Professional Documents
Culture Documents
Unit 5
Unit 5
25 Which command-line tool can be used to list running processes and their handles in Windows? ps tasklist ls procmon tasklist 58
26 What is the purpose of accessing objects by a process through handles in malware analysis? To directly manipulate kernel objects To directly access objects in user space To perform subsequent operations on objects indirectly To bypass kernel memory restrictions To perform subsequent operations on objects indirectly 58
27 What is a common method used by malware to maintain persistence on a system? Modifying the system BIOS Creating scheduled tasks Manipulating the boot sector Modifying the firewall settings creating scheduled tasks 49
28 Which of the following is NOT a common technique used by malware to evade detection? Polymorphic code Signature-based detection Process injection Code obfuscation Code obfuscation 49
28 Which is not of the following is not a mode of malware distribution? Download from the internet Watching video on internet spam email None of the above C 55
All of the above All of the above
29 Why is it important to list process handles during malware forensics investigations? To find evidence of unauthorized access to system resources To determine if malware is using handles to hide from antivirus software To identify communication between malware and other processes 46
The memory usage of the target process
30 If a malware sample is suspected of injecting code into another process, what information from the process handles might help confirm this behavior? The type of handle and the process it's linked to The network connections of the target process The permissions associated with the handle The type of handle and the process it's linked to 46
What is the primary purpose of malware unpacking? To hide the presence of malware on a system To extract the original code of a packed malware sample To encrypt sensitive data on the system To enhance the performance of the malware To extract the original code of a packed malware sample
31 85
What is the purpose of using virtual machines or sandboxes in malware unpacking? To provide a safe environment for executing malware samples To physically isolate malware from the rest of the system To slow down the execution of malware To analyze malware without any computational resources To provide a safe environment for executing malware samples
What command can be used in PowerShell to retrieve command history? Get-History Retrieve-History Show-History View-History Get-History 57
In Linux-based systems, where is the command history typically stored? /var/log/messages /etc/commands.log ~/.bash_history /usr/bin/history ~/.bash_history 57
37 Which Volatility plugin is used to extract command history from a memory image? psscan cmdscan consoles cmdline cmdscan 128
38 If the cmdscan plugin does not display any command history entries, what could be a possible reason? The memory image is corrupted The system did not execute any commands The plugin is not compatible with the memory image profile All of the above All of the above 128
39 What tool is commonly used to inspect the Windows Registry? Task Manager Command Prompt Registry Editor Disk Cleanup Registry Editor 22
40 Which of the following is NOT typically stored in the Windows Registry System settings User preferences Installed programs Temporary internet files Temporary internet files 22
How does simple encoding differ from encryption? Simple encoding makes data unreadable, while encryption makes data indecipherable Simple encoding is reversible, while encryption is irreversible Simple encoding requires a key, while encryption does no There is no difference between them Simple encoding is reversible, while encryption is irreversible 92
Simple encoding is often used to: Increase the size of the malware Decrease the size of the malware Obfuscate the intent of the malware None of the above Obfuscate the intent of the malware 92
Which of the following statements is TRUE about decoding base64 encoded malware? It is a computationally expensive process It requires the original key used for encoding Decoding tools are readily available Decoded malware is always in a functional state Decoding tools are readily available 92
What does it indicate when MalwareBytes finds malicious registry keys but no malicious files or processes? The malware has been completely removed, but the registry keys are left behind. The malware has relocated itself to evade detection. Another program has deleted the files but left the registry keys. All of the above. All of the above 73
What is the recommended action when Rogue Killer detects possible malware in the registry? Delete the registry entries. Create a system restore point and delete the entries. Seek expert help before taking any action. Seek expert help before taking any action. Seek expert help before taking any action. 73
What is the purpose of the Sticky Keys attack in Windows? To replace the sethc.exe binary with something that can provide a shell. To execute cmd.exe from the logon screen. To provide a shell without needing to authenticate. All of the above. All of the above. 73
50 Which of the following Windows services is known to be a common target for malware persistence mechanisms? Remote Procedure Call (RPC) Windows Update Windows Time Security Accounts Manager (SAM) Remote Procedure Call (RPC) 170
51 Which of the following commands can be used to check for services running under the context of the "SYSTEM" account? tasklist /svc net start sc queryex wmic service get name,startname wmic service get name,startname 170
52 kill-ps list-dir lepp ldd
53 Which command is used to list dynamic-link libraries (DLLs) currently loaded into memory in Windows? list-ps list-dll dir-dll tasklist /m tasklist /m
Which of the following commands can be used to list all the shared libraries a binary depends on in Linux?
80 Which of the following techniques involves inserting non-functional code into the malware to confuse analysts? Code optimization Dead code insertion Code encryption Code signing Dead code insertion 80
80 What is a common method used in malware obfuscation to make the code harder to read and analyze? Adding comments to the code Removing unnecessary code Renaming variables and functions with random names Using descriptive function names Renaming variables and functions with random names 80
What is the primary purpose of extracting command history in malware forensics? A. To identify the source of the malware B. To understand the behavior of the malware C. To decrypt the encrypted files by the malware D. To remove the malware from the system B. To understand the behavior of the malware 144
Which of the following tools can be used to extract command history during malware forensics? A. Wireshark B. Volatility C. YARA D. Nessus B. Volatility 144
Which step in memory forensics involves the examination of volatile data structures to identify running processes, network connections, and loaded modules? Memory acquisition Memory analysis Memory preservation Memory reporting Memory analysis 157
In memory forensics, what does the process of "memory imaging" involve? Capturing a snapshot of the entire RAM content Analyzing file system metadata Extracting data from a hard disk Identifying network connections Capturing a snapshot of the entire RAM content 157
Which part of the SANS six-part memory analysis methodology is used to examine libraries and other files associated with a rogue process? Volatilty Strings Redline Encase Strings 95
Which of the following is typically not something that can be examined using memory forensics Running processes Network connections Loaded Dynamic Link Libraries (DLLs The Master File Table (MFT) The Master File Table (MFT) 95
How does a fileless malware attack differ from traditional malware? It requires physical contact with the infected device It resides in system memory without a file footprin It spreads through infected email attachments It targets specific geographic locations It resides in system memory without a file footprint 74
When investigating a suspected malware infection using Volatility, which of the following actions would be LEAST helpful? Dumping the physical memory of the infected system Analyzing network connections to identify suspicious activity Examining loaded processes for unusual names or behaviors Recovering deleted files from the disk Dumping the physical memory of the infected system 123
You suspect a process named "updateservice.exe" might be malicious. Which Volatility command would be most useful to investigate further? history get_history extract history strings pslist 123
Which command is used for extracting the details of the operating system? history echo uname wc
Which command is commonly used to extract command history in Unix/Linux systems? Ransomware Adware Rootkit Ransomeware
What is custom encoding in the context of malware obfuscation? A technique to hide malware from antivirus programs A method to encode malware payloads using predefined algorithms An approach to encode malware using unique algorithms or transformations
A process of encrypting malware using industry-standard encryption algorithms
An approach to encode malware using unique algorithms or transformations 48
What is the primary purpose of custom encoding in malware? To increase the size of the malware file To decrease the complexity of the malware code To evade detection by antivirus programs To make malware execution faster To evade detection by antivirus programs 48
What role does custom encoding play in the lifecycle of a malware attack? It only occurs during the initial infection phase. It is primarily used during the propagation phase. It is essential for maintaining persistence on infected systems. It helps conceal the malware's presence and intent throughout its lifecycle.
It helps conceal the malware's presence and intent throughout its lifecycle. 48
which command-line utility can be used to analyze and manipulate DLLs in Windows regsvr32 dumpbin regedit msconfig dumpbin 86
which command line tool can be used in windows to list dynamic link libraries (DLL's) loaded in a process ls dlllist tasklist ldd Tasklist 168
Which Windows Sysinternals tool is specifically designed for analyzing processes and the DLLs they load? Process Explorer Task Manager Performance Monitor Resource Monitor Process Explorer 168
88 Which obfuscation technique involves altering the structure of the malware without changing its functionality? Encryption Polymorphism Steganography Rootkitting Polymorphism 88
What is the primary purpose of obfuscating malware through encryption? To increase the size of the malware To slow down the execution of the malware To evade detection by antivirus software To improve the functionality of the malware To evade detection by antivirus software 88
Which of the following tools can be used to dump the executable code and data from a running process for analysis? Proc Dump Task Manager Registry Editor Command prompt Proc Dump 180
In the context of malware analysis, what is the primary purpose of dumping an executable or DLL? To extract embedded resources such as strings and metadata To analyze the behavior and functionality of the binary To decrypt encrypted sections of the binary To compress the file for storage purposes To analyze the behaviour and functionality of the binary 180
Which of the following best describes malware encryption? A technique used by malware to hide its presence and evade detection. A method used by antivirus software to remove malware from a system A process of encrypting legitimate files to protect them from unauthorized
A strategy
access.
employed by hackers to encrypt sensitive data on a victim's computer forA ransom.
technique used by malware to hide its presence and evade detection. 183
What is a common purpose of malware encryption? To improve the performance of the infected system. To enhance the user experience by encrypting files. To prevent security researchers from analyzing the malicious code. To increase the visibility of the malware to antivirus programs. To prevent security researchers from analyzing the malicious code. 183
What is a computer network? A device used to display information on a computer screen A type of
A collection of interconnected computers and devices that can communicate and share resources software used to create documents and presentations
Which of the following best describes the significance of listing processes and their handles in malware analysis? It helps identify legitimate system processes and distinguish them from potentially
It allowsmalicious
analysts ones.
to track resource allocation and usage, aidingIt in
provides
the detection
insightofinto
abnormal
inter-process
behavior.
communication (IPC) mechanisms
It assists in identifying
exploited system
by malware
vulnerabilities
for lateral that
movement.
could
It allows
be leveraged
analystsby
to malware
track resource
for privilege
allocation
escalation.
and usage, aiding in the detection
127of abnormal behavior.
Which of the following methods can be used to list processes and their handles in Windows for malware analysis? Task Manager Process Explorer PowerShell All of the above All of the above 127
What is the primary purpose of listing process handles in malware analysis? a- to identify potential legitimate processes b- to terminate legitimate processes c- to hide the presence of malware d- to bypass antivirus detection a- to identify potential legitimate processes 47 Arshdeep Kaur
which information can be obtained by listing process handlesin malware Analysis? a-File Hashes b-Registry Keys c-Network Connection d-Loaded Libraries d-Loaded Libraries 47
Which of the volatility option displays the supported plugins? vol.py -h vol.py -p vol.py -v vol.py -f vol.py -h 146
which command is used for extracting the details of the operating system cd echo uname wc uname
which command is commonly used to extract command history history get-history extract-history command-history history
history