Digital Malware Analysis - V2


Digital Malware Analysis

Prelude
Welcome to the Malware Analysis course. These are the topics covered in this course:

- Introduction to Malware Analysis
- Types of Malware
- Secure Lab Set-Up
- Malware Analysis Methodology
- Static Analysis
- Dynamic Analysis
- IDA Pro (Advanced Static Analysis)
- OllyDbg (Advanced Dynamic Analysis)

What is Malware?
Malware, or malicious software, is any program or code written to cause harm, delivered as an executable, a script, or any other piece of software. Attackers use malware to steal sensitive data, spy on infected systems, take control of devices, and even destroy the data on them. Malware typically enters a system or network through communication channels such as email, the web, or USB drives.

What Can Malware Do?

Malware can carry out harmful actions such as:

- Interrupting computer operations.
- Stealing sensitive data, including personal details, business details, and financial data.
- Gaining unauthorized access to systems.
- Spying on computers and networks.
- Sending spam e-mails.
- Launching Distributed Denial of Service (DDoS) attacks.
- Locking the files on the computer and demanding a ransom.
- Destroying data, systems, and networks.

What is Malware Analysis?

Malware analysis is the examination of the properties and behavior of malicious files, processes, or code to understand what the malware does, how it executes, where it came from, and why it was designed. This understanding helps to identify and eliminate the malware from the network and to build a secure, defensive environment for the organization's network.

Malware Symptoms
Some symptoms of a malware infection:

- Decreased system performance
- Loss of data or files from the system
- Unauthorized data modification
- Failure to launch the OS or software
- Unusually high network activity
- Increase in file sizes or in data packets on the network
- Friends or coworkers report suspicious behavior

Why is Malware Analysis Needed?

The purpose of malware analysis is to identify the malware, its intended functionality, its deployment and execution mechanism, and its source. This helps in identifying and eliminating the malware from a system or network.
Some reasons why we need to perform malware analysis:

- To identify the type of malware and its intended function, e.g., information stealer, Trojan, spam, keylogger, ransomware, or rootkit.
- To identify Indicators of Compromise (IOCs): the artifacts generated on a system or network by malware activity that can be linked back to the malware, e.g., IP addresses, URLs, registry keys, and hash values.
- To identify the source of the malware (a command-and-control server or some other parent malware process).
- To contain the spread of the malware and prevent further attacks.

Types of Malware
When performing malware analysis, one has to understand the types of malware. Knowing the type speeds up the analysis, because the appropriate analysis method and tools can be selected based on the type identified. Let's look at some of the leading types of malware below.

Backdoor
Malicious code that installs itself onto a computer to give the attacker access. Backdoors usually let the attacker connect to the computer with little or no authentication and execute commands on the local system.


Trojan
This malware disguises itself as a regular program to trick users into installing it on their systems. Once installed, it can perform malicious activities such as stealing sensitive data, uploading files to the attacker's server, or monitoring webcams.

Downloader or Dropper
Once an attacker gains access to a system, they can easily install a downloader. This malicious code exists only to download and install additional malicious code on behalf of the attacker.

Adware or Spyware
This malware displays unwanted ads to the user. It mostly arrives bundled with free downloads and can forcibly install software on the system.

Botnet
Similar to a backdoor, but here a group of computers infected with the same malware (called bots) wait to receive instructions from a command-and-control server controlled by the attacker.

The attacker can then issue commands to these bots to perform malicious activities such as DDoS attacks or sending spam emails.

Information Stealing

Malware that gathers information from a victim's computer (keyloggers, spyware, sniffers, and password hash grabbers) and habitually sends it to the attacker.

This malware is used to gain access to online accounts such as email and online banking.

Ransomware
This malware holds the system for ransom by locking the user out of their files or by encrypting the files.

Rootkit
This malware provides the attacker with privileged access to the infected system and hides its own presence or the presence of other software. Rootkits are usually paired with other malware, such as a backdoor that gives the attacker remote access, and make that code difficult for the victim to detect.

Worm or Virus
This malware is capable of replicating itself and spreading to other computers.

- A virus needs user interaction to spread.
- A worm can spread without user interaction.

Why is a Lab Environment Needed?

To analyze malicious software or programs without affecting the analysis (host) system, a controlled lab environment is required. A malware lab can be simple or complex depending on the available system resources (hardware, virtualization software, analysis tools, etc.).

Lab Requirements
A virtual machine is a software program that behaves like a separate computer and can perform tasks such as running applications. Virtual machines are available for different operating systems (Windows, Linux, macOS).
A controlled virtual environment is recommended when performing dynamic analysis, where a malware sample is executed. To set up a controlled lab environment, install a virtual machine with the appropriate malware analysis tools. The virtual machine can be reset to its original state after the analysis is complete.
Download Links:
VMware - Windows / Linux and Mac.
VirtualBox - All operating systems

Sample Lab Set-Up

[Image: sample lab set-up preview]


Two virtual machines, one with a Linux OS and the other with a Windows OS, should be created and configured in 'host only' network mode.
The Linux VM is configured with the IP address 127.258.1.120, and the Windows VM is configured with the IP address 182.127.1.100.
The default gateway and the DNS server of the Windows VM are set to the IP address of the Linux VM (127.258.1.120), so that the Windows VM's network traffic is routed through the Linux VM.
The virtual machines are configured to simulate network services (DNS, HTTP, etc.) so that responses are available when the malware needs them during analysis.
During malware analysis, the malware sample is executed in the Windows VM, and the network traffic is monitored in the Linux VM.

VirtualBox Lab Set-Up

This video demonstrates the lab set-up for malware analysis.

Create a Controlled Lab Environment
A controlled lab environment should be created to perform malware analysis without affecting the physical host system. A few points for a controlled lab environment:
- Create a virtual machine with the appropriate OS configuration, network configuration, hardware configuration, etc.
- If you are going to analyze Windows malware, use a different OS (Linux or macOS) for your host system. If the malware escapes the virtual machine, it will then not harm your host system.
- Use simulated network services to restrict network traffic, and configure a 'host only' network, to prevent the malware from propagating through the network.
- Do not connect removable media to, or store sensitive information in, the VM where the malware analysis is performed.

Malware Analysis Methodology

Examining malicious software involves four stages, distinguished by the nature of the analysis techniques they use. As shown in the image, the closer a stage is to the top, the more difficult it is.

Stages in Malware Analysis

There are four general stages in malware analysis:

- Manual Code Reversing
- Interactive Behavior Analysis
- Static Properties Analysis
- Automated Analysis

Let's look at these stages below.

Manual Code Reversing (or) Reverse Engineering Malware
Manual code reversing requires a disassembler and a debugger, which can be supported by a decompiler, plugins, and specialized tools that automate some aspects of the work. Only manual code reversing can provide insights such as:

- Decoding encrypted data stored in the sample.
- Determining the logic of the malicious program.
- Understanding its domain generation algorithm.
- Understanding additional capabilities of the sample that did not show themselves during behavior analysis.

Reversing code takes much time, and the required skill set is relatively rare, since the investigator needs to know assembly language. For this reason, many malware investigations do not dig into the code much. However, reversing even some of the code increases the analyst's understanding of the malicious program.

Interactive Behavior Analysis

Behavioral analysis investigates how the sample runs in the lab environment to understand its registry, file system, process, and network activity. Observing how the program uses memory (e.g., by performing memory forensics) can bring extra insight. This malware analysis stage is most beneficial when the researcher interacts with the malicious program.

Static Properties Analysis

An analyst will want to take a closer look at a suspicious file by examining its static properties. This can be done relatively quickly, as it does not require the malicious program to run. Static properties include the strings embedded in the file, header details, hashes, embedded resources, packer signatures, metadata such as the creation date, etc. Analyzing static properties is useful as part of the incident triage effort.

Automated Analysis
Using automated tools is one of the easiest ways to assess suspicious files. These tools quickly evaluate a sample and produce reports with details such as the registry keys used by the malicious program, mutex values, file activity, and network traffic.
These tools will not provide as many insights as a human analyst would obtain. However, they help the incident response process cope with a vast amount of malware, which lets humans focus their attention on the cases that need it.

Types of Malware Analysis

Standard malware analysis is classified into two types:
- Static Analysis:
  - The analysis of a suspicious file, executable, or process to understand its contents.
  - It does not involve code execution.
  - Key activities under static analysis include decompiling, static properties analysis, analysis of system calls, and analysis of strings.
- Dynamic Analysis:
  - The study of the run-time behavior of malware to determine its malicious properties and its interactions with the system environment.
  - Activities under dynamic analysis include network analysis, file system modification monitoring, and registry analysis.

We will look at these analyses in detail below.

What is Static Analysis?

Static analysis is a technique used to analyze suspected files and processes without executing them, and it is the first step in studying malware. It investigates the code or the structure of a program to determine its function. Static analysis can be further divided into basic and advanced static analysis.
Basic static analysis involves the following steps or techniques, depending on the type of suspected file:

- Scanning with antivirus applications
- Fingerprinting the malware (hashing)
- Extracting the strings embedded within the file
- Identifying obfuscation or packing
- Examining the Portable Executable (PE) file format
- Classifying and comparing malware samples

Let's look at each of these below.

Scanning with Antivirus Applications
The first step is to scan the suspected file using multiple antivirus programs. This helps to determine whether the suspected file has already been reported or is detected by antivirus applications. Antivirus tools rely on a database of identifiable characteristics of known suspicious code (file signatures), as well as behavioral and pattern-matching analysis (heuristics), to identify suspect files. If the antivirus databases do not have a matching signature for the suspicious file, the malware will not be detected by that antivirus software.
Hence, we use VirusTotal, which scans with multiple antivirus engines and generates a report giving the total number of engines that marked the file as malicious, the malware name, and additional information about the malware if available.

VirusTotal Tool
VirusTotal is an online malware analysis tool that provides a web-based malware scanning service. We can upload a file, and it scans the suspicious file using multiple antivirus scanners, with the results published in real time on the web page. VirusTotal also lets you search its database by hash, URL, domain, and IP address.
There is also VirusTotal Graph, built on top of the VirusTotal dataset. It visualizes the relationships between a submitted file and its associated indicators, such as domains, IP addresses, and URLs, which you can navigate to gain additional details.
Reference: VirusTotal Online Scanner, VirusTotal Documentation

Hashing - Fingerprinting the Malware
Hashing is a common method of identifying malware by calculating its hash value. A hash value is an alphanumeric value generated when a hashing algorithm is applied to a data set (a file, folder, etc.). The hash value remains unique to the data set as long as the data set is not changed or modified, and so it uniquely identifies the data. A hash value can be obtained for a suspicious file by using hash-calculating software. MD5, SHA1, and SHA256 are some of the commonly used hashing algorithms.
Uses of cryptographic hashing in malware analysis:
- Identifying malware samples by filename is ineffective, because the same malware sample can use different filenames. The hash is calculated from the file content, which remains the same, so hashes are used to identify suspect files.
- During dynamic analysis, malware can copy itself to a different location or drop a different piece of malware. By hashing the dropped file, we can identify whether it is a copy of the same sample or a new one.
- A file hash is used as an indicator to share with other security researchers to help identify the sample.
- A file hash helps to determine whether the sample was previously detected, by searching online or in the databases of multi-antivirus scanning engines such as VirusTotal.

Tools for Hashing - Linux

On a Linux system, file hashes can be generated using the md5sum, sha256sum, and sha1sum utilities as shown below.

$ md5sum sample.exe
6e4e030fbd2ee786e1b6b758d5897316 sample.exe

$ sha256sum sample.exe
01636faaae739655bf88b39d21834b7dac923386d2b52efb4142cb278061f97f sample.exe

$ sha1sum sample.exe
625644bacf83a889038e4a283d29204edc0e9b65 sample.exe

Tools for Hashing - Windows
On a Windows system, file hashes can be generated using md5deep as shown below.

C:\>md5deep c:\WINDOWS\system32\sample.exe
373e7a863a1a345c60edb9e20ec32311 c:\WINDOWS\system32\sample.exe

Many other hashing tools are available; see the Reference link and pick one after careful review.
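As an added example (not the course's own code), the following Python script does what the two hashing cards describe: it fingerprints a sample with MD5, SHA1, and SHA256, and then uses the SHA-256 value to tell whether files dropped during dynamic analysis are renamed copies of the original sample or genuinely new files. The sample bytes and the file names used in demo() (sample.exe, dropped_copy.exe, payload.dll) are constructed for the demonstration.

```python
"""Fingerprint a malware sample by content hash and recognise dropped copies.

Added example, not the course's code. The sample bytes and the three file
names used in demo() are constructed for the demonstration.
"""
import hashlib
import os
import tempfile

ALGORITHMS = ("md5", "sha1", "sha256")


def hash_bytes(data):
    """Return {algorithm: hexdigest} for an in-memory buffer."""
    return {name: hashlib.new(name, data).hexdigest() for name in ALGORITHMS}


def hash_file(path, chunk_size=1 << 20):
    """Return {algorithm: hexdigest} for a file, read in chunks so that a
    large sample never has to fit in memory at once."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def classify_dropped(original_path, dropped_paths):
    """Compare files dropped during dynamic analysis with the original sample.

    Filenames are ignored on purpose: a sample that copies itself elsewhere
    under a new name still has the same SHA-256. Returns {basename: verdict}
    where verdict is "copy" (same content) or "new" (worth its own analysis).
    """
    reference = hash_file(original_path)["sha256"]
    verdicts = {}
    for path in dropped_paths:
        same = hash_file(path)["sha256"] == reference
        verdicts[os.path.basename(path)] = "copy" if same else "new"
    return verdicts


def demo():
    """Write a constructed sample plus two 'dropped' files, then classify them."""
    sample = b"MZ" + bytes(range(256)) * 8          # stand-in for sample.exe (constructed)
    with tempfile.TemporaryDirectory() as tmp:
        original = os.path.join(tmp, "sample.exe")
        renamed = os.path.join(tmp, "dropped_copy.exe")   # same bytes, different name
        payload = os.path.join(tmp, "payload.dll")        # different bytes
        for path, content in ((original, sample), (renamed, sample), (payload, sample + b"\x90" * 16)):
            with open(path, "wb") as fh:
                fh.write(content)
        return classify_dropped(original, [renamed, payload])


if __name__ == "__main__":
    for name, digest in hash_bytes(b"MZ" + bytes(range(256)) * 8).items():
        print(f"{name:7} {digest}")
    print(demo())
```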

Extracting Strings
Strings are sequences of ASCII or Unicode characters embedded within a file (ASCII strings use 1 byte per character, and Unicode strings use 2 bytes per character). By extracting strings, we get clues about the functionality of the suspect binary.
Among the extracted strings, we can find references that the binary contains, such as URLs, IP addresses, attack commands, filenames, domain names, and registry keys. Although strings alone may not give a full understanding of the scope and ability of the file, they do give hints about the capability of the malware.
Tools for extracting strings: Pestudio, PPEE (Puppy), and Strings from Microsoft.

Finding Strings
Most invalid strings are obvious because they do not represent legitimate text. For example, the following shows the result of running Strings against the file bb6.ex_:

C:\>strings bb6.ex_

98.134.24.1                                                      ❹
e-@
GetLayout                                                        ❶
GDI32.DLL                                                        ❸
SetLayout                                                        ❷
M}C
Mail system DLL is invalid. Send Mail failed to send message.    ❺

❶ ❷ - GetLayout and SetLayout are Windows functions used by the graphics library. Windows function names normally begin with a capital letter, and each subsequent word also begins with a capital letter, so these are easy to recognize as meaningful strings.
❸ - GDI32.DLL is meaningful because it is the name of a common Windows dynamic link library (DLL) used by graphics programs. (DLL files contain executable code that is shared among multiple applications.)
❹ - 98.134.24.1 is an IP address and may be linked to the malware's activity.
❺ - This is an error message. The most valuable information obtained by running Strings is often found in error messages. This message reveals two things:

- The malware most likely sends messages via email.
- It depends on a mail system DLL.

With this information, we should check the email logs for suspicious traffic.
Malware often uses legitimate libraries and DLLs to accomplish its goals.
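As an added example (not from the course), here is a small Python extractor that pulls both ASCII and UTF-16LE ("Unicode", 2 bytes per character) strings from a binary and sorts them into the categories discussed above: IP addresses, URLs, registry keys, DLL names, CamelCase Windows API names, and error messages. The SAMPLE buffer is constructed to reproduce the bb6.ex_ strings output plus a made-up URL and registry key; it is not a real binary.

```python
"""Extract ASCII and UTF-16LE strings from a binary and triage them.

Added example, not the course's code. SAMPLE is a constructed byte buffer that
reproduces the bb6.ex_ strings output above plus a URL and a registry key.
"""
import re

MIN_LEN = 4  # same default minimum length as the Sysinternals strings tool

# ASCII strings: one printable byte per character.
ASCII_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
# "Unicode" strings in Windows binaries are UTF-16LE: printable byte, then 0x00.
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)

IP_RE = re.compile(r"^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$")
URL_RE = re.compile(r"^(?:https?|ftp)://", re.IGNORECASE)
REG_RE = re.compile(r"^(?:HKEY_[A-Z_]+\\|Software\\)", re.IGNORECASE)
DLL_RE = re.compile(r"^[\w.-]+\.dll$", re.IGNORECASE)
# Windows API names are CamelCase with no spaces (GetLayout, SetLayout, CreateFileW).
API_RE = re.compile(r"^(?:[A-Z][a-z0-9]+){2,}[AW]?$")


def extract_strings(data):
    """Return (offset, encoding, text) tuples, in file order, for both encodings."""
    found = [(m.start(), "ascii", m.group().decode("ascii"))
             for m in ASCII_RE.finditer(data)]
    found += [(m.start(), "utf-16le", m.group().decode("utf-16le"))
              for m in UTF16_RE.finditer(data)]
    return sorted(found)


def classify(text):
    """Bucket a string the way an analyst does when skimming strings output."""
    if IP_RE.match(text):
        return "ip-address"
    if URL_RE.match(text):
        return "url"
    if REG_RE.match(text):
        return "registry-key"
    if DLL_RE.match(text):
        return "dll"
    if API_RE.match(text):
        return "win-api"
    if len(text.split()) >= 3:        # multi-word text is usually an error/status message
        return "message"
    return "other"                    # printable junk such as instruction bytes


def by_category(data):
    """Group the extracted strings by category, preserving file order."""
    groups = {}
    for _offset, _encoding, text in extract_strings(data):
        groups.setdefault(classify(text), []).append(text)
    return groups


# Constructed sample: NUL-separated ASCII strings, then two UTF-16LE strings.
SAMPLE = (
    b"\x00" * 4
    + b"98.134.24.1\x00e-@\x00GetLayout\x00GDI32.DLL\x00SetLayout\x00M}C\x00"
    + b"Mail system DLL is invalid. Send Mail failed to send message.\x00\x00"
    + "http://example.invalid/update.php".encode("utf-16le") + b"\x00\x00"
    + "Software\\Microsoft\\Windows\\CurrentVersion\\Run".encode("utf-16le") + b"\x00\x00"
)

if __name__ == "__main__":
    for offset, encoding, text in extract_strings(SAMPLE):
        print(f"{offset:#08x}  {encoding:8}  {classify(text):13}  {text}")
```

Strings shorter than MIN_LEN such as e-@ and M}C are dropped, which is why they do not appear in the output of the real tool either unless the minimum length is lowered.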

Packed and Obfuscated Malware

Malware authors often use programs such as packers and cryptors to obfuscate their code, to avoid detection by security products such as antivirus and to confuse analysis. Packers also compress the malicious program, which makes analysis harder.

Detecting Packers - Exeinfo PE
Many tools help to detect packers such as UPX; examples are PEiD and Exeinfo PE. Exeinfo PE is a freeware tool with a GUI for Windows. It has more than 4,500 signatures (stored in userdb.txt in the same directory) to detect the various compilers, packers, or cryptors used to build a program.

PE Header Information
A PE (Portable Executable) file consists of a header followed by a series of sections. The header contains metadata about the file. After the header come the actual sections of the file, each of which contains useful information.
For example, Visual Studio uses .text for executable code. Windows does not care about the actual section name, since it uses other information in the PE header to determine how a section is used. Moreover, section names are sometimes obfuscated to make analysis more difficult.
Reference link: PE File Headers and Sections.

Portable Executable - PEview Tool

The PE file format stores its information in the header, and we can use the PEview tool to read it.
Section sizes help in detecting packed executables. For example, if the Virtual Size is much larger than the Size of Raw Data, the section takes up more space in memory than on disk. This often indicates packed code, particularly if the .text section is larger in memory than on disk.
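As an added example (not from the course), the following Python script performs the PEview check above programmatically: it reads the PE section table with a hand-written parser and flags executable sections whose Virtual Size is far larger than their Size of Raw Data, or that have no raw data at all, plus sections that are both writable and executable. The two PE images are constructed in memory (a UPX-style layout and an ordinary compiler layout), so no real sample is needed; the field offsets are those of the IMAGE_FILE_HEADER and IMAGE_SECTION_HEADER structures.

```python
"""Walk a PE section table and flag sections that look packed.

Added example, not the course's code. It implements the PEview check above
(Virtual Size versus Size of Raw Data) with a hand-written header parser.
Both PE images are constructed in memory, so no real sample is needed.
"""
import struct

# IMAGE_SECTION_HEADER (40 bytes): Name[8], VirtualSize, VirtualAddress,
# SizeOfRawData, PointerToRawData, PointerToRelocations, PointerToLinenumbers,
# NumberOfRelocations, NumberOfLinenumbers, Characteristics.
SECTION_HEADER = struct.Struct("<8sIIIIIIHHI")

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_sections(data):
    """Return one dict per section header, in file order."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    file_hdr = e_lfanew + 4                      # IMAGE_FILE_HEADER, 20 bytes
    num_sections = struct.unpack_from("<H", data, file_hdr + 2)[0]
    opt_size = struct.unpack_from("<H", data, file_hdr + 16)[0]
    table = file_hdr + 20 + opt_size             # section table follows the optional header
    sections = []
    for i in range(num_sections):
        f = SECTION_HEADER.unpack_from(data, table + i * SECTION_HEADER.size)
        sections.append({"name": f[0].rstrip(b"\x00").decode("ascii", "replace"),
                         "virtual_size": f[1], "virtual_address": f[2],
                         "raw_size": f[3], "raw_pointer": f[4], "characteristics": f[9]})
    return sections


def packing_indicators(sections, ratio=2.0):
    """Return (section name, reason) pairs that hint at a packer.

    Only executable sections are judged on size: a data section larger in
    memory than on disk is normal (zero-filled .bss tail), but an executable
    section with no bytes on disk, or far more bytes in memory, is where a
    packer's stub writes the unpacked code at run time.
    """
    findings = []
    for s in sections:
        chars = s["characteristics"]
        executable = chars & (IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_CNT_CODE)
        vs, rs = s["virtual_size"], s["raw_size"]
        if executable and rs == 0 and vs > 0:
            findings.append((s["name"], "no-raw-data"))
        elif executable and rs and vs / rs >= ratio:
            findings.append((s["name"], "virtual-much-larger"))
        if chars & IMAGE_SCN_MEM_EXECUTE and chars & IMAGE_SCN_MEM_WRITE:
            findings.append((s["name"], "writable-executable"))
    return findings


def build_pe(section_specs):
    """Construct a minimal PE32 image: DOS stub, headers and section table only.

    section_specs: iterable of (name, virtual_size, raw_size, characteristics).
    """
    specs = list(section_specs)
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    opt = b"\x00" * 0xE0                                           # zeroed PE32 optional header
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(specs), 0, 0, 0, len(opt), 0x0102)
    table = b"".join(
        SECTION_HEADER.pack(name.ljust(8, b"\x00"), vsize, 0x1000 * (i + 1),
                            rawsize, 0x400 * (i + 1), 0, 0, 0, 0, chars)
        for i, (name, vsize, rawsize, chars) in enumerate(specs))
    return dos + b"PE\x00\x00" + file_hdr + opt + table


# Constructed images: a UPX-style layout versus an ordinary compiler layout.
PACKED_SAMPLE = build_pe([
    (b"UPX0", 0x1E000, 0x0000, 0xE0000080),   # empty on disk, filled by the unpacking stub
    (b"UPX1", 0x0A000, 0x9C00, 0xE0000040),   # compressed payload plus stub, RWX
    (b".rsrc", 0x1000, 0x1000, 0xC0000040),
])
NORMAL_SAMPLE = build_pe([
    (b".text", 0x4F80, 0x5000, 0x60000020),   # code: read + execute, raw size >= virtual size
    (b".data", 0x2000, 0x0800, 0xC0000040),   # data with a .bss tail: larger in memory, but normal
    (b".rsrc", 0x1000, 0x1000, 0x40000040),
])

if __name__ == "__main__":
    for label, image in (("packed", PACKED_SAMPLE), ("normal", NORMAL_SAMPLE)):
        for s in parse_sections(image):
            print(f"{label:6} {s['name']:6} vsize={s['virtual_size']:#8x} raw={s['raw_size']:#8x}")
        print(label, "indicators:", packing_indicators(parse_sections(image)))
```

To run it against a real file, pass the bytes of the file to parse_sections() in place of the constructed images.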
Conclusion
By using the relevant tools, we can perform static analysis on malware to gain some insight into its function. However, static analysis is only the first step, and further analysis is needed. The next step is to set up an isolated and controlled environment in which to run the malware and perform dynamic analysis.

What is Dynamic Analysis?

Dynamic analysis, also called behavioral analysis, involves analyzing a suspected sample by executing it in a controlled environment, monitoring its interactions with the operating system and network, and analyzing the malware's impact on the system. In static analysis, we learned tools, concepts, and techniques for examining different aspects of a suspect binary without executing it.
You will learn the following topics:

- Dynamic analysis tools and their features
- Simulating internet services

For a safe environment, see the "How to set up your lab" card above.

System and Network Monitoring

When we execute a malware program, it interacts with the system in various ways and performs multiple activities. These activities include dropping additional files on the file system, creating, deleting, or modifying registry keys, and downloading other components from the command-and-control server.
These are the different types of monitoring that can be done during dynamic analysis:

- Process monitoring: monitor process activity during malware execution and review the results.
- Network monitoring: monitor the live network traffic of the system during malware execution.
- Registry monitoring: monitor the registry keys that are created, accessed, modified, or deleted, and the registry data read or written by the malicious program.

Monitoring the malware's interaction with the system and network gives better insight into the nature and purpose of the malware.

Process Monitoring - Process Monitor Tool
Process Monitor is an advanced monitoring tool that shows the real-time interaction of processes with the file system, registry, and process/thread activity. Run the tool as Administrator and it immediately starts capturing all system events. To stop capturing events, press Ctrl+E; to clear all events, press Ctrl+X. The filter option hides unwanted entries and lets you filter on specific attributes; to access it, press Ctrl+L. The image below shows a filter configured to display only the events related to a specific process.
Download link for Process Monitor.

Process Monitor (Filter)

[Image: Process Monitor filter dialog] We can easily filter down to the necessary events as shown in the image.

Network Monitoring - Wireshark

Wireshark is an open source tool that captures network traffic. It is used to analyze internal networks and network usage, debug application issues, and study protocols in action. In malware analysis it helps to understand the communication channel between the malware and the network it reaches out to.
It can also be used to sniff passwords (if sent in plain text), reverse-engineer network protocols, steal sensitive information, etc.
Download link for Wireshark.

Registry Monitoring - Regshot

Regshot is an open source tool that compares two registry snapshots. Click the 1st Shot button to take the first snapshot, then perform the activity of interest, such as executing the malware. Once the activity is complete, click the 2nd Shot button. Click the Compare button to compare the two snapshots and see what changes the malware execution made to the registry.
Download link for Regshot.

Simulating Internet Services - INetSim
It is not a good idea to let the malware connect to its real C2 (command-and-control) server during analysis. To provide a simulated network environment in which the malware can still exhibit its intended behavior, we use a tool called INetSim.
INetSim is open source, Linux-based software that simulates standard internet services such as HTTP, HTTPS, FTP, IRC, DNS, and SMTP. Once INetSim is launched, it simulates these services, as shown in the image.

INetSim Default Ports

Once started, INetSim listens on the default ports of the services it imitates, as shown in the image below.

INetSim
INetSim behaves like a real server. Its HTTP and HTTPS server simulations serve whatever is requested: for example, if the malware requests a PNG file from a website in order to carry out its operation, INetSim responds with a PNG. Although the PNG might not be the file the malware is looking for, the server does not return errors such as 404, and the response helps to keep the malware running.
INetSim can also record all inbound requests and connections, which is useful for determining whether the malware connects to a standard service and for seeing the requests it makes.
Conclusion
Basic dynamic analysis of malware can support and confirm the findings of basic static analysis.

Advanced Static Analysis - Introduction
Advanced static analysis involves reverse engineering the malicious executable with the help of a disassembler to analyze its code in assembly language. This provides a deeper understanding of the functions of the malware code and its intended purpose.

Disassembly
Malware on disk is in binary form, called machine code. Disassembly converts the binary form into assembly language, so we can view the malware's code and figure out what it does.
Disassembly helps in reverse engineering malware binaries to understand the various functions of the code and identify the instructions embedded in it. Tools such as IDA Pro help in disassembling and decompiling malware code.

IDA Pro
Interactive Disassembler Professional (IDA Pro) is an extremely powerful disassembler distributed by Hex-Rays. It is used by reverse engineers, malware analysts, and vulnerability researchers. It runs on Windows, Linux, and macOS and supports the analysis of different file formats, including PE, ELF, and Mach-O.
Download link for IDA Pro.

Disassembly Window
After the executable has been loaded, you are presented with the disassembly window, also known as the IDA View window, which displays the disassembled code.
IDA shows the disassembled code in two display modes:

- Graph view
- Text view

We can switch between the two display modes by pressing the spacebar.

Conclusion
IDA Pro is a useful disassembler for examining and analyzing the code a malware program is built from. This helps in understanding its purpose and mode of execution.
Browse this link for the IDA Pro reference.

Advanced Dynamic Analysis - Introduction
Advanced dynamic analysis helps to identify the characteristics of the malware by analyzing the binary code using techniques such as debugging.

Debugging
Debugging malware lets us examine more of the code by executing it one instruction at a time. In this course, we look at the debuggers OllyDbg and WinDbg.

OllyDbg
OllyDbg was developed by Oleh Yuschuk. It provides the ability to analyze malware while it is running. OllyDbg is commonly used by malware analysts and reverse engineers because it is free, easy to use, and has many plug-ins that extend its capabilities.
Download OllyDbg.

OllyDbg Interface

The OllyDbg windows display information as follows:

[Image: OllyDbg interface]
❶ Disassembler window - This window shows the debugged program's code and the surrounding instructions. Pressing the spacebar within this window lets us modify instructions or data, or add new assembly instructions.
❷ Registers window - This window shows the current state of the registers for the debugged program. As the code is stepped through, registers whose values change turn from black to red, as in the image above.
❸ Stack window - This window shows the stack in memory for the debugged thread, with the top of the stack for that thread. We can modify a stack location by right-clicking it and selecting Modify.
❹ Memory dump window - This window shows a dump of live memory for the debugged process. We can click a memory address and select Follow in Dump to dump that memory region.

Conclusion
OllyDbg is a popular debugger for malware analysis, with advanced features for performing dynamic analysis and debugging the malware. OllyDbg is especially useful for its conditional breakpoints, which can break on the parameters of function calls or on access to a particular region of memory.

Data files containing detection and/or remediation code that antivirus or antispyware products use to identify malware are known as ___________.
Security logs

We can detect compilers used for building an exe using _________.
All the options

Wireshark can be used to steal sensitive information over a network.
True

Registry activity can be monitored with the help of ____________.
Regshot

Which one of the options is a Windows hashing tool?
md5deep

Course Summary
Finally, you have arrived at the end of the course. Let's see what you have grasped from the course so far.

- Introduction to Malware Analysis
- Types of Malware
- Secure Lab Set-Up
- Malware Analysis Methodology
- Static Analysis
- Dynamic Analysis
- IDA Pro (Advanced Static Analysis)
- OllyDbg (Advanced Dynamic Analysis)

Harmful programs utilized to disrupt computer operation, collect sensitive information, or get access to private computer systems are generally known as ___________.
All the options

Which of the following system calls is anticipated to be utilized by a keylogger?
GetAsyncKeyState

Which of the following options is also called crypto-malware?
Ransomware

Pick the right hashing algorithm.
MD5

Registry activity can be monitored with the help of ___________.
Regshot

A type of Trojan installed through an exploit or an email attachment onto a PC is known as __________.
Downloader

Malicious code activated by a specific event or when a particular condition is met is known as
Logic Bomb

Adware tracks browsing habits to provide better-targeted ads based on users' interests.
True

A computer program comprising a malicious segment that connects itself to an application program or other executable component is known as __________.
Flash cookie

_______________ is used by a hacker in order to mask intrusion and obtain administrator permissions to a computer.
Rootkit

A type of malware that performs unwanted and harmful actions in the disguise of a legitimate program is known as _________.
Trojan

A network of infected systems under the control of a hacker, whose intention is to damage other computer networks by making them unavailable, is called __________.
DDoS attack

In computer security, the component of the malware which is responsible for performing the malicious action is referred to as ___________.
Payload

A disassembler is used to convert machine language instructions to assembly language.
True

The time stamp of a file can be viewed with the help of PEview.
True

Registry activity can be monitored with the help of ____________.
Regshot

_______________ is used by a hacker to mask intrusion and obtain administrator permissions to a computer.
Rootkit

Which one of the following options is a debugging tool?
WinDbg

A collection of computers infected with a malicious tool/software under the control of a hacker is called _________.
Botnet

Malware that limits access to a computer system by locking the entire system down or encrypting files until the user executes a requested action is called ________.
Ransomware

Which of the following is/are steps included in static analysis?
None of the options

Which of the following types of files is supported by IDA Pro?
.exe

Which of the following tools fully supports the idea of breakpoints?
Debugger

Data files comprising detection and/or remediation code that antispyware or antivirus products utilize to recognize malware are called ________.
Security logs

FINAL EXAM

Which of the following fields in a PE file specifies the address of the instruction that should be executed first after loading the executable?
File offset - WRONG

Which of the following option/options is/are steps included in dynamic analysis?
All the options

The process by which malware avoids detection by changing the underlying code is known as polymorphism.
True

Adware can trace browsing habits to provide better-targeted ads based on users' interests.
True

Which of the following options are the common phases of malware analysis?
Identification and containment - WRONG

A computer program carrying a malicious segment that joins itself to another executable component or an application program is called ___________.
Adware - WRONG
