A malware research-focused exam involving static/dynamic analysis, reverse engineering malicious payloads, identifying persistence mechanisms, unpacking obfuscated malware, and producing threat intelligence reports. The labs include real-world malware samples in a safe environment.
Typology: Exams
Question 1. Which of the following best defines the primary goal of static malware analysis?
A) To observe network traffic generated by the sample
B) To execute the sample in a sandbox and record its behavior
C) To extract information from the binary without running it
D) To modify the sample's code to neutralize it
Answer: C
Explanation: Static analysis involves examining the malware file without execution, focusing on attributes such as strings, imports, and file structure.

Question 2. In a typical malware analysis lab, why is a disposable virtual machine preferred over a physical host?
A) It provides higher CPU performance
B) It eliminates the need for network isolation
C) It allows quick restoration to a clean state after infection
D) It prevents the need for any monitoring tools
Answer: C
Explanation: Disposable VMs can be reverted to snapshots, ensuring that any changes made by malware are removed instantly, preserving a clean environment.

Question 3. Which of the following file types is most commonly associated with Windows Portable Executable (PE) malware?
A) .elf
B) .apk
C) .exe
D) .jar
Answer: C
Explanation: Windows executables use the .exe extension and follow the PE format, making them the prevalent vector for Windows malware.

Question 4. When calculating a file's SHA-256 hash for threat intelligence, which of the following statements is true?
A) SHA-256 is reversible, allowing recovery of the original file
B) Two different files can never share the same SHA-256 hash
C) SHA-256 provides a 256-bit digest that is computationally infeasible to collide
D) SHA-256 is slower than MD5 but less secure
Answer: C
Explanation: SHA-256 produces a 256-bit hash; collisions are extremely unlikely, making it suitable for reliable file identification.

Question 7. High entropy in the .text section of a PE file most likely indicates:
A) The file is a script rather than an executable
B) The presence of packed or encrypted code
C) The file contains many debug symbols
D) The file is signed with a digital certificate
Answer: B
Explanation: Packed or encrypted binaries exhibit high entropy because their data appears random, especially in executable sections.

Question 8. Which of the following packers is known for adding a "UPX!" signature to the packed executable?
A) ASPack
B) MPRESS
C) UPX
D) Themida
Answer: C
Explanation: UPX (Ultimate Packer for Executables) inserts a recognizable "UPX!" marker in the packed file's header.

Question 9. When writing a YARA rule to detect a malware family, which component is NOT required?
A) A rule name
B) A condition block
C) An import statement for external libraries
D) At least one string identifier
Answer: C
Explanation: YARA rules do not require imports; they need a name, strings, and a condition that evaluates to true or false.

Question 10. Which of the following is a common anti-debugging API used by malware to detect debuggers?
A) CreateProcessA
B) IsDebuggerPresent
C) GetSystemTime
D) RegOpenKeyEx
Answer: B
Explanation: IsDebuggerPresent returns a Boolean indicating whether the current process is being debugged, making it a classic anti-debug check.

Question 13. A malware sample communicates with its C2 server over HTTPS on port 443. Which of the following analysis steps is most appropriate to capture the encrypted traffic?
A) Use strings on the binary to locate the IP address
B) Deploy Wireshark with a TLS decryption certificate
C) Disable the network interface in the VM
D) Replace the DNS server with a sinkhole
Answer: B
Explanation: Capturing HTTPS traffic requires TLS decryption (e.g., via a custom root certificate) to inspect the encrypted payload.

Question 14. Which of the following network protocols is commonly abused by malware for covert C2 communication due to its ubiquity?
A) FTP
B) SMTP
C) DNS
D) Telnet
Answer: C
Explanation: DNS queries are often used for stealthy C2 because they blend with normal traffic and can encode data within query names.

Question 15. Which Windows API function is used by malware to create a new thread in a remote process?
A) CreateFileA
B) WriteProcessMemory
C) CreateRemoteThread
D) SetWindowsHookEx
Answer: C
Explanation: CreateRemoteThread injects code into another process by spawning a thread that executes at a specified address.

Question 16. In the context of x86 assembly, what does the instruction "PUSH ESP" accomplish?
A) Saves the current stack pointer onto the stack
B) Increments the stack pointer by one
C) Loads the value of ESP into EAX
D) Clears the stack
Answer: A
Explanation: PUSH ESP copies the current value of the ESP register onto the stack, effectively saving the stack pointer.
Explanation: Setting a hardware breakpoint on writes to the .text section catches the moment the unpacked code is written into memory, allowing a dump.

Question 19. Which of the following strings in a PE file most strongly suggests the presence of a ransomware component?
A) "GetSystemDirectoryA"
B) "AES256Encrypt"
C) "CreateThread"
D) "RegOpenKeyEx"
Answer: B
Explanation: "AES256Encrypt" indicates encryption routines, a core function of ransomware that encrypts victim files.

Question 20. A malware sample checks for the presence of a virtual machine by querying the BIOS serial number. Which API is typically used for this purpose?
A) GetSystemInfo
B) GetVolumeInformation
C) GetComputerNameEx
D) GetSystemFirmwareTable
Answer: D
Explanation: GetSystemFirmwareTable can retrieve BIOS data, including serial numbers, which malware can compare against known VM identifiers.

Question 21. Which of the following is NOT a typical indicator of a packed executable?
A) Very low import count
B) High entropy in the .text section
C) Presence of a digital signature block
D) Unusual section names such as "UPX0"
Answer: C
Explanation: A digital signature suggests a legitimate, signed binary, whereas packed files often lack signatures.

Question 22. Which tool is best suited for creating a custom YARA rule based on extracted PE import functions?
A) PEview
B) yara-gen (YARA rule generator)
C) Regshot
D) Process Explorer
Answer: B

Explanation: Services are defined under HKLM\System\CurrentControlSet\Services; registering a malicious service ensures execution at boot.

Question 25. Which of the following is a primary advantage of using REMnux as part of a malware analysis environment?
A) It provides a Windows kernel debugger
B) It includes a collection of Linux-based malware analysis tools pre-installed
C) It automatically deobfuscates any Windows PE file
D) It replaces the need for any virtual machines
Answer: B
Explanation: REMnux is a Linux distribution packed with tools such as peepdf, oletools, and radare2, facilitating analysis of various malware artifacts.

Question 26. Which of the following API calls is most likely used by a keylogger to capture keystrokes?
A) GetMessageA
B) SetWindowsHookEx
C) WriteFile
D) CreateFileMapping
Answer: B
Explanation: SetWindowsHookEx can install a low-level keyboard hook, enabling the capture of keystrokes.

Question 27. During dynamic analysis, you notice a process creates a mutex named "Global{A1B2C3}". What is the primary purpose of such a mutex?
A) To encrypt files on the system
B) To prevent multiple instances of the malware from running simultaneously
C) To communicate with the C2 server
D) To hide the process from Task Manager
Answer: B
Explanation: Malware often creates a named mutex to ensure only one instance runs, avoiding detection or conflicts.

Question 28. Which of the following is a typical sign that a malware sample is using TLS for C2 communication?
A) Plain-text HTTP GET requests observed in Wireshark
B) DNS queries with base64-encoded subdomains
C) Presence of "SChannel" imports in the PE file
D) Frequent ICMP echo requests
Answer: B
Explanation: When a DLL is injected, a new thread often starts at an address inside the injected module; monitoring thread creation reveals this.

Question 31. Which of the following techniques is used by malware to hide its network traffic by embedding data within legitimate protocols?
A) Port knocking
B) HTTP tunneling
C) DNS tunneling
D) ARP poisoning
Answer: C
Explanation: DNS tunneling encodes data in DNS queries/responses, allowing covert exfiltration or C2 communication.

Question 32. Which Windows API function can be used by malware to determine if it is running under a debugger by checking the PEB (Process Environment Block) flag?
A) NtQueryInformationProcess
B) CheckRemoteDebuggerPresent
C) GetCurrentProcessId
D) GetVersionEx
Answer: B
Explanation: CheckRemoteDebuggerPresent reads the PEB's "BeingDebugged" flag to detect a debugger.

Question 33. Which of the following is NOT a typical persistence mechanism employed by Linux-based malware?
A) Cron jobs
B) Systemd service files
C) Registry Run keys
D) Init.d scripts
Answer: C
Explanation: Linux does not use the Windows Registry; persistence is achieved via cron, systemd, or init scripts.

Question 34. During analysis, you observe that a malware sample writes a file named "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe". What persistence technique is being used?
A) Scheduled task
B) Startup folder
C) Service registration

D) File → Export → Rename
Answer: C
Explanation: In Ghidra's Symbol Tree, right-clicking a function allows renaming to improve analysis clarity.

Question 37. Which of the following is the most likely purpose of a malware component that calls the API "CryptProtectData"?
A) To encrypt data before exfiltration using Windows DPAPI
B) To compress files before deletion
C) To generate random numbers for keylogging
D) To create a hidden registry key
Answer: A
Explanation: CryptProtectData uses Windows Data Protection API (DPAPI) to encrypt data, often used by malware to protect stolen information.

Question 38. Which of the following best describes "Process Doppelgänging" as an evasion technique?
A) Creating a duplicate process with the same PID
B) Using a legitimate process image from the NTFS transaction log to execute malicious code without touching disk
C) Injecting shellcode into a system service process
D) Forking a child process that inherits debugger detection bypasses
Answer: B
Explanation: Process Doppelgänging abuses NTFS transaction mechanisms to run malicious code from a transacted file that never appears on disk.

Question 39. When analyzing a malicious PowerShell script, which of the following indicators suggests it may be downloading additional payloads?
A) Use of "Get-Process" cmdlet
B) Invocation of "Invoke-WebRequest" or "IEX" with a URL
C) Calls to "Set-ExecutionPolicy" only
D) Definition of functions without calls
Answer: B
Explanation: "Invoke-WebRequest" fetches remote content, and "IEX" (Invoke-Expression) can execute downloaded code, indicating payload retrieval.

Question 40. Which of the following techniques can be used to bypass a malware's check for a specific MAC address?
A) Changing the MAC address of the analysis VM's NIC to match the expected value