~alienagain/Stix_stuff

66ae0284d61763437a86b3a60d88142b97faa640 — terceranexus6 8 months ago 2e61e06 master
adding new versions
7 files changed, 829 insertions(+), 0 deletions(-)

R bulk_conversion/{SHA1_indicator_maker.py => v.1.1/SHA1_indicator_maker.py}
R bulk_conversion/{campaña.py => v.1.1/campaña.py}
R bulk_conversion/{hash_bundle_creator.py => v.1.1/hash_bundle_creator.py}
R bulk_conversion/{revisado.py => v.1.1/revisado.py}
A bulk_conversion/v.1.2/hashes.py
A bulk_conversion/v.1.2/networ_ioc.py
A bulk_conversion/v.1.2/specific_attack_chain.py
R bulk_conversion/SHA1_indicator_maker.py => bulk_conversion/v.1.1/SHA1_indicator_maker.py +0 -0
R bulk_conversion/campaña.py => bulk_conversion/v.1.1/campaña.py +0 -0
R bulk_conversion/hash_bundle_creator.py => bulk_conversion/v.1.1/hash_bundle_creator.py +0 -0
R bulk_conversion/revisado.py => bulk_conversion/v.1.1/revisado.py +0 -0
A bulk_conversion/v.1.2/hashes.py => bulk_conversion/v.1.2/hashes.py +350 -0
@@ 0,0 1,350 @@
from stix2 import Indicator
from stix2 import Malware
from stix2 import Relationship
from stix2 import Bundle
from stix2 import Identity
import copy

# functions

def menu():
  print("Choose an option: ")
  print("A - Enter SHA1\nB - Enter SHA256\nC - Enter SHA1 and SHA256\nD - Cancel")

def printin_bundle(mal_name, my_bundle):
    output_f = mal_name + "_Bundle.json"
    f_o = open(output_f, "x")

    print("\nWriting the contents into " + output_f + " ...")

    f_o.write(my_bundle.serialize(pretty=True))




# creating identity for the bundle

myname = input("Name of author: ")
i_class = input("Class (organization/individual): ")

# this is custom and will onl be available with the latest version of stix :( : 
#dep = input("Department (default is Threat Hunting): ")

# Creating the identity object default


my_identity = Identity(name = myname, 
                        identity_class = i_class)
# reading malware from user prompt

mal_name = input("Malware name: ")
mal_des = input("Malware description: ")
mal_type = input("Malware type (f.e.: ransomware, trojan, backdoor...) write none if various types are considered: ")

if mal_type == "none":
    malware = Malware(name=mal_name,
                  description=mal_des,
                  is_family=False)
else:
    malware = Malware(name=mal_name,
                  description=mal_des,
                  malware_types=[mal_type],
                 #kill_chain_phases=[{
                 #                       "kill_chain_name": "testing",
                 #                       "phase_name": "Delivery"}],
                  is_family=False)

typer = input("Relationship type between the malware and the hashes (uses, consists-of, indicates, analysis_of, controls, derived-from, mitigates, delivers): ")

menu()
option = input("Choose your option: ")


############################################################################################################################

if option == "A": 
        
    myfile = input("file with SHA1: ")
    file1 = open(myfile, 'r')
    content = file1.readlines()
         
    count = 0



    in_name="file hash for " + mal_name

    print("Reading hashes for SHA1...")

    print("SHA1: ")

        # iterating the whole file, for each line it creates a temporary 
        # stix object with the sha1 hash and the malware family
        # and saves an indicator object with the content. No need to create a
        # list because the object is already stored as a permanent identifier during the session
        # although a trash-temp-indicator is also stored.

    for line in content:

        tmp_indicator = Indicator(name=in_name, 
                                  pattern="[file:hashes.sha1 = '"+ line.strip()+"']",
                                  pattern_type="stix")
           # print("TEMPORARY, DEBUG:")
           # print(tmp_indicator.serialize(pretty=True))

        count = count + 1

        locals()["indicator_SHA1_" + str(count)] = copy.deepcopy(tmp_indicator)



    print("no more lines to read")


    num_lines = sum(1 for _ in open(myfile))

        # This prints all the indicators for the SHA1 (commented) and creates
        # a relationship for each one of them with the malware

    for i in range(num_lines):
            #print("The indicator SHA1 is:\n")
            #print(locals()["indicator_SHA1_" + str(i+1)].serialize(pretty=True))

            # creating the relationship with the malware
        locals()["relationship_SHA1_" + str(i+1)] = Relationship(relationship_type=typer,
                                    source_ref=locals()["indicator_SHA1_" + str(i+1)].id,
                                    target_ref=malware.id)
            #print("The relationship is:\n")
            #print(locals()["relationship_SHA1_" + str(i+1)].serialize(pretty=True))

    print("Making the bundle...\n")

    my_indicators_SHA1 = []
    my_relationships_SHA1 = []
    for j in range(num_lines):
        my_indicators_SHA1.append(locals()["indicator_SHA1_" + str(j+1)])
        my_relationships_SHA1.append(locals()["relationship_SHA1_" + str(j+1)])

    my_bundle = Bundle(my_indicators_SHA1[:], my_relationships_SHA1[:], malware, my_identity)
    print(my_bundle.serialize(pretty=True))
    output_f = mal_name + "_SHA1_Bundle.json"
    f_o = open(output_f, "x")

    print("\nWriting the contents into " + output_f + " ...")

    f_o.write(my_bundle.serialize(pretty=True))

####################################################################################################################################

elif option == "B":

    # getting the file with SHA256 hashes
    myfile2 = input("file with SHA256: ")
    file2 = open(myfile2, 'r')
    content2 = file2.readlines()
         
    count = 0



    in_name="file hash SHA256 for " + mal_name

    print("Reading hashes for SHA256...")
    print("SHA256: ")

        # iterating the whole file, for each line it creates a temporary 
        # stix object with the sha1 hash and the malware family
        # and saves an indicator object with the content. No need to create a
        # list because the object is already stored as a permanent identifier during the session
        # although a trash-temp-indicator is also stored.

    for line2 in content2:

        tmp_indicator = Indicator(name=in_name, 
                                  pattern="[file:hashes.sha256 = '"+ line2.strip()+"']",
                                  pattern_type="stix")
           # print("TEMPORARY, DEBUG:")
           # print(tmp_indicator.serialize(pretty=True))

        count = count + 1

        locals()["indicator_SHA256_" + str(count)] = copy.deepcopy(tmp_indicator)



    print("no more lines to read")


    num_lines2 = sum(1 for _ in open(myfile2))

        # This prints all the indicators for the SHA1 (commented) and creates
        # a relationship for each one of them with the malware

    for i in range(num_lines2):
            #print("The indicator SHA1 is:\n")
            #print(locals()["indicator_SHA1_" + str(i+1)].serialize(pretty=True))

            # creating the relationship with the malware
        locals()["relationship_SHA256_" + str(i+1)] = Relationship(relationship_type=typer,
                                    source_ref=locals()["indicator_SHA256_" + str(i+1)].id,
                                    target_ref=malware.id)
            #print("The relationship is:\n")
            #print(locals()["relationship_SHA1_" + str(i+1)].serialize(pretty=True))

    print("Making the bundle...\n")

    my_indicators_SHA256 = []
    my_relationships_SHA256 = []
    for j in range(num_lines2):
        my_indicators_SHA256.append(locals()["indicator_SHA256_" + str(j+1)])
        my_relationships_SHA256.append(locals()["relationship_SHA256_" + str(j+1)])
        
    my_bundle = Bundle(my_indicators_SHA256[:], my_relationships_SHA256[:], malware, my_identity)
    print(my_bundle.serialize(pretty=True))
    output_f = mal_name + "_SHA256_Bundle.json"
    f_o = open(output_f, "x")

    print("\nWriting the contents into " + output_f + " ...")

    f_o.write(my_bundle.serialize(pretty=True))

#################################################################################################################################
        
elif option == "C":

    myfile = input("file with SHA1: ")
    file1 = open(myfile, 'r')
    content = file1.readlines()
         
    count = 0



    in_name="file hash for " + mal_name

    print("Reading hashes for SHA1...")

        # iterating the whole file, for each line it creates a temporary 
        # stix object with the sha1 hash and the malware family
        # and saves an indicator object with the content. No need to create a
        # list because the object is already stored as a permanent identifier during the session
        # although a trash-temp-indicator is also stored.

    for line in content:

        tmp_indicator = Indicator(name=in_name, 
                                  pattern="[file:hashes.sha1 = '"+ line.strip()+"']",
                                  pattern_type="stix")
           # print("TEMPORARY, DEBUG:")
           # print(tmp_indicator.serialize(pretty=True))

        count = count + 1

        locals()["indicator_SHA1_" + str(count)] = copy.deepcopy(tmp_indicator)



    print("no more lines to read in " + myfile)
    num_lines = sum(1 for _ in open(myfile))

        # This prints all the indicators for the SHA1 (commented) and creates
        # a relationship for each one of them with the malware

    for i in range(num_lines):
            #print("The indicator SHA1 is:\n")
            #print(locals()["indicator_SHA1_" + str(i+1)].serialize(pretty=True))

            # creating the relationship with the malware
        locals()["relationship_SHA1_" + str(i+1)] = Relationship(relationship_type=typer,
                                    source_ref=locals()["indicator_SHA1_" + str(i+1)].id,
                                    target_ref=malware.id)
            #print("The relationship is:\n")
            #print(locals()["relationship_SHA1_" + str(i+1)].serialize(pretty=True))


    # getting the file with SHA256 hashes
    myfile2 = input("file with SHA256: ")
    file2 = open(myfile2, 'r')
    content2 = file2.readlines()
         
    count = 0



    in_name="file hash SHA256 for " + mal_name

    print("Reading hashes for SHA256...")

        # iterating the whole file, for each line it creates a temporary 
        # stix object with the sha1 hash and the malware family
        # and saves an indicator object with the content. No need to create a
        # list because the object is already stored as a permanent identifier during the session
        # although a trash-temp-indicator is also stored.

    for line2 in content2:

        tmp_indicator = Indicator(name=in_name, 
                                  pattern="[file:hashes.sha256 = '"+ line2.strip()+"']",
                                  pattern_type="stix")
           # print("TEMPORARY, DEBUG:")
           # print(tmp_indicator.serialize(pretty=True))

        count = count + 1

        locals()["indicator_SHA256_" + str(count)] = copy.deepcopy(tmp_indicator)

    print("no more lines to read in " + myfile2)
    num_lines2 = sum(1 for _ in open(myfile2))

        # This prints all the indicators for the SHA1 (commented) and creates
        # a relationship for each one of them with the malware

    for i in range(num_lines2):
            #print("The indicator SHA1 is:\n")
            #print(locals()["indicator_SHA1_" + str(i+1)].serialize(pretty=True))

            # creating the relationship with the malware
        locals()["relationship_SHA256_" + str(i+1)] = Relationship(relationship_type=typer,
                                    source_ref=locals()["indicator_SHA256_" + str(i+1)].id,
                                    target_ref=malware.id)
            #print("The relationship is:\n")
            #print(locals()["relationship_SHA1_" + str(i+1)].serialize(pretty=True))

    print("Making the bundle...\n")

    my_indicators_SHA256 = []
    my_relationships_SHA256 = []

    j = 0

    for j in range(num_lines2):
        my_indicators_SHA256.append(locals()["indicator_SHA256_" + str(j+1)])
        my_relationships_SHA256.append(locals()["relationship_SHA256_" + str(j+1)])

    my_indicators_SHA1 = []
    my_relationships_SHA1 = []

    j = 0

    for j in range(num_lines):
        my_indicators_SHA1.append(locals()["indicator_SHA1_" + str(j+1)])
        my_relationships_SHA1.append(locals()["relationship_SHA1_" + str(j+1)])
            
    my_bundle = Bundle(my_indicators_SHA256[:], my_relationships_SHA256[:],my_indicators_SHA1[:], my_relationships_SHA1[:], malware, my_identity)
    print(my_bundle.serialize(pretty=True))
    output_f = mal_name + "_SHA1_SHA256_Bundle.json"
    f_o = open(output_f, "x")

    print("\nWriting the contents into " + output_f + " ...")

    f_o.write(my_bundle.serialize(pretty=True))


#print("Bundle:")
print("\nBye bye!")







A bulk_conversion/v.1.2/networ_ioc.py => bulk_conversion/v.1.2/networ_ioc.py +346 -0
@@ 0,0 1,346 @@
from stix2 import Indicator
from stix2 import Malware
from stix2 import Relationship
from stix2 import Bundle
from stix2 import Identity
import copy

# functions

def menu():
  print("Choose an option: ")
  print("A - Enter URL\nB - Enter IP\nC - Enter URL and IP\nD - Cancel")

def printin_bundle(mal_name, my_bundle):
    output_f = mal_name + "_Bundle.json"
    f_o = open(output_f, "x")

    print("\nWriting the contents into " + output_f + " ...")

    f_o.write(my_bundle.serialize(pretty=True))



# creating identity for the bundle

myname = input("Name of author: ")
i_class = input("Class (organization/individual): ")

# this is custom and will onl be available with the latest version of stix :( : 
#dep = input("Department (default is Threat Hunting): ")

# Creating the identity object default


my_identity = Identity(name = myname, 
                        identity_class = i_class)
# reading malware from user prompt

mal_name = input("Malware name: ")
mal_des = input("Malware description: ")
mal_type = input("Malware type (f.e.: ransomware, trojan, backdoor...) write none if various types are considered: ")

if mal_type == "none":
    malware = Malware(name=mal_name,
                  description=mal_des,
                  is_family=False)
else:
    malware = Malware(name=mal_name,
                  description=mal_des,
                  malware_types=[mal_type],
                 #kill_chain_phases=[{
                 #                       "kill_chain_name": "testing",
                 #                       "phase_name": "Delivery"}],
                  is_family=False)

typer = input("Relationship type between the malware and the hashes (uses, consists-of, indicates, analysis_of, controls, derived-from, mitigates, delivers): ")

menu()
option = input("Choose your option: ")


############################################################################################################################

if option == "A": 
        
    myfile = input("file with URL: ")
    file1 = open(myfile, 'r')
    content = file1.readlines()
         
    count = 0



    in_name="URL for " + mal_name

    print("Reading hashes for URL...")


        # iterating the whole file, for each line it creates a temporary 
        # stix object with the sha1 hash and the malware family
        # and saves an indicator object with the content. No need to create a
        # list because the object is already stored as a permanent identifier during the session
        # although a trash-temp-indicator is also stored.

    for line in content:

        tmp_indicator = Indicator(name=in_name, 
                                  pattern="[url:value = '"+ line.strip()+"']",
                                  pattern_type="stix")
           # print("TEMPORARY, DEBUG:")
           # print(tmp_indicator.serialize(pretty=True))

        count = count + 1

        locals()["indicator_URL_" + str(count)] = copy.deepcopy(tmp_indicator)



    print("no more lines to read")


    num_lines = sum(1 for _ in open(myfile))

        # This prints all the indicators for the SHA1 (commented) and creates
        # a relationship for each one of them with the malware

    for i in range(num_lines):
            #print("The indicator SHA1 is:\n")
            #print(locals()["indicator_SHA1_" + str(i+1)].serialize(pretty=True))

            # creating the relationship with the malware
        locals()["relationship_URL_" + str(i+1)] = Relationship(relationship_type=typer,
                                    source_ref=locals()["indicator_URL_" + str(i+1)].id,
                                    target_ref=malware.id)
            #print("The relationship is:\n")
            #print(locals()["relationship_SHA1_" + str(i+1)].serialize(pretty=True))

    print("Making the bundle...\n")

    my_indicators_URL = []
    my_relationships_URL = []
    for j in range(num_lines):
        my_indicators_URL.append(locals()["indicator_URL_" + str(j+1)])
        my_relationships_URL.append(locals()["relationship_URL_" + str(j+1)])

    my_bundle = Bundle(my_indicators_URL[:], my_relationships_URL[:], malware, my_identity)
    print(my_bundle.serialize(pretty=True))
    output_f = mal_name + "_URL_Bundle.json"
    f_o = open(output_f, "x")

    print("\nWriting the contents into " + output_f + " ...")

    f_o.write(my_bundle.serialize(pretty=True))

####################################################################################################################################

elif option == "B":

    # getting the file with IPV4
    myfile2 = input("IP: ")
    file2 = open(myfile2, 'r')
    content2 = file2.readlines()
         
    count = 0



    in_name="IP for " + mal_name

    print("Reading hashes for IP...")
 

        # iterating the whole file, for each line it creates a temporary 
        # stix object with the sha1 hash and the malware family
        # and saves an indicator object with the content. No need to create a
        # list because the object is already stored as a permanent identifier during the session
        # although a trash-temp-indicator is also stored.

    for line2 in content2:

        tmp_indicator = Indicator(name=in_name, 
                                  pattern="[ipv4-addr:value = '"+ line2.strip()+"']",
                                  pattern_type="stix")
           # print("TEMPORARY, DEBUG:")
           # print(tmp_indicator.serialize(pretty=True))

        count = count + 1

        locals()["indicator_IPV4_" + str(count)] = copy.deepcopy(tmp_indicator)



    print("no more lines to read")


    num_lines2 = sum(1 for _ in open(myfile2))

        # This prints all the indicators for the SHA1 (commented) and creates
        # a relationship for each one of them with the malware

    for i in range(num_lines2):
            #print("The indicator SHA1 is:\n")
            #print(locals()["indicator_SHA1_" + str(i+1)].serialize(pretty=True))

            # creating the relationship with the malware
        locals()["relationship_IPV4_" + str(i+1)] = Relationship(relationship_type=typer,
                                    source_ref=locals()["indicator_IPV4_" + str(i+1)].id,
                                    target_ref=malware.id)
            #print("The relationship is:\n")
            #print(locals()["relationship_SHA1_" + str(i+1)].serialize(pretty=True))

    print("Making the bundle...\n")

    my_indicators_IPV4 = []
    my_relationships_IPV4 = []
    for j in range(num_lines2):
        my_indicators_IPV4.append(locals()["indicator_IPV4_" + str(j+1)])
        my_relationships_IPV4.append(locals()["relationship_IPV4_" + str(j+1)])
        
    my_bundle = Bundle(my_indicators_IPV4[:], my_relationships_IPV4[:], malware, my_identity)
    print(my_bundle.serialize(pretty=True))
    output_f = mal_name + "_IPV4_Bundle.json"
    f_o = open(output_f, "x")

    print("\nWriting the contents into " + output_f + " ...")

    f_o.write(my_bundle.serialize(pretty=True))

#################################################################################################################################
        
elif option == "C":

    myfile = input("URL File: ")
    file1 = open(myfile, 'r')
    content = file1.readlines()
         
    count = 0



    in_name="URL for " + mal_name

    print("Reading hashes for URL...")

        # iterating the whole file, for each line it creates a temporary 
        # stix object with the sha1 hash and the malware family
        # and saves an indicator object with the content. No need to create a
        # list because the object is already stored as a permanent identifier during the session
        # although a trash-temp-indicator is also stored.

    for line in content:

        tmp_indicator = Indicator(name=in_name, 
                                  pattern="[url:value = '"+ line.strip()+"']",
                                  pattern_type="stix")
           # print("TEMPORARY, DEBUG:")
           # print(tmp_indicator.serialize(pretty=True))

        count = count + 1

        locals()["indicator_URL_" + str(count)] = copy.deepcopy(tmp_indicator)



    print("no more lines to read in " + myfile)
    num_lines = sum(1 for _ in open(myfile))

        # This prints all the indicators for the SHA1 (commented) and creates
        # a relationship for each one of them with the malware

    for i in range(num_lines):
            

            # creating the relationship with the malware
        locals()["relationship_URL_" + str(i+1)] = Relationship(relationship_type=typer,
                                    source_ref=locals()["indicator_URL_" + str(i+1)].id,
                                    target_ref=malware.id)
            


    # getting the file with IPV4 
    myfile2 = input("file with IPV4: ")
    file2 = open(myfile2, 'r')
    content2 = file2.readlines()
         
    count = 0



    in_name="IPV4 for " + mal_name

    print("Reading hashes for IPV4...")

        # iterating the whole file, for each line it creates a temporary 
        # stix object with the sha1 hash and the malware family
        # and saves an indicator object with the content. No need to create a
        # list because the object is already stored as a permanent identifier during the session
        # although a trash-temp-indicator is also stored.

    for line2 in content2:

        tmp_indicator = Indicator(name=in_name, 
                                  pattern="[ipv4-addr:value = '"+ line2.strip()+"']",
                                  pattern_type="stix")
           # print("TEMPORARY, DEBUG:")
           # print(tmp_indicator.serialize(pretty=True))

        count = count + 1

        locals()["indicator_IPV4_" + str(count)] = copy.deepcopy(tmp_indicator)

    print("no more lines to read in " + myfile2)
    num_lines2 = sum(1 for _ in open(myfile2))

        # This prints all the indicators for the SHA1 (commented) and creates
        # a relationship for each one of them with the malware

    for i in range(num_lines2):
            #print("The indicator SHA1 is:\n")
            #print(locals()["indicator_SHA1_" + str(i+1)].serialize(pretty=True))

            # creating the relationship with the malware
        locals()["relationship_IPV4_" + str(i+1)] = Relationship(relationship_type=typer,
                                    source_ref=locals()["indicator_IPV4_" + str(i+1)].id,
                                    target_ref=malware.id)
            #print("The relationship is:\n")
            #print(locals()["relationship_SHA1_" + str(i+1)].serialize(pretty=True))

    print("Making the bundle...\n")

    my_indicators_IPV4 = []
    my_relationships_IPV4 = []

    j = 0

    for j in range(num_lines2):
        my_indicators_IPV4.append(locals()["indicator_IPV4_" + str(j+1)])
        my_relationships_IPV4.append(locals()["relationship_IPV4_" + str(j+1)])

    my_indicators_URL = []
    my_relationships_URL = []

    j = 0

    for j in range(num_lines):
        my_indicators_URL.append(locals()["indicator_URL_" + str(j+1)])
        my_relationships_URL.append(locals()["relationship_URL_" + str(j+1)])
            
    my_bundle = Bundle(my_indicators_IPV4[:], my_relationships_IPV4[:],my_indicators_URL[:], my_relationships_URL[:], malware, my_identity)
    print(my_bundle.serialize(pretty=True))
    output_f = mal_name + "_URL_IPV4_Bundle.json"
    f_o = open(output_f, "x")

    print("\nWriting the contents into " + output_f + " ...")

    f_o.write(my_bundle.serialize(pretty=True))


#print("Bundle:")
print("\nBye bye!")







A bulk_conversion/v.1.2/specific_attack_chain.py => bulk_conversion/v.1.2/specific_attack_chain.py +133 -0
@@ 0,0 1,133 @@
from stix2 import Indicator
from stix2 import Malware
from stix2 import Relationship
from stix2 import Bundle
from stix2 import Identity
from stix2 import KillChainPhase
from stix2 import CustomObject, properties
import copy



# Custom Object commented because not all MISP are capable of
# interpreting. If you uncomment, make sure your ingestor is capable of
# interpreting the x-origin object


#@CustomObject('x-origin', [
#    ('resource', properties.StringProperty(required=True)),
#    ('resource_class', properties.StringProperty())
#])

#class Origin(object):
#    def __init__(self, resource_class=None, **kwargs):
#        if resource_class and resource_class not in ['external', 'internal']:
#            raise ValueError("'%s' is not a recognized class of resource.." % resource_class)


# creating identity for the bundle

print("IDENTITY\n")


myname = input("Name of author: ")
i_class = inut("Class (organization/individual): ")

print("\n****************************************************\n")

# creating custom origin type
# this is to make it easier for the researcher to be transparent 
# about the origin and the visbility for the indicators

#print("RESOURCE/ORIGIN\n")

#r_name = input("Name of the resource: ")
#r_type = input("Type of the resource (internal/external): ")


#campaign_origin = Origin(resource=r_name,
#                    resource_class=r_type)

#print("\n****************************************************\n")



# this is custom and will onl be available with the latest version of stix :( : 
#dep = input("Department (default is Threat Hunting): ")

# Creating the identity object default


my_identity = Identity(name = myname, 
                        identity_class = "organization")
# reading malware from user prompt

print("MALWARE DEFINITION AND CAMPAIGN\n")

mal_rel = input("Relationship type between the malware and the hashes (uses, consists-of, indicates, analysis_of, controls, derived-from, mitigates, delivers): ")
mal_name = input("Malware name which is related: ")
mal_des = input("Malware description: ")
mal_type = input("Malware type (f.e.: ransomware, trojan, backdoor...) write none if various types are considered: ")

name_KC = input("Name of the specific case (not the same as the phase! for example: the name of the campaign) : ")
phase_KC = input("Killchain phase (Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control, Actions on Objectives or other): ")

print("\n****************************************************\n")

malware = Malware(name=mal_name,
                  description=mal_des,
                  malware_types=[mal_type],
                  kill_chain_phases=[{
                                        "kill_chain_name": name_KC,
                                        "phase_name": phase_KC}],
                  is_family=True)

print("INDICATOR\n")
i_type = input("Indicator type (SHA1,SHA256,URL,IP): ")

if i_type == "SHA1":
    i_name = input("Name of the indicator: ")
    i_hash = input("Hash of the indicator: ")
    indicator = Indicator(name=i_name,
                      pattern="[file:hashes.sha1 = '" + i_hash +"']",
                      pattern_type="stix")
elif i_type == "SHA256":
    i_name = input("Name of the indicator: ")
    i_hash = input("Hash of the indicator: ")
    indicator = Indicator(name=i_name,
                      pattern="[file:hashes.sha256 = '" + i_hash +"']",
                      pattern_type="stix")
else:
        print("INDICATOR TYPE NOT RECOGNISED")

print("\n****************************************************\n")

myrelation = Relationship(relationship_type=mal_rel,
                                    source_ref=indicator.id,
                                    target_ref=malware.id)


print("\nDONE: Creating bundle with the information...")

mybundle = Bundle(indicator, malware, myrelation, my_identity)#, campaign_origin)
print(mybundle.serialize(pretty=True))

output_f = mal_name + "_" + phase_KC + "_Bundle.json"
f_o = open(output_f, "x")

print("\nWriting the contents into " + output_f + " ...")

f_o.write(mybundle.serialize(pretty=True))
print("Done! Bye bye! :)")