From c23cd7aa47a1b4eee48cbaa8ff393edb83003c2a Mon Sep 17 00:00:00 2001
From: StrangerealIntel <54320855+StrangerealIntel@users.noreply.github.com>
Date: Mon, 2 Sep 2019 00:23:13 +0200
Subject: [PATCH] Update Malware analysis 31-08-19.md
---
.../Bitter/27-08-19/Malware analysis 31-08-19.md | 15 ++++++++++++++-
1 file changed, 14 insertions(+), 1 deletion(-)
diff --git a/offshore APT organization/Bitter/27-08-19/Malware analysis 31-08-19.md b/offshore APT organization/Bitter/27-08-19/Malware analysis 31-08-19.md
index 9dd3530..2284173 100644
--- a/offshore APT organization/Bitter/27-08-19/Malware analysis 31-08-19.md
+++ b/offshore APT organization/Bitter/27-08-19/Malware analysis 31-08-19.md
@@ -61,8 +61,19 @@
###### This process graph represents the cyber kill chain of Bitter sample.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/offshore%20APT%20organization/Bitter/27-08-19/Images/Cyber.png "")
-### Cyber Threat Intel
+## Cyber Threat Intel
+###### Since the last 2 weeks, the C2 domain have changed (.193 to .198) due to this are on the same subnet of the Verdina organization (Bulgaria cloud provider).
+![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/offshore%20APT%20organization/Bitter/27-08-19/Images/IPloc.jpg "")
+###### We can note on the WHOIS information that this registered in Ras al-khaimah location.
+![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/offshore%20APT%20organization/Bitter/27-08-19/Images/infowhois.png "")
+
+###### The location is placed in the business place of the city.
+![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/offshore%20APT%20organization/Bitter/27-08-19/Images/loc.png "")
+###### We can note that two phone numbers with the country indicate (Indian and Iranian) have the same address for two companies.
+![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/offshore%20APT%20organization/Bitter/27-08-19/Images/mat1.PNG "")
+![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/offshore%20APT%20organization/Bitter/27-08-19/Images/mat2.PNG "")
+###### In Ras al-Khaimah, there is no corporate tax, no profits, no customs duties, no inheritance tax, it is not excluding that the group Bitter chose this place as a tax haven for their operations.
## References MITRE ATT&CK Matrix
###### List of all the references with MITRE ATT&CK Matrix
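Review bot: the sentence introducing this section (the line starting "Since the last 2 weeks, the C2 domain have changed (.193 to .198)") describes a change of IP address, not of domain, and it inverts the causality: the last octet moving from .193 to .198 is not caused by the hosts being on the same subnet; rather, the new address is notable because it still sits in the same Verdina (Bulgarian cloud provider) range as the old one. Suggest rewording to something like "Over the last two weeks the C2 IP has changed from .193 to .198; both addresses sit in the same subnet, allocated to Verdina, a Bulgarian cloud provider", and stating the full old and new addresses (or the domain they resolve from) so readers can pivot on them rather than on a bare last octet. The WHOIS paragraphs that follow should also be framed as a hypothesis rather than a finding: registrant details for a hosting range usually belong to the provider, its reseller, or a privacy proxy, so a Ras al-Khaimah address and two companies sharing it with Indian and Iranian country-code phone numbers (the text says "country indicate", which should read "country code") describe the hosting front, not necessarily the operators, and the closing "tax haven for their operations" inference rests on nothing in the images shown. Minor: "phone numbers with the country indicate" and "it is not excluding that" should read "phone numbers whose country codes (India and Iran)" and "it is not excluded that"; and the heading level change from ### to ## is fine since it matches the "## References MITRE ATT&CK Matrix" heading below.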
@@ -100,3 +111,5 @@
+ [Urgent Action.docx](https://app.any.run/tasks/27a486be-50cc-4c75-ac00-b5009582d4ff)
* Docs :
+ [Bitter Analysis by Unit42](https://unit42.paloaltonetworks.com/multiple-artradownloader-variants-used-by-bitter-to-target-pakistan/)
+ + [Tool for decoding the encoded strings of ArtraDownloader](https://github.com/StrangerealIntel/CyberThreatIntel/tree/master/offshore%20APT%20organization/Bitter/27-08-19/decrypt)
+ + [YARA_Rule_Bitter_Variant1_August_2019](https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/offshore%20APT%20organization/Bitter/27-08-19/YARA_Rule_Bitter_Variant1_August_2019.txt)
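Review bot: the two new Docs entries give no indication of what they cover, so a reader has to open the repository to find out; suggest a short descriptor on each line, such as what input the string decoder takes (the encoding scheme used by the ArtraDownloader strings discussed in the analysis) and which variant and which artifact the YARA rule matches. Also, the rule is published as YARA_Rule_Bitter_Variant1_August_2019.txt; YARA itself does not care about the extension, but a .yar (or .yara) name lets editors, scanners and rule-collection tooling recognise it without being told, so consider renaming it (and updating this link) before more references point at the .txt path.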