diff --git a/offshore APT organization/Bitter/27-08-19/Malware analysis 31-08-19.md b/offshore APT organization/Bitter/27-08-19/Malware analysis 31-08-19.md
index b17e114..4bd7d19 100644
--- a/offshore APT organization/Bitter/27-08-19/Malware analysis 31-08-19.md
+++ b/offshore APT organization/Bitter/27-08-19/Malware analysis 31-08-19.md
@@ -2,6 +2,7 @@
## Table of Contents
* [Malware analysis](#Malware-analysis)
+ [Initial vector](#Initial-vector)
+ + [ArtraDownloader](#ArtraDownloader)
* [Cyber Threat Intel](#Cyber-Threat-Intel)
* [Indicators Of Compromise (IOC)](#IOC)
* [References MITRE ATT&CK Matrix](#Ref-MITRE-ATTACK)
@@ -13,11 +14,27 @@
## Malware-analysis
### Initial vector
-###### Use a document with a remote template injection as initial vector. This download the
+###### Use a document with a remote template injection as initial vector. This request http[:]//maq.com.pk/ for be redirected on the next URL.
-
+###### This second URL (http[:]//maq.com.pk/wehsd) send a RTF exploit.
+
+###### This exploit execute firstly a request by WebDAV and after by WebClient service for download the backdoor on the final address (http[:]//maq.com.pk/wehs) and execute it.
+
+###### Here we can see the redirection and the data sended on the victim.
+
+### ArtraDownloader
+###### In the first, we can see some encoded string pushed on a function and the result is moved on another registry as storage for be used by the backdoor.
+
+###### In observing this function we can resume by the folowing algorithm used for decode these strings : for each byte of the string -> value of the byte -1 -> get Unicode value -> convert to char.
+
+###### We can edit a script for decode the encoded string.
+
+###### Now we can see the actions did by the malware.
+
+
### Cyber kill chain
###### This process graph represents the cyber kill chain of Bitter sample.
+
### Cyber Threat Intel
## References MITRE ATT&CK Matrix