GREM Analyzing Web-Based Malware Questions and Answers

Question 1

An analyst is examining a malicious JavaScript file and finds a long, concatenated string of `String.fromCharCode(104,101,108,108,111)`.
This code, when executed, produces a readable string.
What is the primary purpose of this technique?

Accepted Answer

To evade signature-based detection by network security devices.

Answer

To compress the script to reduce bandwidth usage.

Answer

To ensure compatibility with older web browsers.

Answer

To execute code with elevated system privileges.

Question 2

A user gets their machine infected with ransomware after visiting a well-known, legitimate news website without clicking on anything suspicious. Analysis reveals the infection originated from a malicious advertisement served through a third-party ad network on the site. Which of the following terms best describes this infection vector?

Accepted Answer

Malvertising

Answer

Phishing

Answer

Spear Phishing

Answer

Watering Hole Attack

Question 3

A malware analyst needs to investigate a drive-by download attack. Their goal is to capture the full redirection chain, analyze the exploit kit's landing page, and deobfuscate the JavaScript code in a controlled environment. Which of the following tools is best suited for intercepting, viewing, and modifying the HTTP/S traffic between the browser and the server?

Accepted Answer

Burp Suite

Answer

Wireshark

Answer

IDA Pro

Answer

Volatility

Question 4

In a typical exploit kit infection chain, what is the primary role of the "landing page"?

Accepted Answer

To fingerprint the victim's browser and plugins to select a suitable exploit.

Answer

To serve as a command-and-control (C2) server for the botnet.

Answer

To redirect the user to a legitimate website after the infection is complete.

Answer

To host the final malware payload for direct download.

Question 5

While analyzing the `manifest.json` file of a suspicious browser extension, a security analyst finds the following permission entry: `"permissions": ["<all_urls>"]`. What is the most significant risk associated with this permission?

Accepted Answer

The extension can read and modify data on any website the user visits.

Answer

The extension can modify the browser's bookmark list.

Answer

The extension can access the user's local file system.

Answer

The extension can prevent the browser from being updated.

Question 6

An analyst observes malicious JavaScript on a webpage that creates an HTML element with an `id` attribute matching a global variable name used by the page's legitimate scripts (e.g., `<a id="config">`). The malicious script does this to overwrite the legitimate `config` object in the global scope. What is this specific technique of manipulating the DOM to hijack variables called?

Accepted Answer

DOM Clobbering

Answer

Cross-Site Scripting (XSS)

Answer

SQL Injection

Answer

Clickjacking