From d274bf17002723288e3f592cfd1f751a4ff0df1d Mon Sep 17 00:00:00 2001 From: terceranexus6 Date: Thu, 1 Jun 2023 14:18:14 +0200 Subject: [PATCH] added logics so to know which bundle shall be created depending on the options chosen --- bulk_conversion/hash_bundle_creator.py | 270 ++++++++++++++++--------- 1 file changed, 178 insertions(+), 92 deletions(-) diff --git a/bulk_conversion/hash_bundle_creator.py b/bulk_conversion/hash_bundle_creator.py index 40152b0..d85e785 100644 --- a/bulk_conversion/hash_bundle_creator.py +++ b/bulk_conversion/hash_bundle_creator.py @@ -5,6 +5,14 @@ from stix2 import Bundle from stix2 import Identity import copy +# functions + +def menu(): + print("Choose an option: ") + print("A - Enter SHA1\nB - Enter SHA256\nC - Finish") + + + # creating identity for the bundle 
@@ -27,148 +35,226 @@ malware = Malware(name=mal_name, description=mal_des, is_family=True) -# getting the file with SHA1 hashes -myfile = input("file with SHA1: ") -file1 = open(myfile, 'r') -content = file1.readlines() - -count = 0 +menu() +option = input("Choose your option: ") + +bundle_option = 1 + + +while option != "C": + + # cleaning + num_lines=0 + j=0 + if option == "A": + # fix TODO: this is an emergency measure to save time + # choosing the bundle generation, this will make bundle option + # odd always + bundle_option = bundle_option + 2 + trick = bundle_option%2 + if trick == 0: + bundle_option = bundle_option + 1 -in_name="file hash for " + mal_name + # getting the file with SHA1 hashes + myfile = input("file with SHA1: ") + file1 = open(myfile, 'r') + content = file1.readlines() + + count = 0 -print("Reading hashes for SHA1...") -print("SHA1: ") -# iterating the whole file, for each line it creates a temporary -# stix object with the sha1 hash and the malware family -# and saves an indicator object with the content. No need to create a -# list because the object is already stored as a permanent identifier during the session -# although a trash-temp-indicator is also stored. + in_name="file hash for " + mal_name -for line in content: + print("Reading hashes for SHA1...") - tmp_indicator = Indicator(name=in_name, - pattern="[file:hashes.sha1 = '"+ line.strip()+"']", - pattern_type="stix") - # print("TEMPORARY, DEBUG:") - # print(tmp_indicator.serialize(pretty=True)) + print("SHA1: ") - count = count + 1 + # iterating the whole file, for each line it creates a temporary + # stix object with the sha1 hash and the malware family + # and saves an indicator object with the content. No need to create a + # list because the object is already stored as a permanent identifier during the session + # although a trash-temp-indicator is also stored. 
- locals()["indicator_SHA1_" + str(count)] = copy.deepcopy(tmp_indicator) + for line in content: + tmp_indicator = Indicator(name=in_name, + pattern="[file:hashes.sha1 = '"+ line.strip()+"']", + pattern_type="stix") + # print("TEMPORARY, DEBUG:") + # print(tmp_indicator.serialize(pretty=True)) + count = count + 1 -print("no more lines to read") + locals()["indicator_SHA1_" + str(count)] = copy.deepcopy(tmp_indicator) -num_lines = sum(1 for _ in open(myfile)) -# This prints all the indicators for the SHA1 (commented) and creates -# a relationship for each one of them with the malware + print("no more lines to read") -for i in range(num_lines): - #print("The indicator SHA1 is:\n") - #print(locals()["indicator_SHA1_" + str(i+1)].serialize(pretty=True)) - # creating the relationship with the malware - locals()["relationship_SHA1_" + str(i+1)] = Relationship(relationship_type='indicates', - source_ref=locals()["indicator_SHA1_" + str(i+1)].id, - target_ref=malware.id) - #print("The relationship is:\n") - #print(locals()["relationship_SHA1_" + str(i+1)].serialize(pretty=True)) + num_lines = sum(1 for _ in open(myfile)) -print("DONE\n") + # This prints all the indicators for the SHA1 (commented) and creates + # a relationship for each one of them with the malware -# cleaning -num_lines=0 -j=0 + for i in range(num_lines): + #print("The indicator SHA1 is:\n") + #print(locals()["indicator_SHA1_" + str(i+1)].serialize(pretty=True)) -# getting the file with SHA256 hashes -myfile2 = input("file with SHA256: ") -file2 = open(myfile2, 'r') -content2 = file2.readlines() - -count = 0 + # creating the relationship with the malware + locals()["relationship_SHA1_" + str(i+1)] = Relationship(relationship_type='indicates', + source_ref=locals()["indicator_SHA1_" + str(i+1)].id, + target_ref=malware.id) + #print("The relationship is:\n") + #print(locals()["relationship_SHA1_" + str(i+1)].serialize(pretty=True)) + print("DONE\n") + menu() + option = input("Choose your option: ") 
-in_name="file hash SHA256 for " + mal_name + elif option == "B": + # this will make bindle option even always + bundle_option = bundle_option * 2 -print("Reading hashes for SHA256...") + # getting the file with SHA256 hashes + myfile2 = input("file with SHA256: ") + file2 = open(myfile2, 'r') + content2 = file2.readlines() + + count = 0 -print("SHA256: ") -# iterating the whole file, for each line it creates a temporary -# stix object with the sha1 hash and the malware family -# and saves an indicator object with the content. No need to create a -# list because the object is already stored as a permanent identifier during the session -# although a trash-temp-indicator is also stored. -for line2 in content2: + in_name="file hash SHA256 for " + mal_name - tmp_indicator = Indicator(name=in_name, - pattern="[file:hashes.sha256 = '"+ line2.strip()+"']", - pattern_type="stix") - # print("TEMPORARY, DEBUG:") - # print(tmp_indicator.serialize(pretty=True)) + print("Reading hashes for SHA256...") - count = count + 1 + print("SHA256: ") - locals()["indicator_SHA256_" + str(count)] = copy.deepcopy(tmp_indicator) + # iterating the whole file, for each line it creates a temporary + # stix object with the sha1 hash and the malware family + # and saves an indicator object with the content. No need to create a + # list because the object is already stored as a permanent identifier during the session + # although a trash-temp-indicator is also stored. 
+ for line2 in content2: + tmp_indicator = Indicator(name=in_name, + pattern="[file:hashes.sha256 = '"+ line2.strip()+"']", + pattern_type="stix") + # print("TEMPORARY, DEBUG:") + # print(tmp_indicator.serialize(pretty=True)) -print("no more lines to read") + count = count + 1 + locals()["indicator_SHA256_" + str(count)] = copy.deepcopy(tmp_indicator) -num_lines = sum(1 for _ in open(myfile)) -# This prints all the indicators for the SHA1 (commented) and creates -# a relationship for each one of them with the malware -for i in range(num_lines): - #print("The indicator SHA1 is:\n") - #print(locals()["indicator_SHA1_" + str(i+1)].serialize(pretty=True)) + print("no more lines to read") - # creating the relationship with the malware - locals()["relationship_SHA256_" + str(i+1)] = Relationship(relationship_type='indicates', - source_ref=locals()["indicator_SHA256_" + str(i+1)].id, - target_ref=malware.id) - #print("The relationship is:\n") - #print(locals()["relationship_SHA1_" + str(i+1)].serialize(pretty=True)) -print("DONE\n") + num_lines2 = sum(1 for _ in open(myfile2)) + + # This prints all the indicators for the SHA1 (commented) and creates + # a relationship for each one of them with the malware + + for i in range(num_lines2): + #print("The indicator SHA1 is:\n") + #print(locals()["indicator_SHA1_" + str(i+1)].serialize(pretty=True)) + + # creating the relationship with the malware + locals()["relationship_SHA256_" + str(i+1)] = Relationship(relationship_type='indicates', + source_ref=locals()["indicator_SHA256_" + str(i+1)].id, + target_ref=malware.id) + #print("The relationship is:\n") + #print(locals()["relationship_SHA1_" + str(i+1)].serialize(pretty=True)) + + print("DONE\n") + + menu() + option = input("Choose your option: ") print("creating the bundle...") -# create lists for the objects above -my_indicators_SHA1 = [] -my_relationships_SHA1 = [] -my_indicators_SHA256 = [] -my_relationships_SHA256 = [] -for j in range(num_lines): - 
my_indicators_SHA1.append(locals()["indicator_SHA1_" + str(j+1)]) - my_relationships_SHA1.append(locals()["relationship_SHA1_" + str(j+1)]) - my_indicators_SHA1.append(locals()["indicator_SHA256_" + str(j+1)]) - my_relationships_SHA1.append(locals()["relationship_SHA256_" + str(j+1)]) -# creating a bundle of objects: indicators, relationships, malware -my_bundle = Bundle(my_indicators_SHA1[:], my_relationships_SHA1[:], my_indicators_SHA256[:], my_relationships_SHA256[:], malware, my_identity) +# creating a bundle based on the options selected above + +final_trick=bundle_option%2 + +# debug +print("final_trick = " + str(final_trick)) +print("bundle_option = " + str(bundle_option)) + +DEBUG=input("DEBUG") + + +if final_trick == 1: + if bundle_option == 3: + my_indicators_SHA1 = [] + my_relationships_SHA1 = [] + for j in range(num_lines): + my_indicators_SHA1.append(locals()["indicator_SHA1_" + str(j+1)]) + my_relationships_SHA1.append(locals()["relationship_SHA1_" + str(j+1)]) + my_bundle = Bundle(my_indicators_SHA1[:], my_relationships_SHA1[:], malware, my_identity) + print(my_bundle.serialize(pretty=True)) + + else: + my_indicators_SHA1 = [] + my_relationships_SHA1 = [] + my_indicators_SHA256 = [] + my_relationships_SHA256 = [] + for j in range(num_lines): + my_indicators_SHA1.append(locals()["indicator_SHA1_" + str(j+1)]) + my_relationships_SHA1.append(locals()["relationship_SHA1_" + str(j+1)]) + for j in range(num_lines2): + my_indicators_SHA256.append(locals()["indicator_SHA256_" + str(j+1)]) + my_relationships_SHA256.append(locals()["relationship_SHA256_" + str(j+1)]) + my_bundle = Bundle(my_indicators_SHA1[:], my_relationships_SHA1[:], my_indicators_SHA256[:], my_relationships_SHA256[:], malware, my_identity) + print(my_bundle.serialize(pretty=True)) + + + +elif final_trick == 0: + if bundle_option == 2: + my_indicators_SHA256 = [] + my_relationships_SHA256 = [] + for j in range(num_lines2): + my_indicators_SHA256.append(locals()["indicator_SHA256_" + 
str(j+1)]) + my_relationships_SHA256.append(locals()["relationship_SHA256_" + str(j+1)]) + + my_bundle = Bundle(my_indicators_SHA256[:], my_relationships_SHA256[:], malware, my_identity) + print(my_bundle.serialize(pretty=True)) + else: + my_indicators_SHA1 = [] + my_relationships_SHA1 = [] + my_indicators_SHA256 = [] + my_relationships_SHA256 = [] + for j in range(num_lines): + my_indicators_SHA1.append(locals()["indicator_SHA1_" + str(j+1)]) + my_relationships_SHA1.append(locals()["relationship_SHA1_" + str(j+1)]) + for j in range(num_lines2): + my_indicators_SHA256.append(locals()["indicator_SHA256_" + str(j+1)]) + my_relationships_SHA256.append(locals()["relationship_SHA256_" + str(j+1)]) + + my_bundle = Bundle(my_indicators_SHA1[:], my_relationships_SHA1[:], my_indicators_SHA256[:], my_relationships_SHA256[:], malware, my_identity) + print(my_bundle.serialize(pretty=True)) + +else: + print("ERROR: No hash was detected to be chosen. Exiting without creating the bundle...") #print("Bundle:") -print("\nDone!") -print(my_bundle.serialize(pretty=True)) +print("\nBye bye!") + output_f = mal_name + "_Bundle.json" f_o = open(output_f, "x") print("\nWriting the contents into " + output_f + " ...") -f_o.write(my_bundle.serialize(pretty=True)) - -print("\nDone! enjoy") \ No newline at end of file +f_o.write(my_bundle.serialize(pretty=True)) \ No newline at end of file -- 2.45.2
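Review bot: The "nothing chosen" path still crashes in the new bundle-selection block: answering `C` straight away leaves `bundle_option` at 1, so `final_trick == 1` takes its inner `else` and reads `num_lines`, which is only ever assigned inside the `while` body (NameError), while the trailing `else: print("ERROR: No hash was detected ...")` can never run because `bundle_option%2` is always 0 or 1, and the unconditional `f_o.write(my_bundle.serialize(pretty=True))` at the bottom would raise on the missing `my_bundle` anyway. Initialising `num_lines = 0` and `num_lines2 = 0` next to `bundle_option = 1`, treating `bundle_option == 1` as the no-input case, and writing the file only where `my_bundle` was actually built closes those holes; note that a second `A` or `B` choice pushes `bundle_option` to 5 or 4 and lands in the "both" branch even though only one hash type was loaded. The leftover `DEBUG=input("DEBUG")` stalls every run and should be removed. Each hash line is spliced into the STIX pattern unvalidated — `pattern="[file:hashes.sha1 = '"+ line.strip()+"']"` — so a blank or malformed line yields an empty or invalid indicator; checking the stripped line against a hex pattern (40 hex digits for SHA1, 64 for SHA256, e.g. `re.fullmatch(r"[0-9a-fA-F]{40}", h)` with `re` imported) and skipping non-matching lines with a message keeps the bundle clean. `num_lines` can also simply be `len(content)` instead of reopening `myfile`, which like `file1`/`file2` is never closed.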