Update Malware analysis 31-08-19.md

StrangerealIntel 2019-09-02 00:23:13 +02:00 committed by GitHub
parent 6673a93f6b
commit c23cd7aa47
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -61,8 +61,19 @@
###### This process graph represents the cyber kill chain of Bitter sample.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/offshore%20APT%20organization/Bitter/27-08-19/Images/Cyber.png "")
### Cyber Threat Intel<a name="Cyber-Threat-Intel"></a>
## Cyber Threat Intel<a name="Cyber-Threat-Intel"></a>
###### Since the last 2 weeks, the C2 domain have changed (.193 to .198) due to this are on the same subnet of the Verdina organization (Bulgaria cloud provider).
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/offshore%20APT%20organization/Bitter/27-08-19/Images/IPloc.jpg "")
###### We can note on the WHOIS information that this registered in Ras al-khaimah location.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/offshore%20APT%20organization/Bitter/27-08-19/Images/infowhois.png "")
###### The location is placed in the business place of the city.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/offshore%20APT%20organization/Bitter/27-08-19/Images/loc.png "")
###### We can note that two phone numbers with the country indicate (Indian and Iranian) have the same address for two companies.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/offshore%20APT%20organization/Bitter/27-08-19/Images/mat1.PNG "")
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/offshore%20APT%20organization/Bitter/27-08-19/Images/mat2.PNG "")
###### In Ras al-Khaimah, there is no corporate tax, no profits, no customs duties, no inheritance tax, it is not excluding that the group Bitter chose this place as a tax haven for their operations.
## References MITRE ATT&CK Matrix <a name="Ref-MITRE-ATTACK"></a>
###### List of all the references with MITRE ATT&CK Matrix
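Review bot: the two adjacent "Cyber Threat Intel" headings ("### Cyber Threat Intel" and "## Cyber Threat Intel") both carry the same `<a name="Cyber-Threat-Intel"></a>` anchor; if this is a level change, only the `##` line should survive, otherwise the rendered page ends up with a duplicate anchor and the table-of-contents link resolves to the first one. In the first new paragraph, ".193 to .198" describes a change of host address on the same subnet, not a domain, so "the C2 domain have changed" should read "the C2 address has changed", and "due to this are on the same subnet" should be "both addresses are on the same subnet of Verdina (Bulgarian cloud provider)". "this registered in Ras al-khaimah" needs a subject ("the domain is registered in Ras al-Khaimah"; the spelling should also match the later "Ras al-Khaimah"). The closing sentence ("it is not excluding that the group Bitter chose this place as a tax haven") states an inference that the WHOIS location and the shared-address phone numbers shown in the images do not establish; it would be clearer to mark it as a hypothesis, e.g. "we cannot exclude that ...", so the reader does not take it as an attribution finding.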
@ -100,3 +111,5 @@
+ [Urgent Action.docx](https://app.any.run/tasks/27a486be-50cc-4c75-ac00-b5009582d4ff)
* Docs : <a name="Documents"></a>
+ [Bitter Analysis by Unit42](https://unit42.paloaltonetworks.com/multiple-artradownloader-variants-used-by-bitter-to-target-pakistan/)
+ [Tool for decoding the encoded strings of ArtraDownloader](https://github.com/StrangerealIntel/CyberThreatIntel/tree/master/offshore%20APT%20organization/Bitter/27-08-19/decrypt)
+ [YARA_Rule_Bitter_Variant1_August_2019](https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/offshore%20APT%20organization/Bitter/27-08-19/YARA_Rule_Bitter_Variant1_August_2019.txt)
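Review bot: the new reference block mixes list markers: the "* Docs :" header uses `*` while every item before and after it uses `+`, and there is no blank line separating the any.run task link from the "Docs" sub-list, so Markdown may render the header as a continuation of the previous list rather than a new one. Use one marker throughout (the rest of the file uses `+`) and put a blank line before "* Docs :"; the three new links (Unit42 analysis, the ArtraDownloader string decoder and the YARA rule) are otherwise consistent with the existing reference format.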