

Use the demo file for a first run of Munin.

Command: python munin.py -f munin-demo.txt --nocache

Figure 15: python munin.py -f munin-demo.txt --nocache

Figure 16: munin result

Figure 17: munin result

Figure 18: munin result
