From c23cd7aa47a1b4eee48cbaa8ff393edb83003c2a Mon Sep 17 00:00:00 2001 From: StrangerealIntel <54320855+StrangerealIntel@users.noreply.github.com> Date: Mon, 2 Sep 2019 00:23:13 +0200 Subject: [PATCH] Update Malware analysis 31-08-19.md --- .../Bitter/27-08-19/Malware analysis 31-08-19.md | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/offshore APT organization/Bitter/27-08-19/Malware analysis 31-08-19.md b/offshore APT organization/Bitter/27-08-19/Malware analysis 31-08-19.md index 9dd3530..2284173 100644 --- a/offshore APT organization/Bitter/27-08-19/Malware analysis 31-08-19.md +++ b/offshore APT organization/Bitter/27-08-19/Malware analysis 31-08-19.md 
@@ -61,8 +61,19 @@ ###### This process graph represents the cyber kill chain of Bitter sample. ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/offshore%20APT%20organization/Bitter/27-08-19/Images/Cyber.png "") -### Cyber Threat Intel +## Cyber Threat Intel +###### Since the last 2 weeks, the C2 domain have changed (.193 to .198) due to this are on the same subnet of the Verdina organization (Bulgaria cloud provider). +![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/offshore%20APT%20organization/Bitter/27-08-19/Images/IPloc.jpg "") +###### We can note on the WHOIS information that this registered in Ras al-khaimah location. +![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/offshore%20APT%20organization/Bitter/27-08-19/Images/infowhois.png "") + +###### The location is placed in the business place of the city. +![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/offshore%20APT%20organization/Bitter/27-08-19/Images/loc.png "") +###### We can note that two phone numbers with the country indicate (Indian and Iranian) have the same address for two companies. +![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/offshore%20APT%20organization/Bitter/27-08-19/Images/mat1.PNG "") +![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/offshore%20APT%20organization/Bitter/27-08-19/Images/mat2.PNG "") +###### In Ras al-Khaimah, there is no corporate tax, no profits, no customs duties, no inheritance tax, it is not excluding that the group Bitter chose this place as a tax haven for their operations. ## References MITRE ATT&CK Matrix ###### List of all the references with MITRE ATT&CK Matrix 
@@ -100,3 +111,5 @@ + [Urgent Action.docx](https://app.any.run/tasks/27a486be-50cc-4c75-ac00-b5009582d4ff) * Docs : + [Bitter Analysis by Unit42](https://unit42.paloaltonetworks.com/multiple-artradownloader-variants-used-by-bitter-to-target-pakistan/) + + [Tool for decoding the encoded strings of ArtraDownloader](https://github.com/StrangerealIntel/CyberThreatIntel/tree/master/offshore%20APT%20organization/Bitter/27-08-19/decrypt) + + [YARA_Rule_Bitter_Variant1_August_2019](https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/offshore%20APT%20organization/Bitter/27-08-19/YARA_Rule_Bitter_Variant1_August_2019.txt)
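Review bot: In the Cyber Threat Intel hunk, the first added `######` line says the "C2 domain have changed (.193 to .198)", but .193 and .198 read as the last octets of IP addresses, not a domain; give the full old and new address (or the domain together with the IPs it resolved to) and the subnet itself so the pivot to Verdina can be reproduced, and rephrase "due to this are on the same subnet" as "both addresses sit in the same subnet, which belongs to Verdina (a Bulgarian cloud provider)". The WHOIS, map and phone-number lines that follow show only a shared registered address and a provider-owned subnet, both of which are resources shared by unrelated tenants, so the closing sentence about Bitter choosing Ras al-Khaimah as a tax haven should be labelled as a hypothesis rather than a finding; "it is not excluding" should also read "it cannot be excluded", and "the country indicate" should read "the country code".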
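Review bot: The two entries added at the end of the Docs list carry no description, so a reader cannot tell what the decoder handles or what the YARA rule matches without opening each link; add a short note after each (which encoded-string variant the decoder targets, which samples or hashes from this report the rule was tested against). The YARA rule is also published as a `.txt` file, which most tooling will not pick up automatically; consider a `.yar` extension and, since the decoder is code rather than documentation, a separate "Tools :" bullet alongside "Docs :".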