Malware (malware analysis multiple-choice questions)

Uploaded by Vedant Pimpare

**** Introduction to malware analysis: introduction to malware, types of malware, malware analysis, types of malware analysis

What is malware?
a. Software designed to protect computers
*b. Software designed to harm or exploit computers
c. Software designed for data backup
d. Software designed for network optimization

Which of the following is NOT a type of malware?
a. Virus
*b. Firewall
c. Worm
d. Trojan

What is the main purpose of malware analysis?
a. To create new malware
*b. To understand and mitigate the impact of malware
c. To sell malware in the dark web
d. To improve computer performance

Which of the following types of malware spreads by mailing copies of itself as infected email attachments?
a. Trojan
*b. Worm
c. Adware
d. Spyware

What is a characteristic of a virus?
*a. Requires a host program to execute
b. Spreads through email attachments
c. Encrypts files for ransom
d. Displays unwanted advertisements

Which type of malware disguises itself as a legitimate program to deceive users?
a. Worm
*b. Trojan
c. Spyware
d. Ransomware

What is the purpose of static malware analysis?
a. To analyze the behavior of malware in a controlled environment
*b. To examine the code and structure of malware without executing it
c. To track the spread of malware in real-time
d. To simulate malware attacks on a network

Dynamic malware analysis involves:
a. Analyzing malware code without executing it
*b. Running malware in a controlled environment and observing its behavior
c. Monitoring malware on infected systems in real-time
d. Scanning files for known malware signatures

What is a honeypot in the context of malware analysis?
a. A sweet treat for malware authors
*b. A deliberately exposed decoy system set up to detect, deflect, or study attempts at unauthorized use
c. A type of malware that mimics honeybee behavior
d. A secure storage facility for malware samples

Which type of malware is specifically designed to spread rapidly across a network?
a. Adware
*b. Worm
c. Rootkit
d. Keylogger

What is the purpose of sandboxing in malware analysis?
*a. To analyze malware behavior in an isolated environment
b. To create a secure backup of infected systems
c. To hide malware from detection
d. To encrypt sensitive data on the system

Which type of malware is known for delivering unwanted advertisements to users?
a. Spyware
*b. Adware
c. Ransomware
d. Rootkit

What is polymorphic malware?
*a. Malware that changes its own code on each infection (typically by re-encrypting its body with a new decryptor) so that fixed signatures no longer match
b. Malware designed for social engineering attacks
c. Malware that targets specific industries
d. Malware that spreads through physical media

1. Which of the following is NOT a common characteristic of malware?

a) Self-replication
b) Data encryption
c) System resource consumption
*d) User awareness

2. What does the term "malware" stand for?

a) Malicious Hardware
*b) Malicious Software
c) Malicious Activity
d) Malicious Web Access

3. Which type of malware is designed to appear legitimate but perform malicious actions?

a) Virus
b) Worm
*c) Trojan Horse
d) Spyware

4. What is the primary focus of static malware analysis?

a) Observing the behavior of the malware
*b) Examining the code and structure of the malware
c) Analyzing the network traffic generated by the malware
d) Studying the social engineering tactics used by the malware

5. Which type of malware can spread independently without user interaction?

a) Virus
*b) Worm
c) Trojan Horse
d) Ransomware

6. What is the process of identifying and understanding the purpose and capabilities of malware called?

a) Malware detection
*b) Malware analysis
c) Malware remediation
d) Malware prevention

7. What is dynamic malware analysis used for?

*a) To study the behavior of malware in a controlled environment
b) To identify specific signatures of the malware
c) To disinfect infected systems
d) To educate users about cyber security threats

8. Which of the following is a detection product rather than a tool for analyzing malware?

a) Disassembler
b) Sandboxing environment
*c) Antivirus software
d) Network traffic analyzer

9. What is the main purpose of using a sandbox for malware analysis?

*a) To isolate the malware from the analyst's system
b) To learn about the social engineering tactics used by the malware
c) To identify the vulnerabilities exploited by the malware
d) To reverse engineer the code of the malware

10. What are the different stages of the malware analysis process typically divided into?

*a) Collection, Analysis, Reporting, Remediation
b) Detection, Containment, Eradication, Recovery
c) Identification, Exploitation, Mitigation, Prevention
d) Planning, Scanning, Analysis, Response

11. What is the difference between static and dynamic malware analysis?

*a) Static analysis analyzes the code, while dynamic analysis analyzes the behavior.
b) Static analysis is faster, while dynamic analysis is more accurate.
c) Static analysis requires a sandbox, while dynamic analysis does not.
d) Static analysis is used for initial screening, while dynamic analysis is used for in-depth investigation.

12. What are the ethical considerations involved in malware analysis?

a) Avoiding illegal activities, protecting user privacy, and respecting intellectual property.
b) Ensuring network security, maintaining confidentiality, and reporting vulnerabilities responsibly.
c) Using proper disposal methods for infected systems, following best practices for data protection, and collaborating with security professionals.
*d) All of the above.

13. What are the benefits of learning about malware analysis?

a) To understand how to protect yourself from cyber threats.
b) To develop skills for identifying and mitigating malware attacks.
c) To contribute to the development of new security solutions.
*d) All of the above.

14. Which of the following statements is FALSE about malware analysis?

a) It is a complex and risky process that requires specialized skills.
*b) It is only necessary for security researchers and professionals.
c) It can help improve overall computer security posture.
d) It involves understanding various types of malware and their behavior.

15. What are some of the challenges associated with malware analysis?

a) Difficulty in keeping up with the evolving nature of malware threats.
b) Dealing with obfuscated and packed malware.
c) Balancing the need for thorough analysis with the risk of system infection.
*d) All of the above.

*** Static Analysis: determining file type, fingerprinting malware, multiple anti-virus scanning, extracting strings, determining file obfuscation, inspecting PE header information, comparing and classifying malware

Which of the following techniques is NOT typically used in static analysis for
malware detection:
a) Determining file type based on magic bytes
b) Extracting embedded strings from the file
*c) Executing the file in a sandbox environment
d) Comparing file characteristics with known malware signatures

Which of the following file formats is most commonly associated with malware:
a) JPEG image
b) PDF document
c) ZIP archive
*d) EXE executable

What is the purpose of fingerprinting malware during static analysis?
a) To identify the specific vendor of the malware
*b) To create a unique identifier for the sample (a cryptographic hash such as SHA-256) that can be searched for in threat intelligence sources and sample repositories
c) To determine the intended target platform of the malware
d) To automatically remove the malware from the infected system

What is the main advantage of using multiple anti-virus scanners during static
analysis?
a) It reduces the processing time required for analysis.
*b) It increases the accuracy of malware detection.
c) It allows for the identification of specific malware variants.
d) It simplifies the process of analyzing complex malware samples.

How does determining whether a file is obfuscated (packed or encrypted) help in static analysis?
*a) It tells the analyst that the file must be unpacked or decoded before its real code and strings can be examined.
b) It by itself reveals the original functionality of the malware.
c) It removes the need to extract embedded strings.
d) It allows the file to be executed safely without a sandbox.

What information can be obtained by inspecting the PE header of a Windows executable file?
a) The file's size on disk and its creation date
*b) The list of imported libraries and functions
c) The encryption algorithm used by the malware
d) The private key used to sign the malware

What is the primary goal of comparing and classifying malware during static
analysis?
a) To identify potential vulnerabilities in the target system
b) To develop a signature for future detection by anti-virus software
*c) To understand the capabilities and behavior of the malware sample
d) To automatically remediate the system infected with the malware

Which of the following tools is NOT commonly used for static analysis of malware:
a) IDA Pro
b) VirusTotal
*c) Cuckoo Sandbox
d) ClamAV

What are the limitations of relying solely on static analysis for malware
detection?
a) It cannot detect zero-day attacks.
b) It requires significant expertise to interpret the results.
c) It can be bypassed by advanced malware packing techniques.
*d) All of the above

How can static analysis be combined with other security measures for a more
comprehensive defense against malware?
a) By implementing network segmentation to isolate infected systems.
b) By regularly updating software and applying security patches.
c) By deploying intrusion detection and prevention systems.
*d) All of the above
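The static-triage steps listed in this section (file type from magic bytes, hashing for fingerprinting, ASCII and UTF-16 string extraction, PE header and section-table inspection, and an entropy check for packing) carried out in one script. This is an added example, not code from the original page; it uses only the Python standard library, and the PE image it parses is constructed by build_sample_pe() rather than taken from any real sample (the section layout, the strings and the host example.invalid are all made up for the demonstration).

```python
import hashlib
import math
import re
import struct

# Leading-byte signatures; the extension is attacker-controlled, the bytes are not.
MAGIC = [
    (b"\x7fELF", "ELF executable"),
    (b"%PDF", "PDF document"),
    (b"PK\x03\x04", "ZIP archive (also DOCX/XLSX/JAR/APK)"),
    (b"\xd0\xcf\x11\xe0", "OLE2 compound file (legacy Office)"),
]


def identify_file_type(data):
    """Classify by magic bytes; a PE needs 'MZ' and a 'PE\\0\\0' signature at e_lfanew."""
    if data[:2] == b"MZ" and len(data) >= 0x40:
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
            return "PE executable"
        return "MZ header without PE signature (DOS stub or damaged PE)"
    for magic, name in MAGIC:
        if data.startswith(magic):
            return name
    return "unknown"


def fingerprint(data):
    """Hashes used to look the sample up in VirusTotal or an internal sample repository."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}


def extract_strings(data, min_len=5):
    """ASCII and UTF-16LE runs, what `strings -a` and `strings -el` would print."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in ascii_re.finditer(data)]
    found += [m.group().decode("utf-16-le") for m in wide_re.finditer(data)]
    return found


def shannon_entropy(data):
    """Bits per byte: 0.0 for constant data, 8.0 for uniformly random data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(data):
    """Read the COFF header, optional-header magic and section table with struct alone."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    coff = e_lfanew + 4
    machine, nsections, timestamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]              # 0x10B = PE32, 0x20B = PE32+
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]     # AddressOfEntryPoint
    sections = []
    for i in range(nsections):
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        raw = data[rawptr:rawptr + rawsize]
        sections.append({"name": name.rstrip(b"\x00").decode("ascii", "replace"),
                         "virtual_address": vaddr, "virtual_size": vsize,
                         "raw_size": rawsize, "entropy": shannon_entropy(raw)})
    return {"machine": {0x14C: "x86", 0x8664: "x64", 0xAA64: "ARM64"}.get(machine, hex(machine)),
            "pe32_plus": magic == 0x20B, "timestamp": timestamp, "characteristics": chars,
            "entry_point_rva": entry_rva, "sections": sections}


def obfuscation_indicators(pe):
    """Packing heuristics: hot sections (> 7 bits/byte), packer names, sections that only exist at runtime."""
    hits = []
    for s in pe["sections"]:
        if s["entropy"] > 7.0:
            hits.append("high entropy in %s (%.2f bits/byte)" % (s["name"], s["entropy"]))
        if s["name"].upper().startswith(("UPX", ".ASPACK", ".VMP", ".THEMIDA", ".PETITE")):
            hits.append("packer section name %s" % s["name"])
        if s["raw_size"] == 0 and s["virtual_size"] > 0:
            hits.append("%s has no raw data but %#x bytes virtual (filled at runtime)" % (s["name"], s["virtual_size"]))
    return hits


def build_sample_pe():
    """Constructed PE32+ image, not a real binary: a plain .text section and a random-looking UPX1 section."""
    text = (b"This program cannot be run in DOS mode.\x00kernel32.dll\x00CreateRemoteThread\x00"
            b"http://example.invalid/gate.php\x00\x00\x00" + "cmd.exe /c whoami".encode("utf-16-le") + b"\x00\x00")
    text = text.ljust(512, b"\x00")
    packed = b"".join(hashlib.sha256(b"constructed-%d" % i).digest() for i in range(32))   # 1024 bytes
    dos = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40)                                 # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 2, 0x5F000000, 0, 0, 240, 0x0022)
    opt = struct.pack("<HBBIIIIIQ", 0x20B, 14, 0, 512, 1024, 0, 0x2000, 0x1000, 0x140000000).ljust(240, b"\x00")
    secs = struct.pack("<8sIIIIIIHHI", b".text", 512, 0x1000, 512, 512, 0, 0, 0, 0, 0x60000020)
    secs += struct.pack("<8sIIIIIIHHI", b"UPX1", 1024, 0x2000, 1024, 1024, 0, 0, 0, 0, 0xE0000040)
    return (dos + b"PE\x00\x00" + coff + opt + secs).ljust(512, b"\x00") + text + packed


if __name__ == "__main__":
    sample = build_sample_pe()
    print(identify_file_type(sample), fingerprint(sample)["sha256"])
    print(parse_pe(sample)["machine"], obfuscation_indicators(parse_pe(sample)))
```

Run against a real file by replacing build_sample_pe() with open(path, "rb").read(); the section-entropy check is the cheapest reliable packing indicator, and a high-entropy section together with a tiny import table is the usual cue that the strings and imports you see belong to the unpacking stub rather than to the payload.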

***Dynamic Analysis : dynamic analysis steps, analysing malware, DLL analysis

Which of the following is NOT a common type of sandbox environment used for dynamic
analysis?
a) Sandbox with network connectivity
b) Bare-metal sandbox
c) Virtualized sandbox
*d) Static analysis sandbox

When performing dynamic analysis, what is the primary reason for monitoring network
activity?
*a) To identify communication channels used by the malware
b) To update the malware with the latest attack signatures
c) To analyze the efficiency of the malware's code
d) To determine the file size and creation date

What is the purpose of analyzing DLLs during dynamic analysis of malware?
*a) To execute a malicious DLL's exported functions (for example through rundll32.exe) and observe its behavior, since a DLL cannot run on its own
b) To extract embedded strings from the DLLs for further analysis
c) To determine the specific programming language used by the malware
d) To verify the digital signature of the DLLs

Which of the following can be a telltale sign of malicious behavior observed during
dynamic analysis?
a) The malware attempts to access system resources like the registry
*b) The malware modifies system configuration files
c) The malware displays a user interface with legitimate functionality
d) The malware requires an internet connection to function

What is a benefit of combining dynamic analysis with static analysis for malware
detection?
a) It reduces the overall analysis time and resource consumption.
*b) It provides a more comprehensive understanding of the malware's behavior and
structure.
c) It eliminates the need for human expertise in interpreting the results.
d) It allows for automatic removal of the malware from infected systems.

What is a potential challenge associated with interpreting the results of dynamic analysis?
*a) The large amount of data generated can be overwhelming to analyze.
b) The malware might intentionally trigger false positives in the analysis tools.
c) Dynamic analysis is always successful in detecting any type of malware.
d) Static analysis provides a more reliable approach for malware detection.

What is a key consideration when choosing a sandbox environment for dynamic analysis?
a) The ease of use and user-friendly interface
*b) The level of isolation and security provided by the environment
c) The compatibility with specific operating systems and hardware platforms
d) The ability to run the malware without any modifications

How can dynamic analysis be used to improve the effectiveness of signature-based malware detection?
a) By identifying unique patterns in the malware's network traffic
b) By extracting specific strings from the malware's code
*c) By observing the malware's interactions with system resources (files, registry keys, mutexes) and turning them into behavioral signatures
d) By analyzing the file size and creation date of the malware

What is a limitation of dynamic analysis in the context of malware detection?
a) It requires a significant amount of time and resources to conduct the analysis.
b) It is only effective for analyzing specific types of malware families.
*c) It can miss malware that detects the sandbox and withholds its real behavior.
d) All of the above

How can dynamic analysis be helpful in malware research and development?
a) By studying the techniques used by existing malware to create more sophisticated variants.
b) By testing the effectiveness of newly developed security patches and mitigation strategies.
c) By identifying vulnerabilities in software applications through observation of malware exploitation.
*d) All of the above

*** Assembly language and disassembly primer: introduction to assembly language basics, registers, data transfer instructions, arithmetic operations, bitwise operations, branching and conditionals, loops and functions, arrays and strings, structures and x64 architecture

Which of the following best describes assembly language?
a) High-level programming language
*b) Low-level programming language
c) Markup language
d) Scripting language

What are registers in assembly language?
*a) Temporary storage locations within the CPU
b) Permanent storage locations on the hard disk
c) Output devices
d) Input devices

Which instruction in assembly language is used to move data from one register to another?
a) ADD
b) SUB
*c) MOV
d) JMP

What is the purpose of arithmetic operations in assembly language?
a) To compare values
*b) To perform mathematical calculations
c) To control program flow
d) To transfer data between registers

Which bitwise operation sets a bit to 1 when the operand is combined with a mask that has that bit set, leaving the other bits unchanged?
a) AND
*b) OR
c) XOR
d) NOT

What is branching in assembly language?
*a) The process of transferring control to another part of the program
b) The process of adding two numbers
c) The process of multiplying two numbers
d) The process of dividing two numbers

How are loops implemented in assembly language?
*a) Using conditional jumps
b) Using arithmetic operations
c) Using bitwise operations
d) Using function calls

What is the purpose of functions in assembly language?
a) To define data structures
b) To store constants
*c) To group related instructions
d) To perform input/output operations

In assembly language, what is an array?
*a) A collection of related data items stored at contiguous memory locations
b) A group of instructions executed sequentially
c) A list of function calls
d) A set of conditional statements

What is a string in assembly language?
*a) A sequence of characters stored in memory
b) A type of loop
c) A type of function
d) A conditional statement

How are structures represented in assembly language?
a) By defining data types
b) By using labels
*c) By grouping related data items
d) By using conditional jumps

Which architecture uses the x64 instruction set?
a) 16-bit architecture
b) 32-bit architecture
*c) 64-bit architecture
d) 128-bit architecture

Where is the return address of a function found on entry to the function in x64 architecture?
a) In RAX
b) In RBX
*c) On the stack, at the address held in RSP (CALL pushes it there and RET pops it)
d) In RIP, which instead holds the address of the next instruction to execute

How are function parameters passed in x64 architecture?
a) All on the stack, as in 32-bit cdecl
*b) The first few integer arguments in registers (RCX, RDX, R8, R9 on Windows; RDI, RSI, RDX, RCX, R8, R9 under System V), the rest on the stack
c) Using arrays
d) Using strings

What is the purpose of the RDI register in x64 architecture?
a) It holds the return address
b) It holds the source index for string instructions
*c) It holds the destination index for string instructions (MOVS, STOS) and, under the System V calling convention, the first integer argument
d) It holds the result of arithmetic operations

Which assembly language instruction is used to add two numbers?
a) SUB
*b) ADD
c) MOV
d) CMP

What is the primary function of the CMP instruction in assembly language?
*a) To compare two operands by subtracting them and setting the flags, without storing the result
b) To move data between registers
c) To perform bitwise operations
d) To branch to a different part of the program

In assembly language, which register is commonly used as a counter in loops?
a) RAX
b) RDI
*c) RCX
d) RSP

Register roles under the System V AMD64 calling convention (Linux, macOS):
%rax: a temporary register and the return value register
%rbx: a callee-saved register
%rcx: a scratch register that can be used for temporary values, or to pass the fourth argument to functions
%rdx: a scratch register that can be used for temporary values, or to pass the third argument to functions

What does the XOR instruction do in assembly language?
a) Adds two numbers
b) Subtracts two numbers
*c) Performs a bitwise XOR operation
d) Compares two numbers

What is the purpose of the JZ instruction in assembly language?
*a) To jump if the zero flag is set
b) To jump if the zero flag is not set
c) To jump if the carry flag is set
d) To jump if the carry flag is not set

How are function calls implemented in assembly language?
*a) Using the CALL instruction
b) Using the JMP instruction
c) Using the RET instruction
d) Using the PUSH and POP instructions

Which assembly language instruction performs signed multiplication of two numbers?
a) MUL (unsigned multiply)
b) DIV
*c) IMUL
d) IDIV

In assembly language, what is the role of the FLAGS register?
a) It holds the result of arithmetic operations
b) It stores the address of the next instruction to be executed
*c) It holds status bits (zero, carry, sign, overflow) set by the last arithmetic or comparison instruction, which conditional jumps test
d) It holds the return address of a function call

What is the purpose of the LEA instruction in assembly language?
a) To load a value from memory into a register
b) To store a value from a register into memory
c) To perform arithmetic operations
*d) To compute the effective address of a memory operand without accessing memory (compilers also use it as a cheap multiply-and-add)

How are conditional statements implemented in assembly language?
*a) Using CMP (or TEST) to set the flags, followed by a conditional jump such as JZ, JNZ, JL or JG
b) Using the CALL instruction
c) Using the MOV instruction
d) Using the RET instruction

Which assembly language instruction is used to perform a logical AND operation?
*a) AND
b) OR
c) XOR
d) NOT

What is the purpose of the PUSH and POP instructions in assembly language?
a) To add and subtract two numbers
*b) To push data onto the stack and pop data from the stack
c) To perform bitwise operations
d) To move data between registers

How are labels used in assembly language?
a) To define macros
*b) To name an address in the code or data, so that jumps, calls and memory references can target it
c) To store constants
d) To perform input/output operations

What is the role of the ESI register in assembly language?
*a) It holds the source index for string operations
b) It holds the destination index for string operations
c) It holds the base address of the source operand in memory operations
d) It holds the base address of the destination operand in memory operations

Which instruction performs signed division in assembly language?
a) DIV (unsigned divide)
b) MUL
*c) IDIV
d) IMUL

*** Disassembly using IDA: static code analysis, disassembling Windows API
Debugging malicious binaries: general concepts of debugging, debugging binaries

Which of the following is a primary step in static code analysis using IDA Pro?
a) Running the code and observing behavior
b) Debugging the code with breakpoints
*c) Analyzing the compiled code without executing it
d) Injecting additional code into the binary

What is the purpose of disassembling Windows API functions in malware analysis?
a) To modify the Windows operating system
*b) To understand how malware interacts with system functions
c) To encrypt the malware binary
d) To increase the size of the executable file

In the context of debugging, what does a breakpoint allow?
*a) It halts the execution of the program at a specific point
b) It speeds up the execution of the program
c) It hides the execution of the program from the debugger
d) It changes the behavior of the program at runtime

Which of the following is a general concept of debugging?
a) Analyzing static code
b) Identifying vulnerabilities
*c) Observing dynamic behavior
d) Encrypting binary files

What is the purpose of debugging binaries in malware analysis?
a) To increase the complexity of the malware
*b) To identify and understand the behavior of malicious code
c) To delete system files
d) To encrypt network traffic

What is the primary function of IDA Pro in disassembling binaries?
a) Identifying vulnerabilities in the code
b) Compiling source code into a binary
*c) Analyzing and understanding the structure and behavior of compiled programs
d) Modifying the behavior of running processes

When debugging a binary, what does stepping through code involve?
a) Running the program without interruption
b) Analyzing the assembly instructions
*c) Executing the program one instruction at a time
d) Observing the output of the program

Which of these debuggers is Microsoft's own and is commonly used for both user-mode and kernel-mode debugging of malicious binaries on Windows?
a) GDB
*b) WinDbg
c) LLDB
d) OllyDbg (user mode only)

What information can be obtained from debugging a malicious binary?
a) The source code of the malware
b) The author's identity
*c) The behavior of the malware and its interactions with the system
d) A guarantee that the binary is benign

In IDA Pro, what is the purpose of the graph view?
a) To display the assembly instructions in a linear format
*b) To visualize the control flow of the disassembled code
c) To analyze the behavior of the malware in real-time
d) To generate new code for the binary

In IDA Pro, what does the "Cross References" feature display?
a) References to memory addresses outside the binary
*b) Where a function or data item is referenced from, and what it references, within the binary
c) References to online resources related to the binary
d) References to hardware components connected to the system

Which type of analysis is primarily conducted during static code analysis?
a) Analyzing the behavior of the program during runtime
*b) Analyzing the code without executing it
c) Analyzing network traffic generated by the program
d) Analyzing the behavior of the program after execution

What is the purpose of dynamic analysis in malware analysis?
a) To analyze the code without executing it
*b) To analyze the behavior of the malware during runtime
c) To analyze the structure of the binary file
d) To analyze the network traffic generated by the malware

Which debugger feature allows the user to examine and modify the contents of memory?
*a) Memory view
b) Register view
c) Disassembly view
d) Breakpoint view

What does the term "unpacking" refer to in malware analysis?
a) Repacking the malware binary to avoid detection
*b) Decompressing and decrypting the malware binary to reveal its original code
c) Packing additional functionality into the malware binary
d) Moving the malware binary to a different location in memory

Which debugging technique involves stepping backward through the program's execution?
a) Forward tracing
*b) Reverse (time-travel) debugging, which replays a recorded execution trace backwards
c) Reverse engineering
d) Code refactoring

What is the purpose of analyzing the call stack during debugging?
*a) To see which functions called the current one, and with what return addresses, i.e. how execution reached this point
b) To identify the author of the malware
c) To modify the behavior of the malware
d) To generate new code for the binary

Which tool is commonly used to watch processes, handles and loaded DLLs during dynamic analysis of malware on the Windows platform?
a) IDA Pro
b) Ghidra
c) Wireshark
*d) Process Explorer

What is the primary goal of debugging malicious binaries?
a) To modify the behavior of the malware
*b) To understand the functionality and behavior of the malware
c) To increase the size of the binary
d) To encrypt network traffic generated by the malware

*** Malware functionalities and persistence: malware functionalities, malware persistence methods
Code Injection and Hooking: virtual memory, user mode and kernel mode, code injection techniques, hooking techniques

What is the primary objective of malware once it infects a system?
a) To speed up system performance
b) To enhance system security
*c) To carry out the attacker's intentions
d) To help the user with daily tasks

Which of the following is a common functionality of ransomware?
a) Monitoring user activity
*b) Encrypting user files
c) Displaying advertisements
d) Redirecting web traffic

How does spyware typically collect and transmit user information?
a) By encrypting files
*b) By monitoring keystrokes and screen captures
c) By defragmenting the hard drive
d) By installing additional software

What distinguishes a Trojan horse from other types of malware?
a) It replicates itself
*b) It disguises itself as legitimate software
c) It encrypts files
d) It redirects web traffic

What is a rootkit, and how does it help malware maintain persistence on a system?
a) A tool to optimize system performance
*b) Code (often a kernel driver or a set of hooks) that hides the malware's files, processes and registry keys from the operating system and security tools, so the persistence mechanism is not found and removed
c) A software for updating drivers
d) A program to clean the registry

Which registry key is commonly modified by malware to ensure persistence?
*a) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
b) HKEY_CLASSES_ROOT\DefaultIcon
c) HKEY_CURRENT_USER\Control Panel\Desktop
d) HKEY_USERS\.DEFAULT\Control Panel\Keyboard

How do scheduled tasks aid in malware persistence?
a) By defragmenting the hard drive regularly
*b) By running the malware at predetermined times or on triggers such as logon or system idle
c) By improving system performance
d) By creating backup copies of files

What is DLL hijacking in the context of malware persistence?
*a) Planting a malicious DLL where a trusted program's loader search order finds it before (or instead of) the legitimate one, so it is loaded every time that program starts
b) Deleting system DLLs
c) Compressing DLL files
d) Encrypting DLL files

Code Injection and Hooking

How does virtual memory work in modern operating systems?
a) It stores all files in the cloud
*b) It gives each process its own private address space, which the CPU translates to physical memory through page tables (pages can be swapped out to disk when RAM is short)
c) It compresses files to save space
d) It encrypts data for security

What are memory-mapped files, and how can they be exploited for code injection?
*a) File- or pagefile-backed sections mapped into a process's address space; a section holding a payload can also be mapped into another process (for example with NtMapViewOfSection), placing code there without WriteProcessMemory
b) Files compressed to save disk space
c) Files stored in the cloud for remote access
d) Files encrypted for security

Differentiate between user mode and kernel mode in the context of operating system
security.
a) User mode has higher privileges than kernel mode
*b) Kernel mode has higher privileges than user mode
c) Both have the same level of privileges
d) Neither has any privileges

What is process hollowing, and how is it used in code injection attacks?
a) Creating a new process to run malware under its own name
*b) Starting a legitimate process suspended, unmapping its original image, writing the malicious payload in its place and resuming the main thread, so the malware runs under the legitimate process's name
c) Deleting system files to create space
d) Compressing executable files

Which technique is commonly used in DLL injection?
a) Loading a legitimate DLL file
b) Replacing a function within a process's memory space
c) Running malware as a separate process
*d) Writing the malicious DLL's path into the target process and starting a remote thread at LoadLibrary so that the target loads it

What are code caves, and how can they be utilized for code injection?
a) Large files stored on a system
*b) Unused spaces within an executable file
c) System directories with hidden files
d) Encrypted sections of the hard drive

What is API hooking, and how is it implemented?
a) Modifying the source code of an application
*b) Intercepting calls to system functions, by patching the function's first bytes with a jump (inline hook) or overwriting function pointers in the import table (IAT hook)
c) Deleting system files
d) Encrypting API calls

Which type of malware is designed to provide unauthorized access to a computer?

a) Adware
b) Spyware
*c) Backdoor
d) Ransomware

How does a keylogger typically capture information?

a) By recording audio
b) By taking screenshots
*c) By logging keystrokes
d) By monitoring network traffic

What is the primary function of a botnet?
a) To encrypt user files
b) To mine cryptocurrency
*c) To launch coordinated attacks
d) To redirect web traffic

Which technique do some malware use to avoid detection by antivirus software?

a) Code optimization
*b) Polymorphism
c) System updates
d) File compression

What is the purpose of a dropper in malware distribution?
a) To create a backup of files
b) To clean the system registry
*c) To deliver and install other malicious components
d) To optimize system performance

How does malware commonly use the Windows Management Instrumentation (WMI) for persistence?
a) By modifying system drivers
*b) By creating permanent WMI event subscriptions (an __EventFilter bound to a CommandLineEventConsumer or ActiveScriptEventConsumer) that run the payload whenever the filter's event fires
c) By encrypting system files
d) By disabling firewall settings
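A worked example of the dynamic-analysis step of comparing a system snapshot taken before running the sample with one taken afterwards (the way Regshot does), then triaging what changed against the persistence locations this section covers: Run keys, the Winlogon Shell value, service image paths and IFEO debugger entries. This is an added example and not code from the original page; the two snapshots are constructed here in a Regshot-like "key = data" form, and every path, file name and value in them is made up for the demonstration.

```python
import re

# Autostart (ASEP) locations this triage recognises; each regex runs against the full key path.
ASEP_KINDS = [
    (re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I), "Run/RunOnce key"),
    (re.compile(r"\\Winlogon\\(Shell|Userinit)$", re.I), "Winlogon shell/userinit"),
    (re.compile(r"\\Services\\[^\\]+\\ImagePath$", re.I), "service binary path"),
    (re.compile(r"\\Image File Execution Options\\[^\\]+\\Debugger$", re.I), "IFEO debugger"),
]
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public|Downloads)\\", re.I)
LOLBINS = re.compile(r"\b(rundll32|regsvr32|mshta|wscript|cscript|powershell)\.exe\b", re.I)
SYSTEM_NAMES = ("svchost.exe", "spoolsv.exe", "lsass.exe", "csrss.exe")   # only legitimate from System32

# Constructed snapshots; nothing below was taken from a real machine.
BEFORE = r"""
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth = %windir%\system32\SecurityHealthSystray.exe
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = explorer.exe
HKLM\SYSTEM\CurrentControlSet\Services\Spooler\ImagePath = %SystemRoot%\System32\spoolsv.exe
"""
AFTER = r"""
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth = %windir%\system32\SecurityHealthSystray.exe
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater = C:\Users\alice\AppData\Roaming\svchost.exe
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Helper = rundll32.exe C:\Users\Public\h.dll,Start
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = explorer.exe,C:\ProgramData\wupd.exe
HKLM\SYSTEM\CurrentControlSet\Services\Spooler\ImagePath = C:\Windows\Temp\spoolsv.exe
"""


def parse_snapshot(text):
    """'key = data' lines -> dict; keys are full registry paths including the value name."""
    entries = {}
    for line in text.splitlines():
        if " = " in line:
            key, _, data = line.partition(" = ")
            entries[key.strip()] = data.strip()
    return entries


def diff_snapshots(before_text, after_text):
    """Return (change, key, old, new) tuples, like Regshot's added/deleted/modified sections."""
    before, after = parse_snapshot(before_text), parse_snapshot(after_text)
    changes = []
    for key in sorted(set(before) | set(after)):
        if key not in before:
            changes.append(("added", key, None, after[key]))
        elif key not in after:
            changes.append(("deleted", key, before[key], None))
        elif before[key] != after[key]:
            changes.append(("modified", key, before[key], after[key]))
    return changes


def triage(changes):
    """Keep only changes to autostart locations and explain why each one looks suspicious."""
    findings = []
    for change, key, old, new in changes:
        kind = next((label for rx, label in ASEP_KINDS if rx.search(key)), None)
        if kind is None or new is None:
            continue                       # not a persistence location, or a removal
        low = new.lower()
        reasons = []
        if USER_WRITABLE.search(new):
            reasons.append("binary lives in a user-writable location")
        if LOLBINS.search(new):
            reasons.append("living-off-the-land binary used as loader")
        for name in SYSTEM_NAMES:
            if name in low and "\\system32\\" not in low:
                reasons.append("%s outside System32 (name masquerading)" % name)
        if key.lower().endswith("\\shell") and low != "explorer.exe":
            reasons.append("Winlogon Shell is no longer just explorer.exe")
        findings.append({"change": change, "kind": kind, "key": key, "old": old, "new": new, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(diff_snapshots(BEFORE, AFTER)):
        print("%-8s %-24s %s\n         -> %s\n         %s" % (
            f["change"], f["kind"], f["key"], f["new"], "; ".join(f["reasons"])))
```

The diff is the easy part; the value of the exercise is in the triage rules, which encode what an analyst looks for by hand: an autostart entry that points into a user-writable directory, a system binary name outside System32, a script host or rundll32 used as the loader, and a Winlogon Shell that is no longer plain explorer.exe. Scheduled tasks and WMI subscriptions are not registry values, so a complete baseline also snapshots the Tasks folder and the root\subscription namespace.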

Which method is often used by malware to hide its processes on a system?
*a) Using rootkits
b) Deleting system logs
c) Compressing executable files
d) Creating duplicate processes

What is process injection, and how is it used by malware?
*a) Injecting code into another process's memory space
b) Modifying system registry entries
c) Encrypting files in the system directory
d) Deleting temporary files

Code Injection and Hooking

Which Win32 API function is commonly hooked by malware to intercept and alter file system operations?
*a) CreateFile
b) OpenProcess
c) VirtualAlloc
d) ReadFile

What is the primary purpose of code injection attacks?
a) To improve system performance
b) To add new features to software
*c) To execute arbitrary code within another process
d) To remove malicious software

Which of the following is a common method for injecting code into a remote process?
*a) DLL Injection
b) File compression
c) System restore
d) Disk defragmentation

What is the main goal of hooking techniques in malware?
a) To improve application functionality
*b) To intercept and alter API calls
c) To update software regularly
d) To remove system files

In the context of malware, what does the term "Reflective DLL Injection" refer to?
a) Injecting DLLs that reflect system status
*b) Loading a DLL from memory by having the DLL map and relocate itself, without LoadLibrary or a file on disk, so the Windows loader keeps no record of it
c) Reflecting malware activities in the system logs
d) Encrypting DLL files before injection

Which memory allocation function is frequently used in code injection attacks to allocate memory in a target process?
a) GlobalAlloc
b) LocalAlloc
*c) VirtualAllocEx
d) HeapAlloc
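The injection techniques in these questions (remote-thread DLL injection, process hollowing, the VirtualAllocEx/WriteProcessMemory/CreateRemoteThread chain) leave a recognisable ordered sequence of API calls, which is what sandboxes and EDR behavioural rules key on. The detector below runs over an API trace and reports which technique each source process used against each target. It is an added example, not code from the original page; the trace format is constructed (key=value tokens per call, with the sandbox assumed to have already resolved process handles to a target pid), and the process names and pids in it are made up.

```python
from collections import defaultdict

# Ordered API sequences; each step accepts any of the listed calls (Win32 or the Nt* syscall beneath it).
INJECTION_PATTERNS = {
    "remote thread injection": [
        {"OpenProcess", "NtOpenProcess"},
        {"VirtualAllocEx", "NtAllocateVirtualMemory"},
        {"WriteProcessMemory", "NtWriteVirtualMemory"},
        {"CreateRemoteThread", "NtCreateThreadEx", "RtlCreateUserThread", "QueueUserAPC"},
    ],
    "process hollowing": [
        {"CreateProcessW", "CreateProcessA", "CreateProcessInternalW"},
        {"NtUnmapViewOfSection", "ZwUnmapViewOfSection"},
        {"WriteProcessMemory", "NtWriteVirtualMemory"},
        {"SetThreadContext", "NtSetContextThread"},
        {"ResumeThread", "NtResumeThread"},
    ],
}
CREATE_SUSPENDED = 0x4
PAGE_EXECUTE_READWRITE = 0x40

# Constructed API trace; a sandbox that resolves handles to the target pid would emit something similar.
TRACE = r"""
pid=4120 image=update.exe api=OpenProcess target=1788 access=0x1FFFFF
pid=4120 image=update.exe api=VirtualAllocEx target=1788 size=0x1000 protect=0x40
pid=4120 image=update.exe api=WriteProcessMemory target=1788 size=0x3C0
pid=4120 image=update.exe api=CreateRemoteThread target=1788 start=kernel32!LoadLibraryW
pid=5008 image=installer.exe api=CreateProcessW target=6120 path=C:\Windows\System32\svchost.exe flags=0x4
pid=5008 image=installer.exe api=NtUnmapViewOfSection target=6120
pid=5008 image=installer.exe api=VirtualAllocEx target=6120 size=0x2A000 protect=0x40
pid=5008 image=installer.exe api=WriteProcessMemory target=6120 size=0x2A000
pid=5008 image=installer.exe api=SetThreadContext target=6120
pid=5008 image=installer.exe api=ResumeThread target=6120
pid=3300 image=taskmgr.exe api=OpenProcess target=4120 access=0x410
pid=3300 image=taskmgr.exe api=ReadProcessMemory target=4120 size=0x100
"""


def parse_trace(text):
    """Each line is whitespace-separated key=value tokens; returns one dict per API call."""
    events = []
    for line in text.splitlines():
        if line.strip():
            events.append(dict(tok.split("=", 1) for tok in line.split()))
    return events


def matches_in_order(apis, steps):
    """True when the steps appear as a subsequence of the call list (other calls may be interleaved)."""
    i = 0
    for api in apis:
        if i < len(steps) and api in steps[i]:
            i += 1
    return i == len(steps)


def detect_injection(events):
    """Group calls by (source pid, target pid) and match each group against the patterns."""
    by_pair = defaultdict(list)
    for ev in events:
        if "target" in ev:
            by_pair[(ev["pid"], ev["image"], ev["target"])].append(ev)
    findings = []
    for (pid, image, target), evs in by_pair.items():
        apis = [e["api"] for e in evs]
        for technique, steps in INJECTION_PATTERNS.items():
            if not matches_in_order(apis, steps):
                continue
            if technique == "process hollowing" and not any(
                    e["api"].startswith("CreateProcess") and int(e.get("flags", "0"), 16) & CREATE_SUSPENDED
                    for e in evs):
                continue                      # hollowing needs the victim created suspended
            variant = "DLL injection via LoadLibrary" if any(
                "LoadLibrary" in e.get("start", "") for e in evs) else "shellcode/PE written directly"
            findings.append({
                "pid": pid, "image": image, "target": target, "technique": technique, "variant": variant,
                "rwx_allocation": any(int(e.get("protect", "0"), 16) == PAGE_EXECUTE_READWRITE for e in evs),
                "calls": apis,
            })
    return findings


if __name__ == "__main__":
    for f in detect_injection(parse_trace(TRACE)):
        print("%s (pid %s) -> pid %s: %s [%s], RWX=%s" % (
            f["image"], f["pid"], f["target"], f["technique"], f["variant"], f["rwx_allocation"]))
```

The ordered-subsequence match is deliberate: injectors interleave unrelated calls, and the Nt* alternatives in each step catch samples that bypass the Win32 layer by calling ntdll directly. A read-only OpenProcess followed by ReadProcessMemory (the taskmgr.exe lines) never reaches the thread-creation step and so produces no finding.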

What is the purpose of API hooking in malware?
*a) To intercept function calls and potentially alter their behavior
b) To clean up temporary files
c) To optimize system performance
d) To update software automatically
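Hooking, as the questions above describe it, leaves two kinds of evidence an analyst can check for in a memory dump: an inline hook replaces a function's first bytes with a jump out of the module, and an IAT hook makes an import slot point somewhere other than the DLL it names. The scanner below decodes the x64 jump forms hook engines commonly plant and checks where they land against a module map. It is an added example, not code from the original page; the module addresses, the function bytes and the injected "unknown.dll" are all constructed, and the prologue forms it recognises are the usual x64 ones (jmp rel32, mov rax/jmp rax, push/ret, jmp [rip+disp32]), not an exhaustive list.

```python
import struct

# Constructed module map (base, size); real values come from EnumProcessModules or the dump's VAD list.
MODULES = {
    "ntdll.dll": (0x7FFB12340000, 0x1F0000),
    "kernel32.dll": (0x7FFB10A00000, 0xC0000),
    "unknown.dll": (0x7FFB0F000000, 0x20000),   # stand-in for an injected hooking DLL
}


def module_for(addr):
    for name, (base, size) in MODULES.items():
        if base <= addr < base + size:
            return name
    return None


def decode_prologue_jump(addr, code):
    """Recognise the control transfers hook engines plant at a function's first bytes.
    Returns (form, target) or (None, None) when the prologue is not a jump."""
    if code[:1] == b"\xE9" and len(code) >= 5:                      # jmp rel32
        return "jmp rel32", addr + 5 + struct.unpack_from("<i", code, 1)[0]
    if code[:2] == b"\x48\xB8" and code[10:12] == b"\xFF\xE0":         # mov rax, imm64 ; jmp rax
        return "mov rax, imm64; jmp rax", struct.unpack_from("<Q", code, 2)[0]
    if code[:1] == b"\x68" and code[5:6] == b"\xC3":                  # push imm32 ; ret
        return "push imm32; ret", struct.unpack_from("<I", code, 1)[0]
    if code[:2] == b"\xFF\x25" and len(code) >= 6:                    # jmp [rip+disp32]: target sits in a pointer slot
        return "jmp [rip+disp32]", addr + 6 + struct.unpack_from("<i", code, 2)[0]
    return None, None


def check_function(name, addr, code):
    form, target = decode_prologue_jump(addr, code)
    if form is None:
        return {"function": name, "status": "clean", "detail": "no control transfer in prologue"}
    if form == "jmp [rip+disp32]":
        return {"function": name, "status": "indirect", "detail": "read pointer slot at %#x to resolve target" % target}
    home, where = module_for(addr), module_for(target)
    if where == home:
        status = "intra-module jump (hotpatch or tail call, verify by hand)"
    elif where is None:
        status = "hooked: jumps to unmapped memory at %#x (trampoline/shellcode)" % target
    else:
        status = "hooked: jumps into %s" % where
    return {"function": name, "status": status, "detail": form}


def check_iat(entries):
    """An IAT slot must point into the module the import names; anything else is an IAT hook."""
    return [{"import": imp, "resolved": addr, "hooked": module_for(addr) != imp.split("!")[0]}
            for imp, addr in entries]


def rel32(src, dst):
    """Encode a jmp rel32 from src to dst (helper for building the constructed sample)."""
    return b"\xE9" + struct.pack("<i", dst - (src + 5))


# Constructed functions: address and first 16 bytes, as a memory dump would show them.
NTDLL, K32, EVIL = MODULES["ntdll.dll"][0], MODULES["kernel32.dll"][0], MODULES["unknown.dll"][0]
SAMPLE_FUNCTIONS = [
    ("NtCreateFile", NTDLL + 0x9E000, bytes.fromhex("4C8BD1B855000000F604250803FE7F01")),   # untouched syscall stub
    ("NtWriteFile", NTDLL + 0x9E100, rel32(NTDLL + 0x9E100, EVIL + 0x1000) + b"\x90" * 11),
    ("CreateFileW", K32 + 0x22F00, b"\x48\xB8" + struct.pack("<Q", EVIL + 0x2000) + b"\xFF\xE0" + b"\x90" * 4),
    ("ReadFile", K32 + 0x23000, rel32(K32 + 0x23000, K32 + 0x50000) + b"\x90" * 11),
    ("NtQueryDirectoryFile", NTDLL + 0x9E200, b"\x48\xB8" + struct.pack("<Q", 0x12340000) + b"\xFF\xE0" + b"\x90" * 4),
]
SAMPLE_IAT = [("kernel32.dll!CreateFileW", K32 + 0x22F00), ("kernel32.dll!WriteFile", EVIL + 0x3000)]


def scan_sample():
    return [check_function(*f) for f in SAMPLE_FUNCTIONS]


if __name__ == "__main__":
    for r in scan_sample() + check_iat(SAMPLE_IAT):
        print(r)
```

A jump that stays inside the function's own module is reported separately because Windows itself uses that pattern (hotpatching, tail calls), so it needs a look rather than an alert; the same check applied to the exported functions of ntdll.dll and kernel32.dll in a live process is how user-mode hook scanners find both malware hooks and the EDR's own.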

*** Malware Obfuscation Techniques: simple encoding, malware encryption, custom encoding, malware unpacking

What is the primary purpose of simple encoding in malware?
*a) To hide strings, configuration and payloads from static analysis and signature matching
b) To make the malware easier to analyze
c) To increase the malware's performance
d) To make the malware's behavior more predictable

Which of the following is NOT a common form of simple encoding used in malware?
a) Base64 encoding
b) XOR encoding
*c) RSA encryption
d) ASCII encoding

Malware encryption is primarily used for:
a) Increasing the size of the malware
*b) Making the malware's code unreadable until it is decrypted at runtime, so that static analysis and signature scanning see only ciphertext
c) Decreasing the malware's performance
d) Enhancing the malware's compatibility

Custom encoding in malware involves:
a) Using pre-defined encoding algorithms
*b) Creating unique encoding algorithms
c) Utilizing open-source encoding libraries
d) None of the above

What is the main drawback of custom encoding for malware authors?
*a) Increased complexity
b) Decreased stealthiness
c) Limited obfuscation capabilities
d) Higher chance of detection

Malware unpacking refers to:
a) Compressing the malware code
b) Decrypting a single embedded payload string
*c) Recovering the original executable from its packed (compressed or encrypted) form, typically by letting the unpacking stub run and dumping the reconstructed image from memory
d) Encoding the malware's behavior
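The simple-encoding and custom-encoding questions above describe what an analyst most often has to undo by hand: a configuration or URL wrapped in one or more Base64 layers and a XOR key, sometimes a single byte, sometimes a short rolling key. The decoder below peels the Base64 layers, brute-forces a single-byte key against a known plaintext fragment (the crib), and for longer keys exploits the zero padding that a fixed-size config struct leaves behind. It is an added example, not code from the original page; the two encoded samples are built in the script itself from constructed configs (the host example.invalid is reserved and never resolves), and the keys 0x5A and "K3y!" are arbitrary choices for the demonstration.

```python
import base64
import binascii
import re
import string

PRINTABLE = set(string.printable.encode())
B64_TEXT = re.compile(rb"[A-Za-z0-9+/=\s]+")


def xor_bytes(data, key):
    """Rolling XOR: byte i is combined with key[i mod len(key)]; the same call encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def strip_base64_layers(data, max_layers=4):
    """Peel nested Base64 while the data still looks like Base64 text and decodes cleanly."""
    for _ in range(max_layers):
        compact = b"".join(data.split())
        if not B64_TEXT.fullmatch(data) or len(compact) % 4:
            break
        try:
            data = base64.b64decode(compact, validate=True)
        except binascii.Error:
            break
    return data


def printable_ratio(data):
    return sum(b in PRINTABLE for b in data) / len(data) if data else 0.0


def brute_force_single_byte_xor(blob, crib):
    """Try all 256 keys and keep those whose plaintext contains the known substring, best-looking first."""
    hits = []
    for key in range(256):
        plain = xor_bytes(blob, bytes([key]))
        if crib in plain:
            hits.append((printable_ratio(plain), bytes([key]), plain))
    hits.sort(reverse=True)
    return hits


def recover_rolling_key(blob, key_len):
    """Zero padding leaks a rolling key: at each key position the most common ciphertext byte is key[i] ^ 0x00."""
    return bytes(max(set(blob[i::key_len]), key=blob[i::key_len].count) for i in range(key_len))


def decode_config(encoded, crib=b"http", max_key_len=16):
    """Base64 layers first, then single-byte brute force, then the zero-padding trick for longer keys."""
    blob = strip_base64_layers(encoded)
    hits = brute_force_single_byte_xor(blob, crib)
    if hits:
        return hits[0][1], hits[0][2]
    for key_len in range(2, max_key_len + 1):
        key = recover_rolling_key(blob, key_len)
        plain = xor_bytes(blob, key)
        if crib in plain:
            return key, plain
    return None, None


def extract_c2(plain):
    """Pull the first URL out of a NUL-separated config blob."""
    for field in plain.split(b"\x00"):
        if field.startswith((b"http://", b"https://")):
            return field.decode("ascii", "replace")
    return None


# Constructed samples: a short single-byte-XOR string and a 256-byte struct under a 4-byte rolling key.
CONFIG_1 = b"http://example.invalid/gate.php\x00"
SAMPLE_1 = base64.b64encode(xor_bytes(CONFIG_1, b"\x5A"))
CONFIG_2 = (b"http://example.invalid/gate.php".ljust(64, b"\x00") + b"bot-7781".ljust(16, b"\x00")
            + b"3600".ljust(176, b"\x00"))                       # mostly zero padding, as real config structs are
SAMPLE_2 = base64.b64encode(base64.b64encode(xor_bytes(CONFIG_2, b"K3y!")))

if __name__ == "__main__":
    for sample in (SAMPLE_1, SAMPLE_2):
        key, plain = decode_config(sample)
        print("key=%r c2=%s" % (key, extract_c2(plain)))
```

The crib is what makes the brute force safe to automate: without a known fragment, ranking by printable ratio alone will happily pick a wrong key for a short blob. The zero-padding recovery is the standard trick against rolling XOR in padded structures, and it fails on the short first sample precisely because that sample has almost no zeros, which is why the decoder tries the single-byte search first.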

Which obfuscation technique is often used to hide the true behavior of malware from
security analysts?
a) Simple encoding
*b) Malware encryption
c) Custom encoding
d) Malware unpacking

Which obfuscation technique is most effective in disguising the malicious intent of
the code?
a) Simple encoding
b) Malware encryption
*c) Custom encoding
d) Malware unpacking

Which obfuscation technique is primarily focused on making the malware's code
unreadable?
a) Simple encoding
*b) Malware encryption
c) Custom encoding
d) Malware unpacking

Which obfuscation technique can significantly increase the complexity of malware
analysis?
a) Simple encoding
b) Malware encryption
*c) Custom encoding
d) Malware unpacking

Which encoding technique is commonly used to convert binary data into a printable
format?
*a) Base64 encoding
b) XOR encoding
c) RSA encryption
d) MD5 hashing

Malware encryption is typically achieved using which type of algorithms?
*a) Symmetric encryption
b) Asymmetric encryption
c) Hashing algorithms
d) Compression algorithms

Which obfuscation technique is most likely to increase the size of the malware
binary?
a) Simple encoding
b) Malware encryption
*c) Custom encoding
d) Malware unpacking

Which obfuscation technique can make static analysis of malware more challenging?
a) Simple encoding
*b) Malware encryption
c) Custom encoding
d) Malware unpacking

Which obfuscation technique is often employed to evade signature-based detection
mechanisms?
a) Simple encoding
b) Malware encryption
*c) Custom encoding
d) Malware unpacking
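The questions above treat single-byte XOR, Base64 and "custom" alphabets as the simple encodings an analyst meets first. The following is an added example (not part of the original quiz) showing how an analyst recovers such strings: brute-forcing a single-byte XOR key with a known-plaintext crib, and decoding Base64 that uses a rotated alphabet. The encoded blobs, the 0x5A key and the rotated alphabet are all constructed here for illustration, not taken from any real sample.

```python
"""Recovering simply-encoded malware strings: single-byte XOR key brute force and a
custom Base64 alphabet decoder. Added example; the sample blobs are constructed here,
not taken from any real malware."""
import base64
import string
from typing import Optional

STANDARD_B64 = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"

# Constructed: a made-up rotated alphabet, the kind of "custom encoding" that defeats
# a decoder expecting the standard Base64 table while keeping the output printable.
CUSTOM_B64 = STANDARD_B64[13:] + STANDARD_B64[:13]


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def printable_ratio(data: bytes) -> float:
    ok = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return ok / len(data) if data else 0.0


def recover_xor_key(blob: bytes, crib: Optional[bytes] = None) -> list:
    """Try all 256 single-byte keys. With a crib (a plaintext fragment expected in
    the output, e.g. b'http' or b'DOS mode') keep only keys that produce it;
    without one, rank by how printable the output is. Returns (key, plaintext)
    candidates, best first."""
    candidates = []
    for key in range(256):
        out = xor_bytes(blob, key)
        if crib is not None:
            if crib in out:
                candidates.append((1.0, key, out))
        else:
            candidates.append((printable_ratio(out), key, out))
    candidates.sort(key=lambda t: (-t[0], t[1]))
    return [(k, p) for _, k, p in candidates]


def encode_custom_b64(data: bytes, alphabet: str = CUSTOM_B64) -> str:
    std = base64.b64encode(data).decode().rstrip("=")
    return std.translate(str.maketrans(STANDARD_B64, alphabet))


def decode_custom_b64(text: str, alphabet: str = CUSTOM_B64) -> bytes:
    """Map the custom alphabet back onto the standard one, restore padding, then
    let the stdlib decoder do the work."""
    std = text.translate(str.maketrans(alphabet, STANDARD_B64))
    std += "=" * (-len(std) % 4)
    return base64.b64decode(std)


# Constructed sample: a C2 URL XOR-encoded with key 0x5A, then wrapped in the custom
# Base64, the layering a dropper might use to keep the URL out of a strings listing.
SECRET = b"http://c2.example.invalid/gate.php"
SAMPLE_BLOB = encode_custom_b64(xor_bytes(SECRET, 0x5A))


def deobfuscate(blob: str) -> tuple:
    """Undo both layers: custom Base64 first, then XOR with the crib-recovered key."""
    raw = decode_custom_b64(blob)
    key, plain = recover_xor_key(raw, crib=b"http")[0]
    return key, plain


if __name__ == "__main__":
    key, plain = deobfuscate(SAMPLE_BLOB)
    print(f"key=0x{key:02X} plaintext={plain!r}")
```

Without a crib the printable-ratio ranking can tie (keys that differ only in a low bit often keep letters as letters), so in practice an analyst supplies a crib such as a URL scheme, a PE header string, or a known API name.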

Which of the following is NOT a common technique used to evade dynamic analysis of
malware?
a) Time delays
b) Sandbox detection
c) API hooking
*d) Malware unpacking

What is the purpose of using anti-debugging techniques in malware?
a) To prevent the malware from executing on virtual machines
*b) To hinder reverse engineering attempts by security analysts
c) To increase the speed of malware execution
d) To encrypt the malware payload

Which of the following is an example of a polymorphic malware?
a) Ransomware
b) Rootkit
c) Trojan horse
*d) Virus

What role do packers play in malware obfuscation?
a) They compress the malware code to reduce its size
*b) They obfuscate the malware to evade detection
c) They encrypt the malware payload to hide its behavior
d) They decode the malware during execution

Which obfuscation technique involves altering the control flow of the malware code
to make it harder to analyze?
a) Code packing
*b) Control flow obfuscation
c) Data obfuscation
d) Code obfuscation

What is the purpose of using junk code in malware obfuscation?
a) To increase the size of the malware binary
*b) To confuse security analysts by introducing irrelevant code
c) To slow down the execution of the malware
d) To enhance the functionality of the malware

Which of the following is NOT a commonly used malware obfuscation technique?
a) Protocol obfuscation
b) Domain generation algorithms (DGAs)
*c) Code signing
d) API obfuscation

Which obfuscation technique involves embedding encrypted or obfuscated strings
within the malware code?
*a) String encryption
b) Data obfuscation
c) Code packing
d) Function renaming

What is the primary goal of malware authors when employing obfuscation techniques?
a) To increase the performance of the malware
b) To make the malware easier to detect by security tools
*c) To make the malware more difficult to analyze and reverse engineer
d) To minimize the size of the malware binary

Which obfuscation technique involves modifying the metadata of executable files to
evade detection?
a) File packing
*b) Metadata manipulation
c) Binary patching
d) Code obfuscation

**** Hunting Malware using Malware Forensics : memory forensics steps, memory acquisition,
volatility overview, enumerating processes, listing process handles, dumping executable and DLL,
listing network connections and sockets, inspecting registry, investigating service, extracting
command history, listing DLLs

What is the first step in memory forensics?
a) Memory analysis
*b) Memory acquisition
c) Dumping executables
d) Listing DLLs

Which tool is commonly used for memory acquisition in forensic investigations?
a) Wireshark
b) Volatility
*c) FTK Imager
d) Autopsy

What is the primary purpose of memory acquisition?
a) To modify system memory
*b) To capture the current state of system memory for analysis
c) To erase all memory content
d) To speed up the computer

Volatility is primarily used for:
a) Network traffic analysis
b) Disk imaging
*c) Memory forensics
d) File recovery

Which Volatility plugin is used to enumerate all running processes?
*a) pslist
b) netscan
c) handles
d) dlllist

How can you list the handles opened by a specific process using Volatility?
a) Using the 'pslist' plugin
*b) Using the 'handles' plugin
c) Using the 'dlllist' plugin
d) Using the 'cmdscan' plugin

Which Volatility plugin would you use to dump the executable image of a running process to disk?
a) memdump
*b) procdump (named procexedump in early Volatility 2 releases)
c) malfind
d) filescan

To investigate network connections and sockets in memory, which Volatility plugin
should you use?
a) pslist
*b) netscan
c) connscan
d) sockscan

What can the 'printkey' plugin in Volatility be used for?
a) Inspecting open network connections
b) Listing active processes
*c) Inspecting registry keys
d) Dumping process memory

To investigate services running on a system, which Volatility plugin is most
useful?
*a) svcscan
b) pslist
c) netscan
d) cmdscan

How can command history be extracted from a memory dump using Volatility?
*a) Using the 'cmdscan' plugin
b) Using the 'svcscan' plugin
c) Using the 'printkey' plugin
d) Using the 'dlllist' plugin

Which plugin would you use to list all DLLs loaded by a specific process in
Volatility?
*a) dlllist
b) psscan
c) connscan
d) handles

Which of the following is NOT a step in the memory forensics process?
a) Memory acquisition
*b) Memory wiping
c) Memory analysis
d) Report generation

What is the primary goal of enumerating processes in memory forensics?
a) To increase system performance
*b) To identify malicious or suspicious processes
c) To backup system files
d) To delete unnecessary processes

Which Volatility plugin can help identify hidden or unlinked processes?
*a) psscan
b) pslist
c) svcscan
d) netscan

Which Volatility plugin can be used to identify processes that have been hidden by
rootkits?
a) pslist
b) hivelist
*c) psscan
d) connscan

What does the Volatility 'malfind' plugin do?
a) Lists all network connections
*b) Scans for malware artifacts in memory
c) Lists open files and file handles
d) Lists active DLLs for each process

Which of the following is a virtual disk format rather than a memory image, and so cannot be analyzed directly by Volatility as a memory dump?
a) .raw (raw physical memory dump)
b) .img (raw dump, alternative extension)
*c) .vmdk (VMware virtual disk)
d) .dd (raw dump produced by dd-style imagers)

Which Volatility plugin would you use to list open files and network sockets for a
specific process?
a) filescan
b) netscan
*c) handles
d) lsof

What is the purpose of the Volatility 'imageinfo' plugin?
a) To dump the process memory
*b) To gather information about the memory image
c) To list loaded modules
d) To list all running processes

How can you determine the OS version and service pack level from a memory dump
using Volatility?
a) Using the 'pslist' plugin
*b) Using the 'imageinfo' plugin
c) Using the 'dlllist' plugin
d) Using the 'svcscan' plugin

Which Volatility plugin scans for the command history structures of cmd.exe to recover commands typed in a Command Prompt session?
*a) cmdscan
b) shimcache
c) cmdline
d) shellbags

To inspect the contents of a specific registry hive in memory, which Volatility
plugin would you use?
a) hivelist
b) hiveinfo
*c) printkey
d) regdump

Which of the following is NOT a typical use of memory forensics?
a) Detecting hidden processes
b) Analyzing system uptime
c) Recovering encryption keys
*d) Modifying the file system

What type of information can be obtained by listing process handles in memory
forensics?
a) Active network connections
*b) Open files, registry keys, and other resources used by processes
c) Loaded DLLs and modules
d) Command history

The 'modscan' plugin in Volatility is used to:
a) List active network connections
*b) Scan for loaded kernel modules
c) List open files and handles
d) Scan for malware signatures

Which plugin in Volatility would you use to extract and analyze clipboard contents?
*a) clipboard
b) cliphist
c) clipboarddata
d) clipdump

In Volatility, what is the 'procdump' plugin used for?
a) To list all processes
*b) To dump a process's executable image (PE file) from memory to disk
c) To list DLLs used by a process
d) To scan for hidden processes

What does the Volatility 'shellbags' plugin analyze?
a) Command history
*b) Recently accessed directories in Windows Explorer
c) Network connections
d) Open file handles

To build a chronological timeline of artifacts (process creation, network activity, registry and
file timestamps) from a memory dump, which Volatility plugin would you use?
*a) timeliner
b) uptime
c) clockscan
d) systime

***Detecting advanced malware using memory forensics : detecting code injection, investigating
hollow process injection, detecting API hooks, kernel mode rootkits, listing kernel modules, I/O
processing, display device tree, detecting kernel space hooking, kernel call-backs and timers

Which technique involves injecting malicious code into a legitimate process to
evade detection?
a) Code obfuscation
*b) Code injection
c) Memory acquisition
d) Process hollowing

What is the primary goal of process hollowing in malware attacks?
a) To increase the performance of the malware
b) To inject code into a system driver
*c) To replace the memory of a legitimate process with malicious code
d) To encrypt malware payloads

Which Volatility plugin can be used to detect process hollowing?
*a) hollowfind (a community plugin, not part of the core distribution)
b) pslist
c) procexedump
d) psscan

Detecting API hooks is important for identifying:
a) Hidden files
*b) Modified system calls
c) Open network connections
d) Encrypted payloads

Which Volatility plugin can help identify user-mode API hooks?
*a) apihooks
b) malfind
c) handles
d) dlllist

Kernel mode rootkits operate at which level of the operating system?
a) User level
b) Application level
*c) Kernel level
d) Network level

Which Volatility plugin pool-scans memory for kernel modules, so that it also finds unloaded or unlinked (hidden) drivers?
a) modules
*b) modscan
c) kdbgscan
d) filescan

What is the purpose of examining I/O processing in memory forensics?
a) To identify active network connections
*b) To detect malware hiding in device drivers
c) To list open files
d) To analyze registry keys

Displaying the device tree in memory forensics helps to:
a) Identify hidden processes
b) Analyze network traffic
*c) Visualize the hierarchy of system devices and drivers
d) Detect code injections

Kernel space hooking involves:
a) Modifying user-mode API calls
*b) Altering kernel-mode functions and data structures
c) Injecting code into system processes
d) Encrypting kernel modules

Which Volatility plugin detects inline and import/export-table hooks in kernel-mode modules as well as in user-mode DLLs?
*a) apihooks
b) modscan
c) callbacks
d) kdbgscan

Kernel call-backs and timers are often used by malware to:
a) Enhance system performance
*b) Maintain persistence and execute code at specific intervals
c) Encrypt data
d) Monitor network traffic

Which of the following techniques is used to detect kernel-mode rootkits?
a) API monitoring
b) Process injection
*c) Kernel memory analysis
d) Network scanning

Which tool or plugin can help detect code injection in memory forensics?
*a) malfind
b) filescan
c) procdump
d) netscan

Why is detecting kernel-space hooking crucial in malware forensics?
a) It reveals network activity
b) It shows hidden processes
*c) It identifies alterations to critical system functions
d) It lists open files

Which memory forensic tool can be used to analyze the memory image of a compromised
system to detect code injection?
a) FTK Imager
b) Autopsy
*c) Volatility
d) Wireshark

The primary indicator of a hollow process in memory forensics is:
a) Multiple network connections
*b) Mismatched image file name and memory image
c) High CPU usage
d) Large number of open files
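The questions on malfind and hollowfind above reduce to two checks on a process's memory layout: private memory that is both writable and executable (malfind), and an image region whose backing file no longer matches the path the PEB claims (hollowfind). The block below is an added example, not code from Volatility or the original quiz; the process records are constructed dicts standing in for real VAD and PEB data, and the layout fields (initial protection, private flag, first bytes of each region) are assumptions about what a real plugin would read from the image.

```python
"""Two memory-forensics checks on a process, in the spirit of Volatility's malfind and
the community hollowfind plugin. Added example; the process records below are constructed
stand-ins for real VAD / PEB data, not a real image."""
from dataclasses import dataclass, field

PAGE_EXECUTE_READWRITE = 0x40     # the RWX protection malfind keys on
PAGE_EXECUTE_WRITECOPY = 0x80     # normal for a file-backed image section
MZ = b"MZ"


@dataclass
class Vad:
    start: int
    end: int
    protection: int          # initial page protection recorded in the VAD node
    private: bool            # True for private (non-file-backed) memory
    mapped_file: str = ""    # file backing the region, if any
    head: bytes = b""        # first bytes of the region, as read from the image


@dataclass
class Process:
    pid: int
    name: str
    peb_image_path: str      # ImagePathName from the PEB's process parameters
    vads: list = field(default_factory=list)


def malfind(proc: Process) -> list:
    """Flag private regions that are executable and writable, the classic injected-code
    signature. Returns (start, starts_with_MZ) so a mapped-in PE stands out from raw
    shellcode."""
    hits = []
    for v in proc.vads:
        if v.private and v.protection == PAGE_EXECUTE_READWRITE:
            hits.append((hex(v.start), v.head.startswith(MZ)))
    return hits


def hollowfind(proc: Process) -> list:
    """Compare the executable path in the PEB against the VAD that holds a PE image.
    In a hollowed process the PEB still names the original file, but the image region
    is no longer file-backed (it was unmapped and replaced) or is backed by a
    different file."""
    findings = []
    for v in proc.vads:
        if not v.head.startswith(MZ):
            continue
        if not v.mapped_file:
            findings.append(f"pid {proc.pid}: PE at {hex(v.start)} has no backing file "
                            f"(PEB says {proc.peb_image_path})")
        elif v.mapped_file.lower() != proc.peb_image_path.lower():
            findings.append(f"pid {proc.pid}: PEB path {proc.peb_image_path} but VAD maps "
                            f"{v.mapped_file}")
    return findings


# Constructed samples: a normal svchost.exe and one whose image section was replaced.
CLEAN = Process(100, "svchost.exe", r"C:\Windows\System32\svchost.exe", [
    Vad(0x7FF600000000, 0x7FF600020000, PAGE_EXECUTE_WRITECOPY, False,
        r"C:\Windows\System32\svchost.exe", b"MZ\x90\x00"),
    Vad(0x1E000, 0x1F000, 0x04, True, "", b"\x00" * 4),          # ordinary heap, RW
])
HOLLOWED = Process(101, "svchost.exe", r"C:\Windows\System32\svchost.exe", [
    Vad(0x7FF600000000, 0x7FF600030000, PAGE_EXECUTE_READWRITE, True, "",
        b"MZ\x90\x00"),                                            # replaced image, private RWX
    Vad(0x2A0000, 0x2A2000, PAGE_EXECUTE_READWRITE, True, "", b"\xfc\x48\x83\xe4"),  # shellcode stub
])

if __name__ == "__main__":
    for p in (CLEAN, HOLLOWED):
        print(p.pid, p.name, "malfind:", malfind(p), "hollowfind:", hollowfind(p))
```

A real image needs more care than this toy: legitimate JIT engines and some protectors also allocate private RWX memory, so malfind hits are leads to be confirmed (dump the region, check for a PE header or recognisable code), not verdicts.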

Which technique can malware use to avoid detection by modifying the system call
table in kernel space?
a) User-mode hooking
*b) Kernel-mode hooking
c) Process hollowing
d) API injection

What does the Volatility 'driverirp' plugin analyze?
a) Process memory dumps
*b) The I/O Request Packet (IRP) dispatch tables of loaded drivers, looking for handlers that point outside the owning driver
c) Open network connections
d) Loaded DLLs

Which Volatility plugin can you use to detect malicious modifications in system
call handlers?
*a) ssdt
b) psxview
c) modscan
d) sockscan
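The apihooks and ssdt questions above both come down to one test: does a control transfer, or a table entry, point into a module that should own it? The block below is an added example, not code from Volatility or the original quiz. It decodes the two most common inline-hook trampolines (rel32 JMP/CALL and PUSH imm32 ; RET) and checks SSDT handlers against the modules allowed to own them. All module ranges, export addresses, prologue bytes and table entries are constructed toy values, and 32-bit x86 addressing is assumed.

```python
"""Detecting inline API hooks and SSDT hooks from module address ranges, the idea behind
Volatility's apihooks and ssdt plugins. Added example: module map, prologues and SSDT
entries below are constructed toy values (32-bit x86 assumed), not from a real image."""
import struct

# Constructed module map: name -> (base, end). Only ntoskrnl and win32k may own SSDT
# entries; ntdll/kernel32 are user-mode DLLs; evil.sys stands in for a rogue driver.
MODULES = {
    "ntoskrnl.exe": (0x80400000, 0x80600000),
    "win32k.sys":   (0xBF800000, 0xBFA00000),
    "ntdll.dll":    (0x7C900000, 0x7C9B0000),
    "kernel32.dll": (0x7C800000, 0x7C8F6000),
    "evil.sys":     (0xF8A00000, 0xF8A10000),
}
SSDT_OWNERS = ("ntoskrnl.exe", "win32k.sys")


def owner(addr: int):
    """Name of the module whose range contains addr, or None (heap, unmapped, etc.)."""
    for name, (lo, hi) in MODULES.items():
        if lo <= addr < hi:
            return name
    return None


def inline_hook_target(func_addr: int, prologue: bytes):
    """Return the jump target if the function starts with a transfer of control
    (JMP/CALL rel32, or PUSH imm32 ; RET), else None. Only these trampoline shapes
    are decoded; a full disassembler would cover more."""
    if len(prologue) >= 5 and prologue[0] in (0xE9, 0xE8):            # JMP / CALL rel32
        rel = struct.unpack_from("<i", prologue, 1)[0]
        return (func_addr + 5 + rel) & 0xFFFFFFFF
    if len(prologue) >= 6 and prologue[0] == 0x68 and prologue[5] == 0xC3:  # PUSH imm32 ; RET
        return struct.unpack_from("<I", prologue, 1)[0]
    return None


def apihooks(exports: dict) -> list:
    """exports: {(module, function): (address, first_bytes)}. A hook is a control
    transfer whose target lies outside the function's own module."""
    hooks = []
    for (mod, fn), (addr, head) in exports.items():
        tgt = inline_hook_target(addr, head)
        if tgt is not None and owner(tgt) != mod:
            hooks.append((f"{mod}!{fn}", hex(tgt), owner(tgt)))
    return hooks


def ssdt(table: list) -> list:
    """table: list of (service index, handler address). Every handler must belong to
    ntoskrnl.exe or win32k.sys; anything else is a hooked service."""
    return [(i, hex(a), owner(a)) for i, a in table if owner(a) not in SSDT_OWNERS]


def jmp_rel32(from_addr: int, to_addr: int) -> bytes:
    """Encode 'JMP to_addr' as it would sit at from_addr (used to build the sample)."""
    return b"\xE9" + struct.pack("<i", to_addr - (from_addr + 5))


# Constructed samples.
EXPORTS = {
    ("ntdll.dll", "NtQueryDirectoryFile"): (0x7C90D750, jmp_rel32(0x7C90D750, 0x00A01000)),  # hooked into heap
    ("ntdll.dll", "NtCreateFile"):          (0x7C90D0AE, b"\xB8\x25\x00\x00\x00"),            # mov eax, 0x25 (clean)
    ("kernel32.dll", "CreateFileW"):        (0x7C801A28, b"\x8B\xFF\x55\x8B\xEC"),            # hotpatch prologue (clean)
}
SSDT_TABLE = [(0x25, 0x80570F01), (0x91, 0xF8A01230), (0xAD, 0xBF80A2C0)]

if __name__ == "__main__":
    print("user-mode hooks:", apihooks(EXPORTS))
    print("SSDT hooks:", ssdt(SSDT_TABLE))
```

The whitelist matters in both directions: a JMP that stays inside its own module (ntdll forwarding to another ntdll routine) is legitimate, while a target with no owning module at all, as in the heap-resident hook above, is the strongest signal.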

Why is examining kernel timers and call-backs important in malware forensics?
a) They reveal hidden files
*b) They provide insights into persistent mechanisms used by malware
c) They list all running processes
d) They display network activity

How can kernel-mode rootkits maintain persistence on a compromised system?
a) By modifying user-mode applications
*b) By altering kernel data structures and hooking functions
c) By encrypting files on the system
d) By injecting code into browser processes

Which Volatility plugin would you use to identify hidden processes by comparing
multiple process listings?
a) psscan
*b) psxview
c) pslist
d) malfind
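The psscan questions earlier (hidden or unlinked processes, rootkit-hidden processes) and the psxview question just above describe the same cross-view technique: walk the active-process list the way pslist does, carve every process block out of memory the way psscan does, and report whatever only the scan finds. The block below is an added example, not code from Volatility or the original quiz. Its "memory image" is a constructed byte buffer holding toy process records with a made-up layout (pool tag, pid, flink, blink, name), not a real EPROCESS, and one record is unlinked the way a DKOM rootkit would do it.

```python
"""Cross-view detection of a DKOM-hidden process, in the manner of Volatility's
pslist / psscan / psxview. Added example: the 'memory image' is a constructed buffer of
toy process records (assumed layout below), not a real Windows EPROCESS layout."""
import struct

POOL_TAG = b"Proc"
REC = struct.Struct("<4sIII16s")    # tag, pid, flink, blink, name: toy layout (assumption)
HEAD = 0x10                          # offset of the list head record (pid 0, no name)
STRIDE = REC.size + 8                # records are laid out with a small gap between them


def build_image(procs, hide_pid=None) -> bytes:
    """Lay out a list head plus one record per (pid, name), doubly linked in order.
    If hide_pid is given, unlink that record the way a DKOM rootkit does: its
    neighbours skip over it, but its bytes stay in memory (self-linked)."""
    entries = [(0, b"")] + list(procs)                 # index 0 is the list head
    offsets = [HEAD + i * STRIDE for i in range(len(entries))]
    visible = [i for i, (pid, _) in enumerate(entries) if pid != hide_pid]
    links = {}
    for pos, i in enumerate(visible):
        nxt = visible[(pos + 1) % len(visible)]
        prv = visible[pos - 1]
        links[i] = (offsets[nxt], offsets[prv])
    image = bytearray(offsets[-1] + REC.size + 0x40)
    for i, (pid, name) in enumerate(entries):
        flink, blink = links.get(i, (offsets[i], offsets[i]))   # hidden record points at itself
        REC.pack_into(image, offsets[i], POOL_TAG, pid, flink, blink, name)
    return bytes(image)


def _name(raw: bytes) -> str:
    return raw.rstrip(b"\0").decode()


def pslist(image: bytes) -> list:
    """Walk the active-process linked list from the head (what pslist does)."""
    seen, out, off = set(), [], HEAD
    while off not in seen:
        seen.add(off)
        _, pid, flink, _, name = REC.unpack_from(image, off)
        if off != HEAD:
            out.append((pid, _name(name)))
        off = flink
    return out


def psscan(image: bytes) -> list:
    """Scan the whole image for the pool tag (what psscan does). List links are ignored,
    so unlinked records, and recently exited processes, are found too."""
    out, pos = [], image.find(POOL_TAG)
    while pos != -1:
        _, pid, _, _, name = REC.unpack_from(image, pos)
        if pos != HEAD:
            out.append((pid, _name(name)))
        pos = image.find(POOL_TAG, pos + 1)
    return out


def psxview(image: bytes) -> list:
    """Cross-view: anything psscan finds that pslist does not is hidden (or exited)."""
    listed = set(pslist(image))
    return [p for p in psscan(image) if p not in listed]


# Constructed sample: four processes, with pid 1337 unlinked by a rootkit.
PROCS = [(4, b"System"), (612, b"lsass.exe"), (1337, b"evil.exe"), (2048, b"explorer.exe")]
IMAGE = build_image(PROCS, hide_pid=1337)

if __name__ == "__main__":
    print("pslist :", pslist(IMAGE))
    print("psscan :", psscan(IMAGE))
    print("psxview:", psxview(IMAGE))
```

The real psxview compares more than two views (thread lists, csrss handle tables, session and desktop enumerations) for the same reason: a rootkit has to unlink a process from every structure the analyst might walk, and missing one is what gives it away.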

What is the purpose of the Volatility 'callbacks' plugin?
a) To list active network connections
b) To dump process memory
*c) To identify and list kernel call-backs
d) To scan for hidden files

In memory forensics, what does the 'idt' plugin in Volatility display?
*a) The Interrupt Descriptor Table (IDT)
b) The list of open files
c) The list of network connections
d) The process handle table

How does a rootkit typically modify system behavior at the kernel level?
a) By changing user account passwords
*b) By modifying or hooking kernel-level data structures and functions
c) By deleting system logs
d) By creating fake user accounts

Which Volatility plugin walks the kernel's loaded-module list (PsLoadedModuleList) to show drivers in load order?
a) driverirp
b) driverscan
c) modscan
*d) modules

Which of the following is a common indicator of kernel-space hooking by malware?
a) Increased disk activity
b) Suspicious network traffic
*c) Unusual modifications to kernel function pointers
d) High memory usage by a single process

Why is the 'timers' plugin in Volatility important for malware analysis?
a) It lists all DLLs loaded by each process
*b) It shows active timers set by the kernel and possibly by malware for
persistence
c) It scans for hidden processes
d) It lists all open network sockets

What does the Volatility 'idt' plugin analyze to help detect malware?
a) Kernel-mode hooks
b) User-mode API hooks
*c) Interrupt Descriptor Table (IDT) for signs of tampering
d) Process memory dumps

*** Security Operation Center : Major defense strategies, Importance of SOC, SIEM, Importance of
SIEM, Case studies pertaining to SOC

What is the primary function of a Security Operations Center (SOC)?
a) To develop software applications
*b) To monitor and analyze an organization’s security posture
c) To manage corporate finances
d) To conduct market research

Which of the following is a major defense strategy employed by a SOC?
a) Penetration testing
*b) User behavior analytics
c) Supply chain management
d) Social media monitoring

Why is the Security Operations Center important for organizations?
a) It reduces operational costs
*b) It provides real-time analysis of security alerts
c) It improves customer satisfaction
d) It streamlines software development

What does SIEM stand for in the context of a SOC?
a) Security Internet Event Management
b) System Integration and Event Monitoring
*c) Security Information and Event Management
d) Secure Internal Event Monitoring

Which of the following is a key benefit of using a SIEM system in a SOC?
a) It increases website traffic
*b) It provides centralized security monitoring
c) It enhances social media presence
d) It manages physical security

How does a SIEM system contribute to the effectiveness of a SOC?
*a) By collecting, correlating and alerting on security events from many sources (automated response is usually added on top through SOAR integration)
b) By managing employee schedules
c) By controlling network access
d) By improving email marketing campaigns

What is a common use case for implementing a SIEM in a SOC?
*a) Monitoring and logging of security events
b) Developing mobile applications
c) Managing financial transactions
d) Conducting market analysis

Which of the following is an example of a major defense strategy used in SOC
operations?
a) Cloud computing
*b) Threat hunting
c) Customer relationship management
d) Content creation

What role does threat intelligence play in a SOC?
a) It generates sales leads
*b) It provides context to security events and incidents
c) It improves network speed
d) It manages data storage

Why are case studies important when discussing SOC operations?
a) They provide entertainment
*b) They offer real-world examples of SOC effectiveness
c) They simplify technical writing
d) They enhance software performance

How does a SOC typically respond to detected threats?
a) By ignoring them
*b) By implementing countermeasures and containment strategies
c) By increasing marketing efforts
d) By closing the business

What is a major component of a SOC's defense strategy?
*a) Incident response planning
b) Public relations
c) Sales forecasting
d) Market research

How can SIEM systems improve the response time to security incidents?
*a) By automating the correlation and analysis of security events
b) By manually reviewing logs
c) By increasing the number of security analysts
d) By outsourcing security operations
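The SIEM questions above say that correlation across events is what turns raw logs into an alert. The block below is an added example, not a vendor rule or code from the original quiz: a minimal correlation rule of the kind a SIEM evaluates, run over constructed authentication log lines. The syslog-like line format, the two-minute window and the threshold of five failures are all assumptions made for the example; a real deployment would tune them and would normally read events from the SIEM's own store rather than a list of strings.

```python
"""A minimal SIEM-style correlation rule run over constructed log lines: N failed logons for
one (account, source) pair inside a time window, followed by a success, raises a
'brute force then success' alert. Added example; the log format is a made-up
syslog-like shape, not any product's format."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) auth: (?P<result>FAIL|OK) "
                  r"user=(?P<user>\S+) src=(?P<src>\S+)$")


def parse(lines) -> list:
    """Normalise raw lines into event dicts; lines that are not auth events are dropped
    here (a real pipeline would count them so parser breakage is noticed)."""
    events = []
    for ln in lines:
        m = LINE.match(ln)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def correlate(events, threshold: int = 5, window: timedelta = timedelta(minutes=2)) -> list:
    """Sliding window per (user, src): remember timestamps of recent FAILs; a success
    preceded by >= threshold failures inside the window is the alert condition."""
    recent = defaultdict(list)
    alerts = []
    for e in events:
        key = (e["user"], e["src"])
        fails = [t for t in recent[key] if e["ts"] - t <= window]   # expire old failures
        if e["result"] == "FAIL":
            fails.append(e["ts"])
            recent[key] = fails
        else:
            if len(fails) >= threshold:
                alerts.append({"rule": "brute_force_then_success", "user": e["user"],
                               "src": e["src"], "failures": len(fails),
                               "at": e["ts"].isoformat()})
            recent[key] = []                                          # success resets the pair
    return alerts


# Constructed sample: alice is sprayed from 203.0.113.7 and the attacker gets in;
# bob fails once and recovers; a kernel line is noise; alice's other source is benign.
SAMPLE_LOGS = [
    "2024-05-01T09:00:00 dc01 auth: FAIL user=alice src=203.0.113.7",
    "2024-05-01T09:00:10 dc01 auth: FAIL user=alice src=203.0.113.7",
    "2024-05-01T09:00:20 dc01 auth: FAIL user=bob src=198.51.100.9",
    "2024-05-01T09:00:25 dc01 auth: FAIL user=alice src=203.0.113.7",
    "2024-05-01T09:00:40 dc01 auth: FAIL user=alice src=203.0.113.7",
    "2024-05-01T09:00:55 dc01 auth: OK user=bob src=198.51.100.9",
    "2024-05-01T09:01:05 dc01 auth: FAIL user=alice src=203.0.113.7",
    "2024-05-01T09:01:30 dc01 auth: FAIL user=alice src=203.0.113.7",
    "2024-05-01T09:01:45 dc01 kernel: eth0 link up",
    "2024-05-01T09:01:50 dc01 auth: OK user=alice src=203.0.113.7",
    "2024-05-01T09:05:00 dc01 auth: FAIL user=alice src=192.0.2.44",
    "2024-05-01T09:05:30 dc01 auth: OK user=alice src=192.0.2.44",
]


def run(lines=SAMPLE_LOGS) -> list:
    return correlate(parse(lines))


if __name__ == "__main__":
    for a in run():
        print(a)
```

Keying on the (user, source) pair rather than on the user alone is a deliberate choice: it keeps a user's own typos from masking a spray from elsewhere, at the cost of missing an attacker who rotates source addresses, which a second rule keyed on user only would cover.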

Which of the following is a benefit of having a dedicated SOC within an
organization?
a) Increased product sales
*b) Enhanced ability to detect and respond to security incidents
c) Improved graphic design
d) Better customer reviews

What is an example of a successful SOC case study?
a) A company launching a new product
*b) An organization successfully mitigating a ransomware attack using SOC
capabilities
c) A business achieving high sales targets
d) A firm expanding its market presence
