@@ 0,0 1,190 @@
+from stix2 import Indicator
+from stix2 import Malware
+from stix2 import Relationship
+from stix2 import Bundle
+from stix2 import Identity
+from stix2 import ThreatActor
+
+import argparse
+import copy
+
+# functions
+
+parser = argparse.ArgumentParser()
+parser.add_argument('-n', '--name', help='name of the malware')
+parser.add_argument('-d', '--des', help='description of the malware')
+parser.add_argument('-r', '--rel', help='relation of the ioc with the malware')
+parser.add_argument('-f', '--file', help='name of the file with malware hashes')
+
+args = parser.parse_args()
+
+
+def printin_bundle(mal_name, my_bundle):
+ output_f = mal_name + "_Bundle.json"
+ f_o = open(output_f, "x")
+
+ print("\nWriting the contents into " + output_f + " ...")
+
+ f_o.write(my_bundle.serialize(pretty=True))
+
+
+
+
+# creating identity for the bundle
+
+myname = "<MY IDENTITY NAME>" #input("Name of author: ")
+#i_class = "organization"
+
+# this is custom and will onl be available with the latest version of stix :( :
+#dep = input("Department (default is Threat Hunting): ")
+
+# Creating the identity object default
+
+############################IDENTITY####################################
+
+
+my_identity = Identity(name = myname, identity_class = i_class)
+# reading malware from user prompt
+
+#TA_name = input("THEAR ACTOR name: ")
+#TA_des = input("THREAT ACTOR description: ")
+
+
+#TA_type = input("nation-state/: ")
+
+#if mal_type == "none":
+# malware = Malware(name=mal_name,
+# description=mal_des,
+# is_family=False)
+#else:
+# malware = Malware(name=mal_name,
+# description=mal_des,
+# malware_types=[mal_type],
+ #kill_chain_phases=[{
+ # "kill_chain_name": "testing",
+ # "phase_name": "Delivery"}],
+# is_family=False)
+
+
+############################3THREAT ACTOR################################
+
+
+#threatactor = ThreatActor(name=TA_name,description=TA_des)
+#print("Threat actor defined")
+
+
+
+#############################MALWARE#####################################
+
+print("Please indicate the malware details:")
+
+#MA_name = input("MALWARE NAME: ")
+MA_name = args.name
+
+#MA_des = input("MALWARE DESCRIPTION: ")
+MA_des = args.des
+
+#MA_type = input("MALWARE TYPE: ")
+
+malware = Malware(name=MA_name, description=MA_des,is_family=False)
+#else:
+# malware = Malware(name=MA_name,
+# description=MA_des,
+# malware_types=[mal_type],
+ #kill_chain_phases=[{
+ # "kill_chain_name": "testing",
+ # "phase_name": "Delivery"}],
+# is_family=False)
+
+#typer = input("Relationship type between the malware and the hashes (uses, consists-of, indicates, analysis_of, controls, derived-from, mitigates, delivers): ")
+typer = args.rel
+
+#menu()
+#option = input("Choose your option: ")
+
+
+
+########################################################################
+########################################################################
+
+
+ # getting the file with SHA256 hashes
+#myfile2 = input("file with SHA256: ")
+myfile2 = args.file
+
+file2 = open(myfile2, 'r')
+content2 = file2.readlines()
+
+count = 0
+
+
+#MARCADOR
+in_name="file hash SHA256 for " + MA_name
+
+print("Reading hashes for SHA256...")
+#print("SHA256: ")
+
+ # iterating the whole file, for each line it creates a temporary
+ # stix object with the sha1 hash and the malware family
+ # and saves an indicator object with the content. No need to create a
+ # list because the object is already stored as a permanent identifier during the session
+ # although a trash-temp-indicator is also stored.
+
+for line2 in content2:
+ #MARCADOR
+ tmp_indicator = Indicator(name=line2.strip(),
+ pattern="[file:name = '"+ MA_name +"' AND file:hashes.'sha256' = '"+ line2.strip()+"']",
+ spec_version="2.1",
+ pattern_type="stix")
+ # print("TEMPORARY, DEBUG:")
+ # print(tmp_indicator.serialize(pretty=True))
+
+ count = count + 1
+
+ locals()["indicator_SHA256_" + str(count)] = copy.deepcopy(tmp_indicator)
+
+
+
+print("no more lines to read")
+
+
+num_lines2 = sum(1 for _ in open(myfile2))
+
+ # This prints all the indicators for the SHA1 (commented) and creates
+ # a relationship for each one of them with the malware
+
+for i in range(num_lines2):
+ #print("The indicator SHA1 is:\n")
+ #print(locals()["indicator_SHA1_" + str(i+1)].serialize(pretty=True))
+
+ # creating the relationship with the malware
+ locals()["relationship_SHA256_" + str(i+1)] = Relationship(relationship_type=typer,
+ source_ref=locals()["indicator_SHA256_" + str(i+1)].id,
+ target_ref=malware.id)
+ #print("The relationship is:\n")
+ #print(locals()["relationship_SHA1_" + str(i+1)].serialize(pretty=True))
+
+print("Making the bundle...\n")
+
+my_indicators_SHA256 = []
+my_relationships_SHA256 = []
+
+for j in range(num_lines2):
+ my_indicators_SHA256.append(locals()["indicator_SHA256_" + str(j+1)])
+ my_relationships_SHA256.append(locals()["relationship_SHA256_" + str(j+1)])
+
+my_bundle = Bundle(my_indicators_SHA256[:], my_relationships_SHA256[:], malware, my_identity)
+print(my_bundle.serialize(pretty=True))
+output_f = MA_name + "_SHA256_Bundle.json"
+f_o = open(output_f, "x")
+
+print("\nWriting the contents into " + output_f + " ...")
+
+f_o.write(my_bundle.serialize(pretty=True))
+
+
+
+#print("Bundle:")
+print("\nBye bye!")
+
+
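Review bot: `my_identity = Identity(name = myname, identity_class = i_class)` raises NameError on every run, because the only assignment to `i_class` is the commented-out `#i_class = "organization"` a few lines above it; restoring `i_class = "organization"` (or wiring it to a new `--class` argument) is needed before the script gets past the Identity block. The hash loop builds the STIX pattern by string concatenation from each raw line of the input file (`pattern="[file:name = '"+ MA_name +"' AND file:hashes.'sha256' = '"+ line2.strip()+"']"`), so a blank line, a stray quote or a non-hash line produces either a malformed pattern or an indicator for junk; validating each line before use, e.g. `h = line2.strip()` then `if len(h) != 64 or any(c not in "0123456789abcdefABCDEF" for c in h): continue`, keeps the bundle to real SHA256 values, and the relationship loop should then iterate over `count` rather than re-counting lines with `num_lines2` so skipped lines do not leave `locals()` keys missing. `--name`, `--des`, `--rel` and `--file` are all optional but every one is used unconditionally, so an omitted flag fails later with a TypeError on `MA_name + ...` or inside the stix2 constructors; adding `required=True` to those `add_argument` calls gives a usable usage error instead. The input file and the two output handles (`file2`, `f_o`) are opened without `with` and never closed, so the bundle is only written to disk when the interpreter happens to flush at exit; `with open(output_f, "x") as f_o: f_o.write(my_bundle.serialize(pretty=True))` makes the write explicit. `printin_bundle` duplicates the inline write at the end of the file and is never called, so either call it there or drop it.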