R bulk_conversion/SHA1_indicator_maker.py => bulk_conversion/v.1.1/SHA1_indicator_maker.py +0 -0
R bulk_conversion/campaña.py => bulk_conversion/v.1.1/campaña.py +0 -0
R bulk_conversion/hash_bundle_creator.py => bulk_conversion/v.1.1/hash_bundle_creator.py +0 -0
R bulk_conversion/revisado.py => bulk_conversion/v.1.1/revisado.py +0 -0
A bulk_conversion/v.1.2/hashes.py => bulk_conversion/v.1.2/hashes.py +350 -0
@@ 0,0 1,350 @@
+from stix2 import Indicator
+from stix2 import Malware
+from stix2 import Relationship
+from stix2 import Bundle
+from stix2 import Identity
+import copy
+
+# functions
+
+def menu():
+ print("Choose an option: ")
+ print("A - Enter SHA1\nB - Enter SHA256\nC - Enter SHA1 and SHA256\nD - Cancel")
+
+def printin_bundle(mal_name, my_bundle):
+ output_f = mal_name + "_Bundle.json"
+ f_o = open(output_f, "x")
+
+ print("\nWriting the contents into " + output_f + " ...")
+
+ f_o.write(my_bundle.serialize(pretty=True))
+
+
+
+
+# creating identity for the bundle
+
+myname = input("Name of author: ")
+i_class = input("Class (organization/individual): ")
+
+# this is custom and will onl be available with the latest version of stix :( :
+#dep = input("Department (default is Threat Hunting): ")
+
+# Creating the identity object default
+
+
+my_identity = Identity(name = myname,
+ identity_class = i_class)
+# reading malware from user prompt
+
+mal_name = input("Malware name: ")
+mal_des = input("Malware description: ")
+mal_type = input("Malware type (f.e.: ransomware, trojan, backdoor...) write none if various types are considered: ")
+
+if mal_type == "none":
+ malware = Malware(name=mal_name,
+ description=mal_des,
+ is_family=False)
+else:
+ malware = Malware(name=mal_name,
+ description=mal_des,
+ malware_types=[mal_type],
+ #kill_chain_phases=[{
+ # "kill_chain_name": "testing",
+ # "phase_name": "Delivery"}],
+ is_family=False)
+
+typer = input("Relationship type between the malware and the hashes (uses, consists-of, indicates, analysis_of, controls, derived-from, mitigates, delivers): ")
+
+menu()
+option = input("Choose your option: ")
+
+
+############################################################################################################################
+
+if option == "A":
+
+ myfile = input("file with SHA1: ")
+ file1 = open(myfile, 'r')
+ content = file1.readlines()
+
+ count = 0
+
+
+
+ in_name="file hash for " + mal_name
+
+ print("Reading hashes for SHA1...")
+
+ print("SHA1: ")
+
+ # iterating the whole file, for each line it creates a temporary
+ # stix object with the sha1 hash and the malware family
+ # and saves an indicator object with the content. No need to create a
+ # list because the object is already stored as a permanent identifier during the session
+ # although a trash-temp-indicator is also stored.
+
+ for line in content:
+
+ tmp_indicator = Indicator(name=in_name,
+ pattern="[file:hashes.sha1 = '"+ line.strip()+"']",
+ pattern_type="stix")
+ # print("TEMPORARY, DEBUG:")
+ # print(tmp_indicator.serialize(pretty=True))
+
+ count = count + 1
+
+ locals()["indicator_SHA1_" + str(count)] = copy.deepcopy(tmp_indicator)
+
+
+
+ print("no more lines to read")
+
+
+ num_lines = sum(1 for _ in open(myfile))
+
+ # This prints all the indicators for the SHA1 (commented) and creates
+ # a relationship for each one of them with the malware
+
+ for i in range(num_lines):
+ #print("The indicator SHA1 is:\n")
+ #print(locals()["indicator_SHA1_" + str(i+1)].serialize(pretty=True))
+
+ # creating the relationship with the malware
+ locals()["relationship_SHA1_" + str(i+1)] = Relationship(relationship_type=typer,
+ source_ref=locals()["indicator_SHA1_" + str(i+1)].id,
+ target_ref=malware.id)
+ #print("The relationship is:\n")
+ #print(locals()["relationship_SHA1_" + str(i+1)].serialize(pretty=True))
+
+ print("Making the bundle...\n")
+
+ my_indicators_SHA1 = []
+ my_relationships_SHA1 = []
+ for j in range(num_lines):
+ my_indicators_SHA1.append(locals()["indicator_SHA1_" + str(j+1)])
+ my_relationships_SHA1.append(locals()["relationship_SHA1_" + str(j+1)])
+
+ my_bundle = Bundle(my_indicators_SHA1[:], my_relationships_SHA1[:], malware, my_identity)
+ print(my_bundle.serialize(pretty=True))
+ output_f = mal_name + "_SHA1_Bundle.json"
+ f_o = open(output_f, "x")
+
+ print("\nWriting the contents into " + output_f + " ...")
+
+ f_o.write(my_bundle.serialize(pretty=True))
+
+####################################################################################################################################
+
+elif option == "B":
+
+ # getting the file with SHA256 hashes
+ myfile2 = input("file with SHA256: ")
+ file2 = open(myfile2, 'r')
+ content2 = file2.readlines()
+
+ count = 0
+
+
+
+ in_name="file hash SHA256 for " + mal_name
+
+ print("Reading hashes for SHA256...")
+ print("SHA256: ")
+
+ # iterating the whole file, for each line it creates a temporary
+ # stix object with the sha1 hash and the malware family
+ # and saves an indicator object with the content. No need to create a
+ # list because the object is already stored as a permanent identifier during the session
+ # although a trash-temp-indicator is also stored.
+
+ for line2 in content2:
+
+ tmp_indicator = Indicator(name=in_name,
+ pattern="[file:hashes.sha256 = '"+ line2.strip()+"']",
+ pattern_type="stix")
+ # print("TEMPORARY, DEBUG:")
+ # print(tmp_indicator.serialize(pretty=True))
+
+ count = count + 1
+
+ locals()["indicator_SHA256_" + str(count)] = copy.deepcopy(tmp_indicator)
+
+
+
+ print("no more lines to read")
+
+
+ num_lines2 = sum(1 for _ in open(myfile2))
+
+ # This prints all the indicators for the SHA1 (commented) and creates
+ # a relationship for each one of them with the malware
+
+ for i in range(num_lines2):
+ #print("The indicator SHA1 is:\n")
+ #print(locals()["indicator_SHA1_" + str(i+1)].serialize(pretty=True))
+
+ # creating the relationship with the malware
+ locals()["relationship_SHA256_" + str(i+1)] = Relationship(relationship_type=typer,
+ source_ref=locals()["indicator_SHA256_" + str(i+1)].id,
+ target_ref=malware.id)
+ #print("The relationship is:\n")
+ #print(locals()["relationship_SHA1_" + str(i+1)].serialize(pretty=True))
+
+ print("Making the bundle...\n")
+
+ my_indicators_SHA256 = []
+ my_relationships_SHA256 = []
+ for j in range(num_lines2):
+ my_indicators_SHA256.append(locals()["indicator_SHA256_" + str(j+1)])
+ my_relationships_SHA256.append(locals()["relationship_SHA256_" + str(j+1)])
+
+ my_bundle = Bundle(my_indicators_SHA256[:], my_relationships_SHA256[:], malware, my_identity)
+ print(my_bundle.serialize(pretty=True))
+ output_f = mal_name + "_SHA256_Bundle.json"
+ f_o = open(output_f, "x")
+
+ print("\nWriting the contents into " + output_f + " ...")
+
+ f_o.write(my_bundle.serialize(pretty=True))
+
+#################################################################################################################################
+
+elif option == "C":
+
+ myfile = input("file with SHA1: ")
+ file1 = open(myfile, 'r')
+ content = file1.readlines()
+
+ count = 0
+
+
+
+ in_name="file hash for " + mal_name
+
+ print("Reading hashes for SHA1...")
+
+ # iterating the whole file, for each line it creates a temporary
+ # stix object with the sha1 hash and the malware family
+ # and saves an indicator object with the content. No need to create a
+ # list because the object is already stored as a permanent identifier during the session
+ # although a trash-temp-indicator is also stored.
+
+ for line in content:
+
+ tmp_indicator = Indicator(name=in_name,
+ pattern="[file:hashes.sha1 = '"+ line.strip()+"']",
+ pattern_type="stix")
+ # print("TEMPORARY, DEBUG:")
+ # print(tmp_indicator.serialize(pretty=True))
+
+ count = count + 1
+
+ locals()["indicator_SHA1_" + str(count)] = copy.deepcopy(tmp_indicator)
+
+
+
+ print("no more lines to read in " + myfile)
+ num_lines = sum(1 for _ in open(myfile))
+
+ # This prints all the indicators for the SHA1 (commented) and creates
+ # a relationship for each one of them with the malware
+
+ for i in range(num_lines):
+ #print("The indicator SHA1 is:\n")
+ #print(locals()["indicator_SHA1_" + str(i+1)].serialize(pretty=True))
+
+ # creating the relationship with the malware
+ locals()["relationship_SHA1_" + str(i+1)] = Relationship(relationship_type=typer,
+ source_ref=locals()["indicator_SHA1_" + str(i+1)].id,
+ target_ref=malware.id)
+ #print("The relationship is:\n")
+ #print(locals()["relationship_SHA1_" + str(i+1)].serialize(pretty=True))
+
+
+ # getting the file with SHA256 hashes
+ myfile2 = input("file with SHA256: ")
+ file2 = open(myfile2, 'r')
+ content2 = file2.readlines()
+
+ count = 0
+
+
+
+ in_name="file hash SHA256 for " + mal_name
+
+ print("Reading hashes for SHA256...")
+
+ # iterating the whole file, for each line it creates a temporary
+ # stix object with the sha1 hash and the malware family
+ # and saves an indicator object with the content. No need to create a
+ # list because the object is already stored as a permanent identifier during the session
+ # although a trash-temp-indicator is also stored.
+
+ for line2 in content2:
+
+ tmp_indicator = Indicator(name=in_name,
+ pattern="[file:hashes.sha256 = '"+ line2.strip()+"']",
+ pattern_type="stix")
+ # print("TEMPORARY, DEBUG:")
+ # print(tmp_indicator.serialize(pretty=True))
+
+ count = count + 1
+
+ locals()["indicator_SHA256_" + str(count)] = copy.deepcopy(tmp_indicator)
+
+ print("no more lines to read in " + myfile2)
+ num_lines2 = sum(1 for _ in open(myfile2))
+
+ # This prints all the indicators for the SHA1 (commented) and creates
+ # a relationship for each one of them with the malware
+
+ for i in range(num_lines2):
+ #print("The indicator SHA1 is:\n")
+ #print(locals()["indicator_SHA1_" + str(i+1)].serialize(pretty=True))
+
+ # creating the relationship with the malware
+ locals()["relationship_SHA256_" + str(i+1)] = Relationship(relationship_type=typer,
+ source_ref=locals()["indicator_SHA256_" + str(i+1)].id,
+ target_ref=malware.id)
+ #print("The relationship is:\n")
+ #print(locals()["relationship_SHA1_" + str(i+1)].serialize(pretty=True))
+
+ print("Making the bundle...\n")
+
+ my_indicators_SHA256 = []
+ my_relationships_SHA256 = []
+
+ j = 0
+
+ for j in range(num_lines2):
+ my_indicators_SHA256.append(locals()["indicator_SHA256_" + str(j+1)])
+ my_relationships_SHA256.append(locals()["relationship_SHA256_" + str(j+1)])
+
+ my_indicators_SHA1 = []
+ my_relationships_SHA1 = []
+
+ j = 0
+
+ for j in range(num_lines):
+ my_indicators_SHA1.append(locals()["indicator_SHA1_" + str(j+1)])
+ my_relationships_SHA1.append(locals()["relationship_SHA1_" + str(j+1)])
+
+ my_bundle = Bundle(my_indicators_SHA256[:], my_relationships_SHA256[:],my_indicators_SHA1[:], my_relationships_SHA1[:], malware, my_identity)
+ print(my_bundle.serialize(pretty=True))
+ output_f = mal_name + "_SHA1_SHA256_Bundle.json"
+ f_o = open(output_f, "x")
+
+ print("\nWriting the contents into " + output_f + " ...")
+
+ f_o.write(my_bundle.serialize(pretty=True))
+
+
+#print("Bundle:")
+print("\nBye bye!")
+
+
+
+
+
+
A bulk_conversion/v.1.2/networ_ioc.py => bulk_conversion/v.1.2/networ_ioc.py +346 -0
@@ 0,0 1,346 @@
+from stix2 import Indicator
+from stix2 import Malware
+from stix2 import Relationship
+from stix2 import Bundle
+from stix2 import Identity
+import copy
+
+# functions
+
+def menu():
+ print("Choose an option: ")
+ print("A - Enter URL\nB - Enter IP\nC - Enter URL and IP\nD - Cancel")
+
+def printin_bundle(mal_name, my_bundle):
+ output_f = mal_name + "_Bundle.json"
+ f_o = open(output_f, "x")
+
+ print("\nWriting the contents into " + output_f + " ...")
+
+ f_o.write(my_bundle.serialize(pretty=True))
+
+
+
+# creating identity for the bundle
+
+myname = input("Name of author: ")
+i_class = input("Class (organization/individual): ")
+
+# this is custom and will onl be available with the latest version of stix :( :
+#dep = input("Department (default is Threat Hunting): ")
+
+# Creating the identity object default
+
+
+my_identity = Identity(name = myname,
+ identity_class = i_class)
+# reading malware from user prompt
+
+mal_name = input("Malware name: ")
+mal_des = input("Malware description: ")
+mal_type = input("Malware type (f.e.: ransomware, trojan, backdoor...) write none if various types are considered: ")
+
+if mal_type == "none":
+ malware = Malware(name=mal_name,
+ description=mal_des,
+ is_family=False)
+else:
+ malware = Malware(name=mal_name,
+ description=mal_des,
+ malware_types=[mal_type],
+ #kill_chain_phases=[{
+ # "kill_chain_name": "testing",
+ # "phase_name": "Delivery"}],
+ is_family=False)
+
+typer = input("Relationship type between the malware and the hashes (uses, consists-of, indicates, analysis_of, controls, derived-from, mitigates, delivers): ")
+
+menu()
+option = input("Choose your option: ")
+
+
+############################################################################################################################
+
+if option == "A":
+
+ myfile = input("file with URL: ")
+ file1 = open(myfile, 'r')
+ content = file1.readlines()
+
+ count = 0
+
+
+
+ in_name="URL for " + mal_name
+
+ print("Reading hashes for URL...")
+
+
+ # iterating the whole file, for each line it creates a temporary
+ # stix object with the sha1 hash and the malware family
+ # and saves an indicator object with the content. No need to create a
+ # list because the object is already stored as a permanent identifier during the session
+ # although a trash-temp-indicator is also stored.
+
+ for line in content:
+
+ tmp_indicator = Indicator(name=in_name,
+ pattern="[url:value = '"+ line.strip()+"']",
+ pattern_type="stix")
+ # print("TEMPORARY, DEBUG:")
+ # print(tmp_indicator.serialize(pretty=True))
+
+ count = count + 1
+
+ locals()["indicator_URL_" + str(count)] = copy.deepcopy(tmp_indicator)
+
+
+
+ print("no more lines to read")
+
+
+ num_lines = sum(1 for _ in open(myfile))
+
+ # This prints all the indicators for the SHA1 (commented) and creates
+ # a relationship for each one of them with the malware
+
+ for i in range(num_lines):
+ #print("The indicator SHA1 is:\n")
+ #print(locals()["indicator_SHA1_" + str(i+1)].serialize(pretty=True))
+
+ # creating the relationship with the malware
+ locals()["relationship_URL_" + str(i+1)] = Relationship(relationship_type=typer,
+ source_ref=locals()["indicator_URL_" + str(i+1)].id,
+ target_ref=malware.id)
+ #print("The relationship is:\n")
+ #print(locals()["relationship_SHA1_" + str(i+1)].serialize(pretty=True))
+
+ print("Making the bundle...\n")
+
+ my_indicators_URL = []
+ my_relationships_URL = []
+ for j in range(num_lines):
+ my_indicators_URL.append(locals()["indicator_URL_" + str(j+1)])
+ my_relationships_URL.append(locals()["relationship_URL_" + str(j+1)])
+
+ my_bundle = Bundle(my_indicators_URL[:], my_relationships_URL[:], malware, my_identity)
+ print(my_bundle.serialize(pretty=True))
+ output_f = mal_name + "_URL_Bundle.json"
+ f_o = open(output_f, "x")
+
+ print("\nWriting the contents into " + output_f + " ...")
+
+ f_o.write(my_bundle.serialize(pretty=True))
+
+####################################################################################################################################
+
+elif option == "B":
+
+ # getting the file with IPV4
+ myfile2 = input("IP: ")
+ file2 = open(myfile2, 'r')
+ content2 = file2.readlines()
+
+ count = 0
+
+
+
+ in_name="IP for " + mal_name
+
+ print("Reading hashes for IP...")
+
+
+ # iterating the whole file, for each line it creates a temporary
+ # stix object with the sha1 hash and the malware family
+ # and saves an indicator object with the content. No need to create a
+ # list because the object is already stored as a permanent identifier during the session
+ # although a trash-temp-indicator is also stored.
+
+ for line2 in content2:
+
+ tmp_indicator = Indicator(name=in_name,
+ pattern="[ipv4-addr:value = '"+ line2.strip()+"']",
+ pattern_type="stix")
+ # print("TEMPORARY, DEBUG:")
+ # print(tmp_indicator.serialize(pretty=True))
+
+ count = count + 1
+
+ locals()["indicator_IPV4_" + str(count)] = copy.deepcopy(tmp_indicator)
+
+
+
+ print("no more lines to read")
+
+
+ num_lines2 = sum(1 for _ in open(myfile2))
+
+ # This prints all the indicators for the SHA1 (commented) and creates
+ # a relationship for each one of them with the malware
+
+ for i in range(num_lines2):
+ #print("The indicator SHA1 is:\n")
+ #print(locals()["indicator_SHA1_" + str(i+1)].serialize(pretty=True))
+
+ # creating the relationship with the malware
+ locals()["relationship_IPV4_" + str(i+1)] = Relationship(relationship_type=typer,
+ source_ref=locals()["indicator_IPV4_" + str(i+1)].id,
+ target_ref=malware.id)
+ #print("The relationship is:\n")
+ #print(locals()["relationship_SHA1_" + str(i+1)].serialize(pretty=True))
+
+ print("Making the bundle...\n")
+
+ my_indicators_IPV4 = []
+ my_relationships_IPV4 = []
+ for j in range(num_lines2):
+ my_indicators_IPV4.append(locals()["indicator_IPV4_" + str(j+1)])
+ my_relationships_IPV4.append(locals()["relationship_IPV4_" + str(j+1)])
+
+ my_bundle = Bundle(my_indicators_IPV4[:], my_relationships_IPV4[:], malware, my_identity)
+ print(my_bundle.serialize(pretty=True))
+ output_f = mal_name + "_IPV4_Bundle.json"
+ f_o = open(output_f, "x")
+
+ print("\nWriting the contents into " + output_f + " ...")
+
+ f_o.write(my_bundle.serialize(pretty=True))
+
+#################################################################################################################################
+
+elif option == "C":
+
+ myfile = input("URL File: ")
+ file1 = open(myfile, 'r')
+ content = file1.readlines()
+
+ count = 0
+
+
+
+ in_name="URL for " + mal_name
+
+ print("Reading hashes for URL...")
+
+ # iterating the whole file, for each line it creates a temporary
+ # stix object with the sha1 hash and the malware family
+ # and saves an indicator object with the content. No need to create a
+ # list because the object is already stored as a permanent identifier during the session
+ # although a trash-temp-indicator is also stored.
+
+ for line in content:
+
+ tmp_indicator = Indicator(name=in_name,
+ pattern="[url:value = '"+ line.strip()+"']",
+ pattern_type="stix")
+ # print("TEMPORARY, DEBUG:")
+ # print(tmp_indicator.serialize(pretty=True))
+
+ count = count + 1
+
+ locals()["indicator_URL_" + str(count)] = copy.deepcopy(tmp_indicator)
+
+
+
+ print("no more lines to read in " + myfile)
+ num_lines = sum(1 for _ in open(myfile))
+
+ # This prints all the indicators for the SHA1 (commented) and creates
+ # a relationship for each one of them with the malware
+
+ for i in range(num_lines):
+
+
+ # creating the relationship with the malware
+ locals()["relationship_URL_" + str(i+1)] = Relationship(relationship_type=typer,
+ source_ref=locals()["indicator_URL_" + str(i+1)].id,
+ target_ref=malware.id)
+
+
+
+ # getting the file with IPV4
+ myfile2 = input("file with IPV4: ")
+ file2 = open(myfile2, 'r')
+ content2 = file2.readlines()
+
+ count = 0
+
+
+
+ in_name="IPV4 for " + mal_name
+
+ print("Reading hashes for IPV4...")
+
+ # iterating the whole file, for each line it creates a temporary
+ # stix object with the sha1 hash and the malware family
+ # and saves an indicator object with the content. No need to create a
+ # list because the object is already stored as a permanent identifier during the session
+ # although a trash-temp-indicator is also stored.
+
+ for line2 in content2:
+
+ tmp_indicator = Indicator(name=in_name,
+ pattern="[ipv4-addr:value = '"+ line2.strip()+"']",
+ pattern_type="stix")
+ # print("TEMPORARY, DEBUG:")
+ # print(tmp_indicator.serialize(pretty=True))
+
+ count = count + 1
+
+ locals()["indicator_IPV4_" + str(count)] = copy.deepcopy(tmp_indicator)
+
+ print("no more lines to read in " + myfile2)
+ num_lines2 = sum(1 for _ in open(myfile2))
+
+ # This prints all the indicators for the SHA1 (commented) and creates
+ # a relationship for each one of them with the malware
+
+ for i in range(num_lines2):
+ #print("The indicator SHA1 is:\n")
+ #print(locals()["indicator_SHA1_" + str(i+1)].serialize(pretty=True))
+
+ # creating the relationship with the malware
+ locals()["relationship_IPV4_" + str(i+1)] = Relationship(relationship_type=typer,
+ source_ref=locals()["indicator_IPV4_" + str(i+1)].id,
+ target_ref=malware.id)
+ #print("The relationship is:\n")
+ #print(locals()["relationship_SHA1_" + str(i+1)].serialize(pretty=True))
+
+ print("Making the bundle...\n")
+
+ my_indicators_IPV4 = []
+ my_relationships_IPV4 = []
+
+ j = 0
+
+ for j in range(num_lines2):
+ my_indicators_IPV4.append(locals()["indicator_IPV4_" + str(j+1)])
+ my_relationships_IPV4.append(locals()["relationship_IPV4_" + str(j+1)])
+
+ my_indicators_URL = []
+ my_relationships_URL = []
+
+ j = 0
+
+ for j in range(num_lines):
+ my_indicators_URL.append(locals()["indicator_URL_" + str(j+1)])
+ my_relationships_URL.append(locals()["relationship_URL_" + str(j+1)])
+
+ my_bundle = Bundle(my_indicators_IPV4[:], my_relationships_IPV4[:],my_indicators_URL[:], my_relationships_URL[:], malware, my_identity)
+ print(my_bundle.serialize(pretty=True))
+ output_f = mal_name + "_URL_IPV4_Bundle.json"
+ f_o = open(output_f, "x")
+
+ print("\nWriting the contents into " + output_f + " ...")
+
+ f_o.write(my_bundle.serialize(pretty=True))
+
+
+#print("Bundle:")
+print("\nBye bye!")
+
+
+
+
+
+
A bulk_conversion/v.1.2/specific_attack_chain.py => bulk_conversion/v.1.2/specific_attack_chain.py +133 -0
@@ 0,0 1,133 @@
+from stix2 import Indicator
+from stix2 import Malware
+from stix2 import Relationship
+from stix2 import Bundle
+from stix2 import Identity
+from stix2 import KillChainPhase
+from stix2 import CustomObject, properties
+import copy
+
+
+
+# Custom Object commented because not all MISP are capable of
+# interpreting. If you uncomment, make sure your ingestor is capable of
+# interpreting the x-origin object
+
+
+#@CustomObject('x-origin', [
+# ('resource', properties.StringProperty(required=True)),
+# ('resource_class', properties.StringProperty())
+#])
+
+#class Origin(object):
+# def __init__(self, resource_class=None, **kwargs):
+# if resource_class and resource_class not in ['external', 'internal']:
+# raise ValueError("'%s' is not a recognized class of resource.." % resource_class)
+
+
+# creating identity for the bundle
+
+print("IDENTITY\n")
+
+
+myname = input("Name of author: ")
+i_class = inut("Class (organization/individual): ")
+
+print("\n****************************************************\n")
+
+# creating custom origin type
+# this is to make it easier for the researcher to be transparent
+# about the origin and the visbility for the indicators
+
+#print("RESOURCE/ORIGIN\n")
+
+#r_name = input("Name of the resource: ")
+#r_type = input("Type of the resource (internal/external): ")
+
+
+#campaign_origin = Origin(resource=r_name,
+# resource_class=r_type)
+
+#print("\n****************************************************\n")
+
+
+
+# this is custom and will onl be available with the latest version of stix :( :
+#dep = input("Department (default is Threat Hunting): ")
+
+# Creating the identity object default
+
+
+my_identity = Identity(name = myname,
+ identity_class = "organization")
+# reading malware from user prompt
+
+print("MALWARE DEFINITION AND CAMPAIGN\n")
+
+mal_rel = input("Relationship type between the malware and the hashes (uses, consists-of, indicates, analysis_of, controls, derived-from, mitigates, delivers): ")
+mal_name = input("Malware name which is related: ")
+mal_des = input("Malware description: ")
+mal_type = input("Malware type (f.e.: ransomware, trojan, backdoor...) write none if various types are considered: ")
+
+name_KC = input("Name of the specific case (not the same as the phase! for example: the name of the campaign) : ")
+phase_KC = input("Killchain phase (Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control, Actions on Objectives or other): ")
+
+print("\n****************************************************\n")
+
+malware = Malware(name=mal_name,
+ description=mal_des,
+ malware_types=[mal_type],
+ kill_chain_phases=[{
+ "kill_chain_name": name_KC,
+ "phase_name": phase_KC}],
+ is_family=True)
+
+print("INDICATOR\n")
+i_type = input("Indicator type (SHA1,SHA256,URL,IP): ")
+
+if i_type == "SHA1":
+ i_name = input("Name of the indicator: ")
+ i_hash = input("Hash of the indicator: ")
+ indicator = Indicator(name=i_name,
+ pattern="[file:hashes.sha1 = '" + i_hash +"']",
+ pattern_type="stix")
+elif i_type == "SHA256":
+ i_name = input("Name of the indicator: ")
+ i_hash = input("Hash of the indicator: ")
+ indicator = Indicator(name=i_name,
+ pattern="[file:hashes.sha256 = '" + i_hash +"']",
+ pattern_type="stix")
+else:
+ print("INDICATOR TYPE NOT RECOGNISED")
+
+print("\n****************************************************\n")
+
+myrelation = Relationship(relationship_type=mal_rel,
+ source_ref=indicator.id,
+ target_ref=malware.id)
+
+
+print("\nDONE: Creating bundle with the information...")
+
+mybundle = Bundle(indicator, malware, myrelation, my_identity)#, campaign_origin)
+print(mybundle.serialize(pretty=True))
+
+output_f = mal_name + "_" + phase_KC + "_Bundle.json"
+f_o = open(output_f, "x")
+
+print("\nWriting the contents into " + output_f + " ...")
+
+f_o.write(mybundle.serialize(pretty=True))
+print("Done! Bye bye! :)")
+
+
+
+
+
+
+
+
+
+
+
+