EEL4804 Final
What is the ASCII representation for "BAD"?
42 41 44 00
What is the procmon (Process Monitor)? -A browser like Safari, windows explorer, and Firefox. -An advanced monitoring tool for Windows that provides a way to monitor certain registry, file system, network, process, and thread activity. -A powerful disassembler. -A registry deletion tool that allows you to delete registry entries made by malware.
An advanced monitoring tool for Windows that provides a way to monitor certain registry, file system, network, process, and thread activity.
What is hardware level also known as? -Opcode. -Firmware. -Digital Logic. -Bytecode.
Digital Logic.
What is a local variable? -Local variables cannot be accessed by the function in which they are defined. -Local variables can be accessed and used by any function in a program. -Local variables can be accessed but not used by any function in a program. -Local variables can be accessed only by the function in which they are defined.
Local variables can be accessed only by the function in which they are defined.
What are other Sandbox drawbacks concerning backdoors and recording events? -The backdoor will not be launched in the sandbox. The sandbox also may not record all events. -Backdoors will always be launched on a sandbox because it always records all events. -Recording all events and backdoors are the same thing. -Backdoors do not exist; sandboxes always record all events.
The backdoor will not be launched in the sandbox. The sandbox also may not record all events.
What is the purpose of "while loops"? -Programmers use the while loops to alter program execution based on certain conditions. -The while loops adds two arguments and returns the result. The main function calls adder and prints the result using printf. -"while" loops are used by programmers to define an ordered set of similar data items. -The while loop is frequently used by malware authors to loop until a condition is met, such as receiving a packet or command.
The while loop is frequently used by malware authors to loop until a condition is met, such as receiving a packet or command.
How is the file system function "MapViewOfFile" used? -This function is used to create and open files. -This function is used for reading and writing to files. -This feature is extremely handy when parsing a file format, because you can easily jump to different memory addresses. -Represents a function that will be called by the Windows API.
This feature is extremely handy when parsing a file format, because you can easily jump to different memory addresses.
How is the file system function "CreateFile" used? -This function is used to create and open files. -This function is used for reading and writing to files. -The "CreateFile" function loads a file from disk into memory. -Represents a function that will be called by the Windows API.
This function is used to create and open files.
What is the goal of malware analysis?
To determine exactly what a particular suspect binary can do, how to detect it on your network, and how to contain its damage.
What is an example of Netcat as reverse shell? - nc -2-p 65031 - nc -l -p 80 -nc -l -p 80808 - nc -7 -p 443
nc -l -p 80
If you are running multiple virtual machines and you need them to communicate, what sort of network connection should they have? -WPA2 -No connection -NAT -VMNet
VMNet
Where are Virtual machines installed? -Virtual machines can only be installed on the "Cloud".*b) Virtual machines can be installed on any platform. -Virtual machines can only be installed on the servers. -Virtual machines can be installed on any platform. -Virtual machines can only be installed on Linux platforms.
Virtual machines can be installed on any platform.
What is the WinInet API? -The WinINet API is the current Windows way to use libraries to share code among multiple applications. -The WinINet API is used as containers to manage resources and keep separate programs from interfering with each other. -The WinINet API implements protocols, such as HTTP and FTP, at the application layer. -The WinINet API is the container for execution, but threads are what the Windows OS executes.
The WinINet API implements protocols, such as HTTP and FTP, at the application layer.
What is the Windows Registry? -The Windows registry is used to store OS and program configuration information, such as settings and options. -The Windows registry is used to store global variables. -The Windows registry is used to store file format and processor architecture. -The Windows registry is used to store functions for Windows API.
The Windows registry is used to store OS and program configuration information, such as settings and options.
What are packed programs? -those that were created for the sole purpose to hijack any device virtually. -not related to obfuscated programs. -easier to analyze than obfuscated programs. -a subset of obfuscated programs in which the malicious program is compressed and cannot be analyzed.
a subset of obfuscated programs in which the malicious program is compressed and cannot be analyzed.
What are some examples of interpreted languages? -C++, C#, Python, and Java C++, Perl, .NET, and Java C#, Perl, .NET, and Java C++, C, ruby, and Java
C#, Perl, .NET, and Java
Typically what is a good size for a virtual hard disk? -3TB -39.6GB -20GB -67.26GB
20GB
What is the unicode representation for BAD?
4200 4100 4400 0000
What is the hex number in AX converted from the binary 1010 0001 1111 0101? -A1M5 -81F5 -A1F5 -81Y5
81F5
What is Windows API type "word" mean? -A 16-bit unsigned value. -A 32-bit unsigned value. -A reference to an object. -A pointer to another type.
A 16-bit unsigned value.
What is Regedit? -An open source registry comparison tool that allows you to take and compare two registry snapshots. -An open source registry deletion tool that allows you to delete registry entries made by malware. -A tool that monitors the processes running on a system. -A built-in Windows tool used to view and edit the registry.
A built-in Windows tool used to view and edit the registry.
What is Code construct? -A code construct is a code low level that defines the details of its implementation. -A code construct is a code high level that defines the details of its implementation. -A code construct is a code instruction level that defines a functional property. -A code construct is a code abstraction level that defines a functional property but not the details of its implementation.
A code construct is a code abstraction level that defines a functional property but not the details of its implementation.
What is a file signature? -End users utilize file signatures to claim ownership for files they created -executive employers use file signatures to approve paperwork dealing with company official decisions -The government utilizes file signature to identify files created by every specific individual. -A file signature is also known as suspicious code.
A file signature is also known as suspicious code.
What is Reverse Shell? -A reverse shell is a technique that malware uses to modify registry information. -A reverse shell is a connection that originates from an infected machine and provides attackers shell access to that machine. -A reverse shell is a library developed by Microsoft Research in 1999. It was originally intended as a way to easily instrument and extend existing OS and application functionality. -A reverse shell is used to store OS and program configuration information, such as settings and options.
A reverse shell is a connection that originates from an infected machine and provides attackers shell access to that machine.
What is a sandbox? -A sandbox is a tool that monitors the processes running on a system. -A sandbox is a security mechanism for running untrusted programs in a safe environment without fear of harming "real" systems. -A sandbox is a registry comparison tool that allows you to take and compare two registry snapshots. -A sandbox is a an extremely powerful debugger.
A sandbox is a security mechanism for running untrusted programs in a safe environment without fear of harming "real" systems.
What is the hex number in EAX converted from the binary 1010 1001 1101 1100 1000 0001 1111 0101? -A9XC81F7 -A9DC21F5 -A9DC81F2 -A9DC81F5
A9DC81F5
What does the arithmetic instruction: "add eax, ebx" do? -Adds EBX to EAX and stores the result in ECX. -Adds EAX to EBX and stores the result in EBX. -Addresses EBX to EAX and stores the result in EAX. -Adds EBX to EAX and stores the result in EAX.
Adds EBX to EAX and stores the result in EAX.
Which type of analysis uses a debugger to examine the internal state of a running malicious executable? -Advanced Dynamic analysis -Basic static analysis -Advanced dynamic analysis -basic dynamic analysis
Advanced dynamic analysis
What are air-gapped networks? -An unsafe environment that allows for investigating malware exposing your machine with expected risk. -Air-gapped networks are isolated networks with machines that are disconnected from the Internet or any other networks to prevent malware from spreading. -Ideal environments for many pieces of malware who depend on a live Internet connection for updates, command and control, and other features. -Wireless fidelity and cellular networks are classified as air-gapped networks.
Air-gapped networks are isolated networks with machines that are disconnected from the Internet or any other networks to prevent malware from spreading.
What are some types of credential Stealers? -Programs that wait for a user to log in in order to steal their credentials -Programs that dump information stored in Windows, such as password hashes, to be used directly or cracked offline -Programs that log keystrokes -All of the above
All of the above
What is IDA PRO? -An extremely powerful assembler distributed by HexRays. -An extremely powerful disassembler distributed by HexRays. -An extremely powerful debugger distributed by HexRays. -An extremely powerful file system distributed by HexRays.
An extremely powerful disassembler distributed by HexRays.
What are "arrays"? -Programmers use arrays to alter program execution based on certain conditions. -Arrays are used by programmers to define an ordered set of similar data items. Malware sometimes uses an array of pointers to strings that contain multiple hostnames that are used as options for connections. -Arrays are used by programmers to define customized structure. -The arrays add two arguments and returns the result. The main function calls adder and prints the result using printf.
Arrays are used by programmers to define an ordered set of similar data items. Malware sometimes uses an array of pointers to strings that contain multiple hostnames that are used as options for connections.
How does the instruction: "mov ecx, 0x42" translate to in opcode? -B9 and 42 00 00 00 -T9 and 42 00 42 00 -F9 and 42 42 00 00 -R9 and 42 00 00 42
B9 and 42 00 00 00
What is Backdoor? -Backdoor is a type of malware that sets itself or another piece of malware for immediate or future covert execution. The goal is to set up things so that the malicious behavior is concealed from a user. -Backdoor simply downloads another piece of malware from the Internet and execute it on the local system. It is often packaged with an exploit. It commonly uses the Windows API URLDownloadtoFileA, followed by a call to WinExec to download and execute the new malware. -Backdoor is a type of malware that provides an attacker with remote access to a victim's machine. -Backdoor is used to manage a computer or computers. It is often used in targeted attacks with specific goals, such as stealing information to blackmail or moving laterally across a network.
Backdoor is a type of malware that provides an attacker with remote access to a victim's machine.
Which type of analysis involves running the malware and observing its behavior on the system? -Basic Static Analysis -Advanced dynamic analysis -advanced static analysis -basic dynamic analysis
Basic Dynamic Analysis
In what order should you perform malware analysis techniques? -Basic Static, Advanced Dynamic, Basic Dynamic, and Advanced Static -Basic Static, Advanced Static, Basic Dynamic, and Advanced Dynamic. -Basic Static, Basic Dynamic, Advanced Static, and Advanced Dynamic -The order does not matter
Basic Static, Advanced Static, Basic Dynamic, and Advanced Dynamic.
What are some components of the x86 architecture according to the Von Neumann Architecture? -CFU, RTM, registers, ALU, Control Unit, and Import/Export devices. -CLS, ROM, registers, ALU, Control Unit, and Import/Export devices. -CPU, RAM, registers, ALU, Control Unit, and Input/Output devices. -CPS, RAM, registers, ALF, Control Unit, and Input/Output devices.
CPU, RAM, registers, ALU, Control Unit, and Input/Output devices.
What are heuristics? -Consists of specifically ignoring behavioral and pattern-matching analysis to identify suspect files. -Consists of identifying the behavioral and pattern-matching analysis to identify suspect files. -a branch of analyzing hysteresis diagrams. -used to differentiate between hues of colors.
Consists of identifying the behavioral and pattern-matching analysis to identify suspect files.
Is the following an example of a local or global variable? int x = 1; int y = 2; void main() { x = x+y; printf("Total = %d\n", x); } Neither Global variable. Local variable. Both.
Global variable.
What is DLL injection? -DLL injection is a form of process injection where a remote process is forced to load a malicious DLL; it is the most commonly used covert loading technique. -DLL injection involves allocating and inserting code into the memory space of a remote process. It uses many of the same Windows API calls as Direct injection. -DLL injection describes a way to load malware that takes advantage of Windows hooks, which are used to intercept messages destined for applications. -DLL injection is used when a malware author wants to disguise malware as a legitimate process, without the risk of crashing a process through the use of process injection.
DLL injection is a form of process injection where a remote process is forced to load a malicious DLL; it is the most commonly used covert loading technique.
62h is an operand in an instruction; its value in ASCII is "b", what is its representation in Octal, binary and decimal? -Decimal: 98 Octal: 192 Binary: 1100010 -Decimal: 98 Octal: 142 Binary: 1100210 -Decimal: 98 Octal: 142 Binary: 1100010 -Decimal: 9e Octal: 142 Binary: 1100010
Decimal: 98 Octal: 142 Binary: 1100010
What is a global variable? -Global variables can be accessed and used by any function in a program. -Global variables cannot be accessed and used by any function in a program. -Global variables can be accessed but not used by any function in a program. -Global variables can be accessed only by the function in which they are defined.
Global variables can be accessed and used by any function in a program.
What is static analysis?
Describes the process of analyzing the code or structure of a program to determine its function. The program itself is not run at this time.
What is Detours? -Detours is a technique that malware uses to steal user credentials on Windows XP. -Detours is a technique that malware uses to modify registry information. -Detours is a library developed by Microsoft Research in 1999. It was originally intended as a way to easily instrument and extend existing OS and application functionality. The Detours library makes it possible for a developer to make application modifications simply. -Detours is an x86 debugger; which provides the ability to analyze malware while it is running.
Detours is a library developed by Microsoft Research in 1999. It was originally intended as a way to easily instrument and extend existing OS and application functionality. The Detours library makes it possible for a developer to make application modifications simply.
What is Direct Injection? -Direct injection describes a way to load malware that takes advantage of Windows hooks, which are used to intercept messages destined for applications. -Direct injection involves allocating and inserting code into the memory space of a remote process. It uses many of the same Windows API calls as DLL injection. -Direct injection is a form of process injection where a remote process is forced to load a malicious DLL; it is the most commonly used covert loading technique. -Direct injection is used when a malware author wants to disguise malware as a legitimate process, without the risk of crashing a process through the use of process injection.
Direct injection involves allocating and inserting code into the memory space of a remote process. It uses many of the same Windows API calls as DLL injection.
What is Downloader? -Downloader is a type of malware that sets itself or another piece of malware for immediate or future covert execution. The goal is to set up things so that the malicious behavior is concealed from a user. -Downloader simply downloads another piece of malware from the Internet and execute it on the local system. It is often packaged with an exploit. It commonly uses the Windows API URLDownloadtoFileA, followed by a call to WinExec to download and execute the new malware. -Downloader is a type of malware that provides an attacker with remote access to a victim's machine. -Downloader is used to manage a computer or computers. It is often used in targeted attacks with specific goals, such as stealing information to blackmail or moving laterally across a network.
Downloader simply downloads another piece of malware from the Internet and execute it on the local system. It is often packaged with an exploit. It commonly uses the Windows API
What is a dynamic virtual Disk? -Dynamic virtual disks are used based on the need for storage. -Dynamic virtual disks are partitions that are only setup on solid-state devices (SSDs). -Dynamic virtual disks are partitions that are only setup on high-density drives (HDDs). -Dynamic virtual disks are determined solely by the tasks to be executed.
Dynamic virtual disks are used based on the need for storage.
What two legacy tools were Procmon? -Linux and Ruby. -FileMon and RegMon. -Macintosh and Windows. -Procure and Mondays.
FileMon and RegMon.
What is microcode also known as? -Opcode. -Firmware. -Bytecode. -Digital Logic.
Firmware.
What are some useful windows for analysis on IDA PRO? -Function window, Names window, Imports window, and Domestics windows. -Function window, Names window, Imports window, and Exports windows. -Windows server, Names window, Imports window, and Exports windows. -Function window, Surnames window, Imports window, and Exports windows.
Function window, Names window, Imports window, and Exports windows.
What are handles? -Handles allow you to delete registry entries made by malware. -Handles are used to alter program execution based on certain conditions. -Handles are items that have been opened or created in the OS, such as a window, process, module, menu, file, and so on. -Handles are used to define an ordered set of similar data items.
Handles are items that have been opened or created in the OS, such as a window, process, module, menu, file, and so on.
What are some commercially available plugins? -Hex-Rays decompiler, and zynamics BinDiff. -Hawaii, and guam. -Ubuntu, and kali. -Maverick, and lion.
Hex-Rays decompiler, and zynamics BinDiff.
What is Hook Injection? -Hook injection involves allocating and inserting code into the memory space of a remote process. It uses many of the same Windows API calls as DLL injection. -Hook injection describes a way to load malware that takes advantage of Windows hooks, which are used to intercept messages destined for applications. -Hook injection is a form of process injection where a remote process is forced to load a malicious DLL; it is the most commonly used covert loading technique. -Hook injection is used when a malware author wants to disguise malware as a legitimate process, without the risk of crashing a process through the use of process injection.
Hook injection describes a way to load malware that takes advantage of Windows hooks, which are used to intercept messages destined for applications.
How are Hooks and keyloggers used? -Hook injection is frequently used in malicious applications known as keyloggers. It forces a remote process to load a malicious DLL, which dump information stored in Windows. -Hook injection is frequently used in malicious applications known as keyloggers. It involves allocating and inserting code into the memory space of a remote process. -Hook injection is frequently used in malicious applications known as keyloggers. It forces a remote process to load a malicious DLL, which include high- or low-level hooks to capture keystrokes. -Hook injection is frequently used in malicious applications known as keylogger. Keystrokes can be captured by registering high- or low-level hooks.
Hook injection is frequently used in malicious applications known as keylogger. Keystrokes can be captured by registering high- or low-level hooks.
Which of these are performed to develop and detect malware infections on your network? -Host and Network signatures -Temporal and spatial signatures -System and engine signatures -Firmware and BIOS
Host and Network signatures.
How are different types of malware classified? -How they are programmed and function -How fast they move and infect -How they infect and propagate -Where they originate and move
How they infect and propagate
What kind of tasks does IDA PRO perform? -IDA Pro performs tasks such as function discovery, stack analysis, global variable identification, etc. -IDA Pro performs tasks such as function hiding, stack analysis, local variable identification, etc. -IDA Pro performs tasks such as function discovery, stack mixing, local variable identification, etc. -IDA Pro performs tasks such as function discovery, stack analysis, local variable identification, etc.
IDA Pro performs tasks such as function discovery, stack analysis, local variable identification, etc.
What does IDA PRO do when loading an executable? -IDA Pro will try to recognize the file's owner and processor architecture. -IDA Pro will try to recognize the file's format and processor architecture. -IDA Pro will try to recognize the file's format and time stamp. -IDA Pro will try to ignore the file's format and time stamp.
IDA Pro will try to recognize the file's format and processor architecture.
What are the 3 modules that IDAPython provides access? -Idacm, idarb, and idauif. -Idaapi, idc, and idautils. -Idaascii, idaoctl, and idabinar. -Idapy, idacpp, and idajv.
Idaapi, idc, and idautils.
What are some Sandbox drawbacks? -It requires a data center equipped with firewalls and cisco switches to perform the minimal tasks -It requires 3 Intel Xserve machines to handle the load. -Only Mr. Bill Gates is allowed to run sandboxes -If the malware executable requires command-line options, it will not execute any code that runs only when an option is provided.
If the malware executable requires command-line options, it will not execute any code that runs only when an option is provided.
What is APC injection from kernel space? -Malware authors perform APC injection from kernel space to get their code execution in kernel. -Malware authors perform APC injection from kernel space to get their code execution in background space. -Malware authors perform APC injection from user space to get their code execution in kernel. -Malware authors perform APC injection from kernel space to get their code execution in user space.
Malware authors perform APC injection from kernel space to get their code execution in user space.
Is Network Address Translation the same as Bridged Network Adapter? -It depends on the operations system the virtualization tool is installed on. -Yes -No -It depends on the virtualization tool you use
It depends on the virtualization tool you use
What is Launcher? -Launcher (also known as a loader) is used to manage a computer or computers. It is often used in targeted attacks with specific goals, such as stealing information to blackmail or moving laterally across a network. -Launcher (also known as a loader) is a type of malware that sets itself or another piece of malware for immediate or future covert execution. The goal is to set up things so that the malicious behavior is concealed from a user. -Launcher (also known as a loader) is a type of malware that provides an attacker with remote access to a victim's machine. -Launcher (also known as a loader) simply downloads another piece of malware from the Internet and execute it on the local system. It is often packaged with an exploit. It commonly uses the Windows API URLDownloadtoFileA, followed by a call to WinExec to download and execute the new malware.
Launcher (also known as a loader) is a type of malware that sets itself or another piece of malware for immediate or future covert execution. The goal is to set up things so that the malicious behavior is concealed from a user.
How do malware authors create programs? What happens to the program they write? How do malware analysts and reverse engineers reverse the process? -Malware authors create programs at the high-level language level and use a compiler to generate machine code to be run by the CPU. Conversely, malware analysts and reverse engineers operate at the low-level language level. -Malware authors create programs at the low-level language level and use a compiler to generate machine code to be run by the CPU. Conversely, malware analysts and reverse engineers operate at the low-level language level. -Malware authors create programs after getting infected with irreversible malware and use Trojans to generate machine code to be run by the RAM. Conversely, malware analysts and reverse engineers operate at the python language level. -Malware authors create programs at the high-level language level and use a compiler to generate machine code to be run by the CPU. Conversely, malware analysts and reverse engineers operate at the high-level language level.
Malware authors create programs at the high-level language level and use a compiler to generate machine code to be run by the CPU. Conversely, malware analysts and reverse engineers operate at the low-level language level.
Is malware able to detect if it is running in a virtual machine? -Malware are artificial intelligence; they can detect my thoughts though the camera in my laptop. -Malware often detects when it is running in a virtual machine, and if a virtual machine is detected, the malware might stop running or behave differently. -Malware will never detect when it is running in a virtual machine. -Malware always detects when it is running in a virtual machine.
Malware often detects when it is running in a virtual machine, and if a virtual machine is detected, the malware might stop running or behave differently.
How is the file system function "CreateFileMapping" used? -This function is used to create and open files. -This function is used for reading and writing to files. -Malware writers commonly use file mappings because they allow a file to be loaded into memory and manipulated easily. -Represents a function that will be called by the Windows API.
Malware writers commonly use file mappings because they allow a file to be loaded into memory and manipulated easily.
What is GINA? -Microsoft's Graphical Identification and Authentication (GINA) interception is a technique that malware uses to steal user credentials on Windows XP. -Microsoft's Graphical Identification and Authentication (GINA) interception is a library developed by Microsoft Research in 1999. It was originally intended as a way to easily instrument and extend existing OS and application functionality. -Graphical Identification and Authentication (GINA) interception is a technique that malware uses to modify registry information. -Graphical Identification and Authentication (GINA) interception is an x86 debugger; which provides the ability to analyze malware while it is running.
Microsoft's Graphical Identification and Authentication (GINA) interception is a technique that malware uses to steal user credentials on Windows XP.
What are some free-to-use sandboxes? -KALI, UBUNTU, RUBY, PYTHON, KMDO, and ORP. -No free-to-use sandboxes exist; however, they are very cheap to purchase. -Norman SandBox, GFI Sandbox, Anubis, Joe Sandbox, ThreatExpert, BitBlaze, and -Comodo Instant Malware Analysis. -Penn-station, YLNO, EROC, elPrup, and GNUSMAS.
Norman SandBox, GFI Sandbox, Anubis, Joe Sandbox, ThreatExpert, BitBlaze, and -Comodo Instant Malware Analysis.
To avoid problems, what do most people use to test malware on physical machines? -No tools exist to perform malware analysis on a physical machine. -Norton Ghost, a tool to manage backup images of their operating systems. -Windows restore, a tool to recover from OS crashes. -Any machine is perfectly suitable to perform malware tests.
Norton Ghost, a tool to manage backup images of their operating systems.
What is one of the biggest drawbacks of using virtual machine? -They aren't real machines, they live in Google cloud and they can be hacked by black hat hackers. -They only live in my ram at the moment I run the virtual machine. -They only allow you to perform snapshots after you have ran dangerous malware. -Once you revert to an old snapshot your work after that particular snapshot is lost.
Once you revert to an old snapshot your work after that particular snapshot is lost.
What does machine code consist of? -Firmware, decimal digits that tell the processor what you want it to do. -Digital logic, octal digits that tell the processor what you want it to do. -Opcodes, hexadecimal digits that tell the processor what you want it to do. -Bytecodes, binary digits that tell the processor what you want it to do.
Opcodes, hexadecimal digits that tell the processor what you want it to do.
What protocol do most Backdoors utilize? Group of answer choices Over port 80 using the HTTP protocol. Over port 8080 using the HTTPS protocol. Over port 443 using the FTP protocol. Over port 65535 using the NTP protocol.
Over port 80 using the HTTP protocol.
What is rebasing? -PE files are compiled to load at a preferred base address in memory, and if the Windows loader can't load it at its preferred address (because the address is already taken), the loader will perform an operation known as rebasing. -Rebasing is the process of creating programs at the high-level language level and using a compiler to generate machine code. -Rebasing is the process of converting hexadecimal to decimal. -Rebasing is the process of performing some static and dynamic analysis in order to evaluate how dangerous is the malware and what resources it might affect.
PE files are compiled to load at a preferred base address in memory, and if the Windows loader can't load it at its preferred address (because the address is already taken), the loader will perform an operation known as rebasing.
What should you do before bringing a machines network into the Internet? -Ask the professor, so he can evaluate how dangerous the malware is. -It doesn't matter; the malware already is able to reach the Internet on its own. -Perform some static and dynamic analysis in order to evaluate how dangerous the malware is and what resources it might affect. -Ask other students if their machines were infected.
Perform some static and dynamic analysis in order to evaluate how dangerous the malware is and what resources it might affect.
What is Process Explorer? -Process Explorer shows all the processes not running on a system. -Process explorer is another browser like Safari, windows explorer, and Firefox. -Process Explorer monitors the processes running on a system and shows them in a tree structure that displays child and parent relationships. -Process Explorer is a tool that replaced Procmon, there is no use for procmon.
Process Explorer monitors the processes running on a system and shows them in a tree structure that displays child and parent relationships.
What is Process replacement? -Process replacement involves allocating and inserting code into the memory space of a remote process. It uses many of the same Windows API calls as DLL injection. -Process replacement describes a way to load malware that takes advantage of Windows hooks, which are used to intercept messages destined for applications. -Process replacement is a form of process injection where a remote process is forced to load a malicious DLL; it is the most commonly used covert loading technique. -Process replacement is used when a malware author wants to disguise malware as a legitimate process, without the risk of crashing a process through the use of process injection.
Process replacement is used when a malware author wants to disguise malware as a legitimate process, without the risk of crashing a process through the use of process injection.
How is the "if" statement used? -The "if" statement is frequently used by malware authors to loop until a condition is met, such as receiving a packet or command. -The "if" statement adds two arguments and returns the result. The main function calls adder and prints the result using printf. -Programmers use if statements to alter program execution based on certain conditions. -"If" statements are used by programmers to define an ordered set of similar data items.
Programmers use if statements to alter program execution based on certain conditions.
What is Regshot? -Regshot is an open source registry tool that allows you to test malware into the school's website. -Regshot is pay-to-use registry comparison tool that allows you to modify registry. -Regshot is an open source registry comparison tool that allows you to take and compare two registry snapshots. -Regshot is an open source registry deletion tool that allows you to delete registry entries made by malware.
Regshot is an open source registry comparison tool that allows you to take and compare two registry snapshots.
What is RAT? -Remote administration tool (RAT) is a type of malware that provides an attacker with remote access to a victim's machine. -Remote administration tool (RAT) is a type of malware that sets itself or another piece of malware for immediate or future covert execution. The goal is to set up things so that the malicious behavior is concealed from a user. -Remote administration tool (RAT) simply downloads another piece of malware from the Internet and execute it on the local system. It is often packaged with an exploit. It commonly uses the Windows API URLDownloadtoFileA, followed by a call to WinExec to download and execute the new malware. -Remote administration tool (RAT) is used to remotely manage a computer or computers. It is often used in targeted attacks with specific goals, such as stealing information or moving laterally across a network.
Remote administration tool (RAT) is used to remotely manage a computer or computers. It is often used in targeted attacks with specific goals, such as stealing information or moving laterally across a network.
What is Windows API type "callback" mean? -A 32-bit unsigned value. -A reference to an object. -A pointer to another type. -Represents a function that will be called by the Windows API.
Represents a function that will be called by the Windows API.
What is malware? -A software design approach to building software that utilizes entropy. -Special type of software created by hackers to play games -Software that causes detriment to the user, computer, or network. -Software that causes the hardware system to lay dormant for analysis.
Software that causes detriment to the user, computer, or network.
What does the arithmetic operations "%" do? -The "%" operation performs the modulo between the two variables, which is the remainder after performing a multiplication operation. -The "%" operation performs the multiplication between the two variables. -The "%" operation performs the division between the two variables. -The "%" operation performs the modulo between the two variables, which is the remainder after performing a division operation.
The "%" operation performs the modulo between the two variables, which is the remainder after performing a division operation.
What is the purpose of the "adder" function? -The function adder adds two arguments and returns the result. The main function calls adder and prints the result using printf. -Programmers use the adder function to alter program execution based on certain conditions. -The adder function is frequently used by malware authors to add until a condition is met, such as receiving a packet or command. -The adder is used by programmers to define an ordered set of similar data items
The function adder adds two arguments and returns the result. The main function calls adder and prints the result using printf.
Can malware run on any environment? -The sandbox environment OS will never be correct for the malware. -The sandbox environment OS will always be correct for the malware. -Yes, malware can run on any environment. -The sandbox environment OS may not be correct for the malware. For example, the malware might crash on Windows XP but run correctly in Windows 7.
The sandbox environment OS may not be correct for the malware. For example, the malware might crash on Windows XP but run correctly in Windows 7.
How is the file system function "ReadFile and WriteFile" used? -These function are used to create and open files. -These functions are used for reading and writing to files. -The "ReadFile and WriteFile" functions load a file from disk into memory. -Represents functions that will be called by the Windows API.
These functions are used for reading and writing to files.
What does the arithmetic operations "--, ++" do? -They are used to decrement by 1 and increment by 1, respectively. -They are used to increment by 1 and decrement by 1, respectively. -They are used to perform subtraction and addition between two variables, respectively. -They are used to perform addition and subtraction between two variables, respectively.
They are used to decrement by 1 and increment by 1, respectively.
What is APC? -Asynchronous procedure call (APC) is a library of Windows APIs. -Thread creation requires overhead, so it would be more efficient to invoke a function on an existing thread. This capability exists in Windows as the asynchronous procedure call (APC). -Asynchronous procedure call (APC) is a technique that malware uses to modify registry information. -Asynchronous procedure call (APC) is a function call to create a new thread.
Thread creation requires overhead, so it would be more efficient to invoke a function on an existing thread. This capability exists in Windows as the asynchronous procedure call (APC).
When should you take snapshot of your virtual machine? -Whenever I see something interesting and I feel like taking a selfie. -When there is an image I want to put on my lab report. -When I complete the OS installation, when I have installed the required tools for the examination, and after I run the analysis. -Every 5 minutes; no matter what I am doing on the machine.
When I complete the OS installation, when I have installed the required tools for the examination, and after I run the analysis.
How does static analysis differ from dynamic analysis? -dynamic analysis describes the process of analyzing hardware purely made with solid-state devices. -dynamic analysis is the process that the analyst performs without moving and mechanical parts. -When performing dynamic analysis, the analyst actually runs the program.
When performing dynamic analysis, the analyst actually runs the program.
How are dwThreadId used? -When targeting a specific dwThreadId, malware generally includes instructions for determining which system thread identifier to use, or it is designed to load into all threads. -When targeting a specific dwThreadId, malware generally includes instructions for determining which system thread identifier to use, or it is designed to load into specific threads.
When targeting a specific dwThreadId, malware generally includes instructions for determining which system thread identifier to use, or it is designed to load into all threads.
What is hashing? -a common method used to uniquely identify a file signature -what remains after a virus attack -a common method used to uniquely identify malware. The malicious software is run through a hashing program that produces a unique hash that identifies that malware. -a numerical representation that only that particular file will generate.
a common method used to uniquely identify malware. The malicious software is run through a hashing program that produces a unique hash that identifies that malware.
Can IDA Pro use IDC and Python scripting? -Yes, only you created he script. -Yes, only after the $3000 optional plugin is purchased. -No, they run on different platforms. -Yes, without restrictions.
Yes, without restrictions.
Is it possible to modify disassembly in IDA PRO? -Yes, only between 3pm and 9pm everyday. -Yes, only from school owner machines. -Yes, without restrictions. -Yes, only if you have the original code.
Yes, without restrictions.
Which type of analysis reverse-engineers the malware's internals by loading the executable into a disassembler and looks at the program instructions in order to discover what the program does? -basic static analysis -advanced static analysis -advanced dynamic analysis -basic dynamic analysis
advanced static analysis
What two simple malware coding implementations for reverse shells on Windows using cmd.exe do attackers employ? -basic and multithreaded -simplified and multithreaded -basic and singlethreaded -advanced and multithreaded
basic and multithreaded
Which type of analysis consists of examining the executable file without viewing the actual instructions? -Advanced Dynamic Analysis -Basic dynamic analysis -advanced static analysis -basic static analysis
basic static analysis
What is virustotal.com? -generates a report of all the viruses that ever infected your machine -a tool that can be installed on any machine to protect from malware -generates viruses to infect unsuspecting individuals to teach them to secure their belongings -generates a report that provides the total number of engines that marked the file as malicious, the malware name, and, if available, additional information about the malware.
generates a report that provides the total number of engines that marked the file as malicious, the malware name, and, if available, additional information about the malware.
A worm that has repertoire of behavior patterns that are unleashed at different stages of propagation is called _________. -Semantic worms -metamorphic worms -intelligent worms -heuristic worms
metamorphic worms
What are obfuscated programs? -obscure and illegal programs that were downloaded from torrent website -those programs identified by antivirus programs as malicious -ones whose execution the malware author has attempted to hide.
ones whose execution the malware author has attempted to hide.
