eLearnSecurity Certified Malware Analysis Professional eCMAP Practice Exam

A malware research-focused exam involving static/dynamic analysis, reverse engineering malicious payloads, identifying persistence mechanisms, unpacking obfuscated malware, and producing threat intelligence reports. The labs include real-world malware samples in a safe environment.

Typology: Exams

2024/2025

Available from 12/03/2025

shilpi-jain-1

eLearnSecurity Certified Malware Analysis Professional eCMAP Practice Exam
**Question 1.** Which of the following best defines the primary goal of static
malware analysis?
A) To observe network traffic generated by the sample
B) To execute the sample in a sandbox and record its behavior
C) To extract information from the binary without running it
D) To modify the sample’s code to neutralize it
**Answer:** C
**Explanation:** Static analysis involves examining the malware file without
execution, focusing on attributes such as strings, imports, and file structure.
**Question 2.** In a typical malware analysis lab, why is a disposable virtual
machine preferred over a physical host?
A) It provides higher CPU performance
B) It eliminates the need for network isolation
C) It allows quick restoration to a clean state after infection
D) It prevents the need for any monitoring tools
**Answer:** C
**Explanation:** Disposable VMs can be reverted to snapshots, ensuring that any
changes made by malware are removed instantly, preserving a clean environment.

**Question 3.** Which of the following file types is most commonly associated with Windows Portable Executable (PE) malware?
A) .elf
B) .apk
C) .exe
D) .jar
**Answer:** C
**Explanation:** Windows executables use the .exe extension and follow the PE format, making them the prevalent vector for Windows malware.
**Question 4.** When calculating a file’s SHA‑256 hash for threat intelligence, which of the following statements is true?
A) SHA‑256 is reversible, allowing recovery of the original file
B) Two different files can never share the same SHA‑256 hash
C) SHA‑256 provides a 256‑bit digest that is computationally infeasible to collide
D) SHA‑256 is slower than MD5 but less secure
**Answer:** C
**Explanation:** SHA‑256 produces a 256‑bit hash; collisions are extremely unlikely, making it suitable for reliable file identification.

**Question 7.** High entropy in the .text section of a PE file most likely indicates:
A) The file is a script rather than an executable
B) The presence of packed or encrypted code
C) The file contains many debug symbols
D) The file is signed with a digital certificate
**Answer:** B
**Explanation:** Packed or encrypted binaries exhibit high entropy because their data appears random, especially in executable sections.
**Question 8.** Which of the following packers is known for adding a “UPX!” signature to the packed executable?
A) ASPack
B) MPRESS
C) UPX
D) Themida
**Answer:** C
**Explanation:** UPX (Ultimate Packer for Executables) inserts a recognizable “UPX!” marker in the packed file’s header.

**Question 9.** When writing a YARA rule to detect a malware family, which component is NOT required?
A) A rule name
B) A condition block
C) An import statement for external libraries
D) At least one string identifier
**Answer:** C
**Explanation:** YARA rules do not require imports; they need a name, strings, and a condition that evaluates to true or false.
**Question 10.** Which of the following is a common anti‑debugging API used by malware to detect debuggers?
A) CreateProcessA
B) IsDebuggerPresent
C) GetSystemTime
D) RegOpenKeyEx
**Answer:** B
**Explanation:** IsDebuggerPresent returns a Boolean indicating whether the current process is being debugged, making it a classic anti‑debug check.

**Question 13.** A malware sample communicates with its C2 server over HTTPS on port 443. Which of the following analysis steps is most appropriate to capture the encrypted traffic?
A) Use strings on the binary to locate the IP address
B) Deploy Wireshark with a TLS decryption certificate
C) Disable the network interface in the VM
D) Replace the DNS server with a sinkhole
**Answer:** B
**Explanation:** Capturing HTTPS traffic requires TLS decryption (e.g., via a custom root certificate) to inspect the encrypted payload.
**Question 14.** Which of the following network protocols is commonly abused by malware for covert C2 communication due to its ubiquity?
A) FTP
B) SMTP
C) DNS
D) Telnet
**Answer:** C
**Explanation:** DNS queries are often used for stealthy C2 because they blend with normal traffic and can encode data within query names.

**Question 15.** Which Windows API function is used by malware to create a new thread in a remote process?
A) CreateFileA
B) WriteProcessMemory
C) CreateRemoteThread
D) SetWindowsHookEx
**Answer:** C
**Explanation:** CreateRemoteThread injects code into another process by spawning a thread that executes at a specified address.
**Question 16.** In the context of x86 assembly, what does the instruction “PUSH ESP” accomplish?
A) Saves the current stack pointer onto the stack
B) Increments the stack pointer by one
C) Loads the value of ESP into EAX
D) Clears the stack
**Answer:** A
**Explanation:** PUSH ESP copies the current value of the ESP register onto the stack, effectively saving the stack pointer.

**Explanation:** Setting a hardware breakpoint on writes to the .text section catches the moment the unpacked code is written into memory, allowing a dump.
**Question 19.** Which of the following strings in a PE file most strongly suggests the presence of a ransomware component?
A) “GetSystemDirectoryA”
B) “AES256Encrypt”
C) “CreateThread”
D) “RegOpenKeyEx”
**Answer:** B
**Explanation:** “AES256Encrypt” indicates encryption routines, a core function of ransomware that encrypts victim files.
**Question 20.** A malware sample checks for the presence of a virtual machine by querying the BIOS serial number. Which API is typically used for this purpose?
A) GetSystemInfo
B) GetVolumeInformation
C) GetComputerNameEx
D) GetSystemFirmwareTable
**Answer:** D

**Explanation:** GetSystemFirmwareTable can retrieve BIOS data, including serial numbers, which malware can compare against known VM identifiers.
**Question 21.** Which of the following is NOT a typical indicator of a packed executable?
A) Very low import count
B) High entropy in the .text section
C) Presence of a digital signature block
D) Unusual section names such as “UPX0”
**Answer:** C
**Explanation:** A digital signature suggests a legitimate, signed binary, whereas packed files often lack signatures.
**Question 22.** Which tool is best suited for creating a custom YARA rule based on extracted PE import functions?
A) PEview
B) yara-gen (YARA rule generator)
C) Regshot
D) Process Explorer
**Answer:** B

**Explanation:** Services are defined under HKLM\System\CurrentControlSet\Services; registering a malicious service ensures execution at boot.
**Question 25.** Which of the following is a primary advantage of using REMnux as part of a malware analysis environment?
A) It provides a Windows kernel debugger
B) It includes a collection of Linux‑based malware analysis tools pre‑installed
C) It automatically deobfuscates any Windows PE file
D) It replaces the need for any virtual machines
**Answer:** B
**Explanation:** REMnux is a Linux distribution packed with tools such as peepdf, oletools, and radare2, facilitating analysis of various malware artifacts.
**Question 26.** Which of the following API calls is most likely used by a keylogger to capture keystrokes?
A) GetMessageA
B) SetWindowsHookEx
C) WriteFile
D) CreateFileMapping

**Answer:** B
**Explanation:** SetWindowsHookEx can install a low‑level keyboard hook, enabling the capture of keystrokes.
**Question 27.** During dynamic analysis, you notice a process creates a mutex named “Global{A1B2C3}”. What is the primary purpose of such a mutex?
A) To encrypt files on the system
B) To prevent multiple instances of the malware from running simultaneously
C) To communicate with the C2 server
D) To hide the process from Task Manager
**Answer:** B
**Explanation:** Malware often creates a named mutex to ensure only one instance runs, avoiding detection or conflicts.
**Question 28.** Which of the following is a typical sign that a malware sample is using TLS for C2 communication?
A) Plain‑text HTTP GET requests observed in Wireshark
B) DNS queries with base64‑encoded subdomains
C) Presence of “SChannel” imports in the PE file
D) Frequent ICMP echo requests

**Answer:** B
**Explanation:** When a DLL is injected, a new thread often starts at an address inside the injected module; monitoring thread creation reveals this.
**Question 31.** Which of the following techniques is used by malware to hide its network traffic by embedding data within legitimate protocols?
A) Port knocking
B) HTTP tunneling
C) DNS tunneling
D) ARP poisoning
**Answer:** C
**Explanation:** DNS tunneling encodes data in DNS queries/responses, allowing covert exfiltration or C2 communication.
**Question 32.** Which Windows API function can be used by malware to determine if it is running under a debugger by checking the PEB (Process Environment Block) flag?
A) NtQueryInformationProcess
B) CheckRemoteDebuggerPresent
C) GetCurrentProcessId
D) GetVersionEx

**Answer:** B
**Explanation:** CheckRemoteDebuggerPresent reads the PEB’s “BeingDebugged” flag to detect a debugger.
**Question 33.** Which of the following is NOT a typical persistence mechanism employed by Linux‑based malware?
A) Cron jobs
B) Systemd service files
C) Registry Run keys
D) Init.d scripts
**Answer:** C
**Explanation:** Linux does not use the Windows Registry; persistence is achieved via cron, systemd, or init scripts.
**Question 34.** During analysis, you observe that a malware sample writes a file named “%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe”. What persistence technique is being used?
A) Scheduled task
B) Startup folder
C) Service registration

D) File → Export → Rename
**Answer:** C
**Explanation:** In Ghidra’s Symbol Tree, right‑clicking a function allows renaming to improve analysis clarity.
**Question 37.** Which of the following is the most likely purpose of a malware component that calls the API “CryptProtectData”?
A) To encrypt data before exfiltration using Windows DPAPI
B) To compress files before deletion
C) To generate random numbers for keylogging
D) To create a hidden registry key
**Answer:** A
**Explanation:** CryptProtectData uses Windows Data Protection API (DPAPI) to encrypt data, often used by malware to protect stolen information.
**Question 38.** Which of the following best describes “Process Doppelgänging” as an evasion technique?
A) Creating a duplicate process with the same PID
B) Using a legitimate process image from the NTFS transaction log to execute malicious code without touching disk

C) Injecting shellcode into a system service process
D) Forking a child process that inherits debugger detection bypasses
**Answer:** B
**Explanation:** Process Doppelgänging abuses NTFS transaction mechanisms to run malicious code from a transacted file that never appears on disk.
**Question 39.** When analyzing a malicious PowerShell script, which of the following indicators suggests it may be downloading additional payloads?
A) Use of “Get-Process” cmdlet
B) Invocation of “Invoke-WebRequest” or “IEX” with a URL
C) Calls to “Set-ExecutionPolicy” only
D) Definition of functions without calls
**Answer:** B
**Explanation:** “Invoke-WebRequest” fetches remote content, and “IEX” (Invoke‑Expression) can execute downloaded code, indicating payload retrieval.
**Question 40.** Which of the following techniques can be used to bypass a malware’s check for a specific MAC address?
A) Changing the MAC address of the analysis VM’s NIC to match the expected value