Problem
Threat Intelligence Card
1. Source IP/Port: 188.124.9.56:80
2. Destination Address/Port: 192.168.3.35:1035
3. Event Message: ET TROJAN JS/Nemucod.M.gen downloading EXE payload
I. What was the indicator of an attack?
II. What was the adversarial motivation (purpose of attack)?
III. Describe observations and indicators that may relate to the perpetrators of the intrusion. Categorize each insight by the appropriate stage of the cyber kill chain, following the structure of the table below.
• How did the attacker locate the victim?
• What was it that was downloaded?
• How was it downloaded?
• What does the exploit do?
• How is the exploit installed?
• How does the attacker gain control of the remote machine?
• What does the software that the attacker sent do to complete its tasks?
• What are your recommended mitigation strategies?