EEL 4804 Intro to Malware Reverse Engineering
62h is an operand in an instruction; its value in ASCII is "b", what is its representation in Octal, binary and decimal? a) Decimal: 98 Octal: 142 Binary: 1100010 b) Decimal: 9e Octal: 142 Binary: 1100010 c) Decimal: 98 Octal: 142 Binary: 1100210 d) Decimal: 98 Octal: 192 Binary: 1100010
a
A worm that has a repertoire of behavior patterns that are unleashed at different stages of propagation is called __________. a) Metamorphic Worms b) Heuristic Worms c) Intelligent Worms d) Semantic Worms
a
How are different types of malware classified? a) How they infect and propagate. b) How they are programmed and function. c) How fast they move and infect. d) Where they originate and move.
a
How is the file system function "CreateFile" used? a) This function is used to create and open files. b) This function is used for reading and writing to files. c) The "CreateFile" function loads a file from disk into memory. d) Represents a function that will be called by the Windows API.
a
What are Obfuscated programs? a) Obfuscated programs are ones whose execution the malware author has attempted to hide. b) Obfuscated programs are obscure illegal programs that were downloaded from torrent website. c) Obfuscated programs are those programs identified by antivirus programs as malicious. d) Obfuscated programs are
a
What are Packed programs? a) Packed programs are a subset of obfuscated programs in which the malicious program is compressed and cannot be analyzed. b) Packed programs easier to analyze than obfuscated programs. c) Packed programs are not related to obfuscated programs. d) Packed programs are those that were created for the sole purpose to highjack any device virtually.
a
What are some commercially available plugins? a) Hex-Rays decompiler, and zynamics BinDiff. b) Maverick, and lion. c) Hawaii, and guam. d) Ubuntu, and kali.
a
What are some free-to-use sandboxes? a) Norman SandBox, GFI Sandbox, Anubis, Joe Sandbox, ThreatExpert, BitBlaze, and Comodo Instant Malware Analysis. b) KALI, UBUNTU, RUBY, PYTHON, KMDO, and ORP. c) Penn-station, YLNO, EROC, elPrup, and GNUSMAS. d) No free-to-use sandboxes exist; however, they are very cheap to purchase.
a
What are some useful windows for analysis on IDA PRO? a) Function window, Names window, Imports window, and Exports windows. b) Function window, Surnames window, Imports window, and Exports windows. c) Function window, Names window, Imports window, and Domestics windows. d) Windows server, Names window, Imports window, and Exports windows.
a
What does the arithmetic operations "--, ++" do? a) They are used to decrement by 1 and increment by 1, respectively. b) They are used to increment by 1 and decrement by 1, respectively. c) They are used to perform subtraction and addition between two variables, respectively. d) They are used to perform addition and subtraction between two variables, respectively.
a
What is IDA PRO? a) An extremely powerful disassembler distributed by HexRays. b) An extremely powerful file system distributed by HexRays. c) An extremely powerful debugger distributed by HexRays. d) An extremely powerful assembler distributed by HexRays.
a
What is Process Explorer? a) Process Explorer monitors the processes running on a system and shows them in a tree structure that displays child and parent relationships. b) Process Explorer is a tool that replaced Procmon, there is no use for procmon. c) Process Explorer shows all the processes not running on a system. d) Process explorer is another browser like Safari, windows explorer, and Firefox.
a
What is Windows API type "word" mean? a) A 16-bit unsigned value. b) A 32-bit unsigned value. c) A reference to an object. d) A pointer to another type.
a
What is a Hashing? a) Hashing is a common method used to uniquely identify malware. The malicious software is run through a hashing program that produces a unique hash that identifies that malware (a sort of fingerprint). b) Hashing is a common method used to uniquely identify a file signature. c) Hashing is a numerical representation that only that particular file will generate. d) Hashing is what remains after a virus attack.
a
What is a file signature? a) A file signature is also known as suspicious code. b) Executive employees use file signatures to approve paperwork dealing with company official decisions. c) The government utilizes file signature to identify files created by every specific individual. d) End users utilize file signatures to claim ownership for files they created.
a
What is a global variable? a) Global variables can be accessed and used by any function in a program. b) Global variables cannot be accessed and used by any function in a program. c) Global variables can be accessed but not used by any function in a program. d) Global variables can be accessed only by the function in which they are defined.
a
What is a sandbox? a) A sandbox is a security mechanism for running untrusted programs in a safe environment without fear of harming "real" systems. b) A sandbox is a an extremely powerful debugger. c) A sandbox is a tool that monitors the processes running on a system. d) A sandbox is a registry comparison tool that allows you to take and compare two registry snapshots.
a
What is microcode also known as? a) Firmware. b) Opcode. c) Digital Logic. d) Bytecode.
a
What is the Windows Registry? a) The Windows registry is used to store OS and program configuration information, such as settings and options. b) The Windows registry is used to store global variables. c) The Windows registry is used to store file format and processor architecture. d) The Windows registry is used to store functions for Windows API.
a
What is the goal of malware analysis? a) To determine exactly what a particular suspect binary can do, how to detect it on your network, and how to measure and contain its damage. b) Measure the damage that has been performed by the malware in order to provide a comprehensive report to managers. c) Run tools that are capable to identify malware infections with the purpose of segregating the malware. d) Build special files that can be launched to attack malware that has infected a network infrastructure.
a
What is the hex number in AX converted from the binary 1010 0001 1111 0101? a) A1F5 b) A1M5 c) 81Y5 d) 81F5
a
What is the purpose of the "adder" function? a) The function adder adds two arguments and returns the result. The main function calls adder and prints the result using printf. b) Programmers use the adder function to alter program execution based on certain conditions. c) The adder function is frequently used by malware authors to add until a condition is met, such as receiving a packet or command. d) The adder is used by programmers to define an ordered set of similar data items
a
What should you do before bringing a machines network into the Internet? a) Perform some static and dynamic analysis in order to evaluate how dangerous the malware is and what resources it might affect. b) It doesn't matter; the malware already is able to reach the Internet on its own. c) Ask other students if their machines were infected. d) Ask the professor, so he can evaluate how dangerous the malware is.
a
Where are Virtual machines installed? a) Virtual machines can be installed on any platform. b) Virtual machines can only be installed on Linux platforms. c) Virtual machines can only be installed on the servers. d) Virtual machines can only be installed on the "Cloud".*b) Virtual machines can be installed on any platform.
a
Which of these are performed to develop and detect malware infections on your network? a) Host and Network signatures. b) Firmware and BIOS. c) System and engine signatures. d) Temporal and spatial signatures.
a
Which type of analysis reverse-engineers the malware's internals by loading the executable into a disassembler and looks at the program instructions in order to discover what the program does? a) Advanced Static Analysis b) Basic Dynamic Analysis c) Advanced Dynamic Analysis d) Basic Static Analysis
a
Which type of analysis uses a debugger to examine the internal state of a running malicious executable? a) Advanced Dynamic Analysis b) Basic Dynamic Analysis c) Basic Static Analysis d) Advanced Dynamic Analysis
a
How does the instruction: "mov ecx, 0x42" translate to in opcode? a) R9 and 42 00 00 42 b) B9 and 42 00 00 00 c) F9 and 42 42 00 00 d) T9 and 42 00 42 00
b
How is the file system function "ReadFile and WriteFile" used? a) These function are used to create and open files. b) These functions are used for reading and writing to files. c) The "ReadFile and WriteFile" functions load a file from disk into memory. d) Represents functions that will be called by the Windows API.
b
Is malware able to detect if it is running in a virtual machine? a) Malware will never detect when it is running in a virtual machine. b) Malware often detects when it is running in a virtual machine, and if a virtual machine is detected, the malware might stop running or behave differently. c) Malware always detects when it is running in a virtual machine. d) Malware are artificial intelligence; they can detect my thoughts though the camera in my laptop.
b
Is the following an example of a local or global variable? int x = 1; int y = 2; void main() { x = x+y; printf("Total = %d\n", x); } a) Neither b) Global variable. c) Local variable. d) Both.
b
To avoid problems, what do most people use to test malware on physical machines? a) No tools exist to perform malware analysis on a physical machine. b) Norton Ghost, a tool to manage backup images of their operating systems. c) Windows restore, a tool to recover from OS crashes. d) Any machine is perfectly suitable to perform malware tests.
b
What are "arrays"? a) Programmers use arrays to alter program execution based on certain conditions. b) Arrays are used by programmers to define an ordered set of similar data items. Malware sometimes uses an array of pointers to strings that contain multiple hostnames that are used as options for connections. c) Arrays are used by programmers to define customized structure. d) The arrays add two arguments and returns the result. The main function calls adder and prints the result using printf.
b
What are heuristics? a) Heuristics consists of specifically ignoring behavioral and pattern-matching analysis to identify suspect files. b) Heuristics consists of identifying behavioral and pattern-matching analysis to identify suspect files. c) Heuristics is used to differentiate between hues of colors. d) Heuristics is a branch of analyzing hysteresis diagrams.
b
What are some Sandbox drawbacks? a) It requires a data center equipped with firewalls and cisco switches to perform the minimal tasks b) If the malware executable requires command-line options, it will not execute any code that runs only when an option is provided. c) Only Mr. Bill Gates is allowed to run sandboxes d) It requires 3 Intel Xserve machines to handle the load.
b
What are the 3 modules that IDAPython provides access? a) Idapy, idacpp, and idajv. b) Idaapi, idc, and idautils. c) Idaascii, idaoctl, and idabinar. d) Idacm, idarb, and idauif.
b
What is Regshot? a) Regshot is an open source registry deletion tool that allows you to delete registry entries made by malware. b) Regshot is an open source registry comparison tool that allows you to take and compare two registry snapshots. c) Regshot is pay-to-use registry comparison tool that allows you to modify registry. d) Regshot is an open source registry tool that allows you to test malware into the school's website.
b
What is hardware level also known as? a) Firmware. b) Digital Logic. c) Bytecode. d) Opcode.
b
What is malware? a) Special type of software created by hackers to play games. b) Software that causes detriment to the user, computer, or network. c) Software that causes the hardware system to lay dormant for analysis. d) A software design approach to building software that utilizes entropy.
b
What is one of the biggest drawbacks of using virtual machine? a) They aren't real machines, they live in Google cloud and they can be hacked by black hat hackers. b) Once you revert to an old snapshot your work after that particular snapshot is lost. c) They only allow you to perform snapshots after you have ran dangerous malware. d) They only live in my ram at the moment I run the virtual machine.
b
What is the Unicode representation for "BAD"? a) 0042 0041 0044 0001 b) 4200 4100 4400 0000 c) 42 41 44 d) 42 41 44 00
b
What is the hex number in EAX converted from the binary 1010 1001 1101 1100 1000 0001 1111 0101? a) A9DC21F5 b) A9DC81F5 c) A9XC81F7 d) A9DC81F2
b
Can IDA Pro use IDC and Python scripting? a) Yes, only you created he script. b) No, they run on different platforms. c) Yes, without restrictions. d) Yes, only after the $3000 optional plugin is purchased.
c
How is the "if" statement used? a) The "if" statement is frequently used by malware authors to loop until a condition is met, such as receiving a packet or command. b) The "if" statement adds two arguments and returns the result. The main function calls adder and prints the result using printf. c) Programmers use if statements to alter program execution based on certain conditions. d) "If" statements are used by programmers to define an ordered set of similar data items.
c
How is the file system function "CreateFileMapping" used? a) This function is used to create and open files. b) This function is used for reading and writing to files. c) Malware writers commonly use file mappings because they allow a file to be loaded into memory and manipulated easily. d) Represents a function that will be called by the Windows API.
c
How is the file system function "MapViewOfFile" used? a) This function is used to create and open files. b) This function is used for reading and writing to files. c) This feature is extremely handy when parsing a file format, because you can easily jump to different memory addresses. d) Represents a function that will be called by the Windows API.
c
In what order should you perform malware Analysis techniques? a) Basic Static, Advanced Static, Basic Dynamic and Advanced Dynamic b) The order does not matter c) Basic Static, Basic Dynamic, Advanced Static and Advanced Dynamic d) Basic Static, Advanced Dynamic, Basic Dynamic and Advanced Static
c
Is it possible to modify disassembly in IDA PRO? a) Yes, only if you have the original code. b) Yes, only from school owner machines. c) Yes, without restrictions. d) Yes, only between 3pm and 9pm everyday.
c
Typically what is a good size for a virtual hard disk? a) 39.6GB b) 3TB c) 20GB d) 67.26GB
c
What are air-gapped networks? a) An unsafe environment that allows for investigating malware exposing your machine with expected risk. b) Ideal environments for many pieces of malware who depend on a live Internet connection for updates, command and control, and other features. c) Air-gapped networks are isolated networks with machines that are disconnected from the Internet or any other networks to prevent malware from spreading. d) Wireless fidelity and cellular networks are classified as air-gapped networks.
c
What are handles? a) Handles allow you to delete registry entries made by malware. b) Handles are used to alter program execution based on certain conditions. c) Handles are items that have been opened or created in the OS, such as a window, process, module, menu, file, and so on. d) Handles are used to define an ordered set of similar data items.
c
What are other Sandbox drawbacks concerning backdoors and recording events? a) Backdoors will always be launched on a sandbox because it always records all events. b) Recording all events and backdoors are the same thing. c) The backdoor will not be launched in the sandbox. The sandbox also may not record all events. d) Backdoors do not exist; sandboxes always record all events.
c
What does IDA PRO do when loading an executable? a) IDA Pro will try to recognize the file's owner and processor architecture. b) IDA Pro will try to ignore the file's format and time stamp. c) IDA Pro will try to recognize the file's format and processor architecture. d) IDA Pro will try to recognize the file's format and time stamp.
c
What is a Virustotal.com? a) VirusTotal generates a report of all the viruses that ever infected your machine. b) VirusTotal generates viruses to infect unsuspecting individuals to teach them to secure their belongings. c) VirusTotal generates a report that provides the total number of engines that marked the file as malicious, the malware name, and, if available, additional information about the malware. d) VirusTotal is a tool that can be installed on any machine to protect from malware.
c
What is rebasing? a) Rebasing is the process of performing some static and dynamic analysis in order to evaluate how dangerous is the malware and what resources it might affect. b) Rebasing is the process of converting hexadecimal to decimal. c) PE files are compiled to load at a preferred base address in memory, and if the Windows loader can't load it at its preferred address (because the address is already taken), the loader will perform an operation known as rebasing. d) Rebasing is the process of creating programs at the high-level language level and using a compiler to generate machine code.
c
What is the WinInet API? a) The WinINet API is the current Windows way to use libraries to share code among multiple applications. b) The WinINet API is used as containers to manage resources and keep separate programs from interfering with each other. c) The WinINet API implements protocols, such as HTTP and FTP, at the application layer. d) The WinINet API is the container for execution, but threads are what the Windows OS executes.
c
What is the procmon (Process Monitor)? a) A browser like Safari, windows explorer, and Firefox. b) A powerful disassembler. c) An advanced monitoring tool for Windows that provides a way to monitor certain registry, file system, network, process, and thread activity. d) A registry deletion tool that allows you to delete registry entries made by malware.
c
When should you take snapshot of your virtual machine? a) When there is an image I want to put on my lab report. b) Whenever I see something interesting and I feel like taking a selfie. c) When I complete the OS installation, when I have installed the required tools for the examination, and after I run the analysis. d) Every 5 minutes; no matter what I am doing on the machine.
c
Which type of analysis consists of examining the executable file without viewing the actual instructions? a) Advanced Dynamic Analysis b) Advanced Static Analysis c) Basic Static Analysis d) Basic Dynamic Analysis
c
Which type of analysis involves running the malware and observing its behavior on the system? a) Advanced Static Analysis b) Advanced Dynamic Analysis c) Basic Dynamic Analysis d) Basic Static Analysis
c
Can malware run on any environment? a) The sandbox environment OS will always be correct for the malware. b) Yes, malware can run on any environment. c) The sandbox environment OS will never be correct for the malware. d) The sandbox environment OS may not be correct for the malware. For example, the malware might crash on Windows XP but run correctly in Windows 7.
d
How do malware authors create programs? What happens to the program they write? How do malware analysts and reverse engineers reverse the process? a) Malware authors create programs at the low-level language level and use a compiler to generate machine code to be run by the CPU. Conversely, malware analysts and reverse engineers operate at the low-level language level. b) Malware authors create programs after getting infected with irreversible malware and use Trojans to generate machine code to be run by the RAM. Conversely, malware analysts and reverse engineers operate at the python language level. c) Malware authors create programs at the high-level language level and use a compiler to generate machine code to be run by the CPU. Conversely, malware analysts and reverse engineers operate at the high-level language level. d) Malware authors create programs at the high-level language level and use a compiler to generate machine code to be run by the CPU. Conversely, malware analysts and reverse engineers operate at the low-level language level.
d
How does static analysis differ from dynamic analysis? a) Dynamic analysis is the process that the analyst performs without moving and mechanical parts. b) Dynamic analysis describes the process of analyzing the code or structure of a program to determine its function. The program itself is not run at this time. c) Dynamic analysis describes the process of analyzing hardware purely made with solid-state devices. d) When performing dynamic analysis, the analyst actually runs the program.
d
If you are running multiple virtual machines and you need them to communicate, what sort of network connection should they have? a) No connection b) WPA2 c) NAT d) VMNet
d
Is Network Address Translation the same as Bridged Network Adapter? a) It depends on the operations system the virtualization tool is installed on. b) It depends on the virtualization tool you use c) No d) Yes
d
What are some components of the x86 architecture according to the Von Neumann Architecture? a) CPS, RAM, registers, ALF, Control Unit, and Input/Output devices. b) CLS, ROM, registers, ALU, Control Unit, and Import/Export devices. c) CFU, RTM, registers, ALU, Control Unit, and Import/Export devices. d) CPU, RAM, registers, ALU, Control Unit, and Input/Output devices.
d
What are some examples of interpreted languages? a) C++, C, ruby, and Java b) C++, C#, Python, and Java c) C++, Perl, .NET, and Java d) C#, Perl, .NET, and Java
d
What does machine code consist of? a) Bytecodes, binary digits that tell the processor what you want it to do. b) Digital logic, octal digits that tell the processor what you want it to do. c) Firmware, decimal digits that tell the processor what you want it to do. d) Opcodes, hexadecimal digits that tell the processor what you want it to do.
d
What does the arithmetic instruction: "add eax, ebx" do? a) Addresses EBX to EAX and stores the result in EAX. b) Adds EBX to EAX and stores the result in ECX. c) Adds EAX to EBX and stores the result in EBX. d) Adds EBX to EAX and stores the result in EAX.
d
What does the arithmetic operations "%" do? a) The "%" operation performs the modulo between the two variables, which is the remainder after performing a multiplication operation. b) The "%" operation performs the multiplication between the two variables. c) The "%" operation performs the division between the two variables. d) The "%" operation performs the modulo between the two variables, which is the remainder after performing a division operation.
d
What is Code construct? a) A code construct is a code low level that defines the details of its implementation. b) A code construct is a code high level that defines the details of its implementation. c) A code construct is a code instruction level that defines a functional property. d) A code construct is a code abstraction level that defines a functional property but not the details of its implementation.
d
What is Regedit? a) An open source registry comparison tool that allows you to take and compare two registry snapshots. b) An open source registry deletion tool that allows you to delete registry entries made by malware. c) A tool that monitors the processes running on a system. d) A built-in Windows tool used to view and edit the registry.
d
What is Windows API type "callback" mean? a) A 32-bit unsigned value. b) A reference to an object. c) A pointer to another type. d) Represents a function that will be called by the Windows API.
d
What is a dynamic virtual Disk? a) Dynamic virtual disks are partitions that are only setup on solid-state devices (SSDs). b) Dynamic virtual disks are partitions that are only setup on high-density drives (HDDs). c) Dynamic virtual disks are determined solely by the tasks to be executed. d) Dynamic virtual disks are used based on the need for storage.
d
What is a local variable? a) Local variables cannot be accessed by the function in which they are defined. b) Local variables can be accessed and used by any function in a program. c) Local variables can be accessed but not used by any function in a program. d) Local variables can be accessed only by the function in which they are defined.
d
What is static analysis? a) Static analysis describes the process of analyzing the code or structure of a program to determine its function. The program itself runs at this time. b) Static analysis describes the process of analyzing hardware with electro-static energy in mind. c) Static analysis is the process that the analyst performs without moving mechanical parts. d) Static analysis describes the process of analyzing the code or structure of a program to determine its function. The program itself is not run at this time.
d
What is the ASII representation for "BAD"? a) 4200 4100 4400 0000 b) 0042 0041 0044 0001 c) 42 41 44 d) 42 41 44 00
d
What is the purpose of "while loops"? a) Programmers use the while loops to alter program execution based on certain conditions. b) The while loops adds two arguments and returns the result. The main function calls adder and prints the result using printf. c) "while" loops are used by programmers to define an ordered set of similar data items. d) The while loop is frequently used by malware authors to loop until a condition is met, such as receiving a packet or command.
d
What kind of tasks does IDA PRO perform? a) IDA Pro performs tasks such as function discovery, stack analysis, global variable identification, etc. b) IDA Pro performs tasks such as function hiding, stack analysis, local variable identification, etc. c) IDA Pro performs tasks such as function discovery, stack mixing, local variable identification, etc. d) IDA Pro performs tasks such as function discovery, stack analysis, local variable identification, etc.
d
What two legacy tools were Procmon? a) Macintosh and Windows. b) Procure and Mondays. c) Linux and Ruby. d) FileMon and RegMon.
d