GREM - Giac Reverse Engineering Malware Malicious Executable Analysis Questions and Answers

Question 1

An analyst is performing static analysis on a suspicious Windows executable.
They observe a high-entropy section within the PE file and a very small import address table (IAT) that only lists functions like `LoadLibraryA` and `GetProcAddress`.
Which of the following techniques has the malware likely employed?

Accepted Answer

Packing or Encryption

Answer

Process Hollowing

Answer

DLL Side-Loading

Answer

COM Hijacking

Question 2

During dynamic analysis of a malicious executable in a debugger like x64dbg, a reverse engineer sets a breakpoint on `CreateRemoteThread`. What is the most likely activity the analyst is trying to observe?

Accepted Answer

The malware injecting code into the virtual address space of another process.

Answer

The malware attempting to achieve persistence by creating a new service.

Answer

The malware encrypting files on the local filesystem.

Answer

The malware exfiltrating data over an encrypted C2 channel.

Question 3

Which of the following is a primary advantage of performing static analysis with a disassembler like Ghidra or IDA Pro over dynamic analysis in a sandbox?

Accepted Answer

It allows for the examination of code without the risk of executing the malware and infecting the system. [2, 5]

Answer

It guarantees the observation of all possible execution paths and behaviors.

Answer

It is more effective against heavily obfuscated or packed samples.

Answer

It provides a complete picture of the malware's network communications.

Question 4

A malware analyst is examining the PE header of a suspicious file and wants to identify the external functions it calls from system libraries. Which part of the PE structure should they focus on?

Accepted Answer

The Import Address Table (IAT)

Answer

The Export Directory

Answer

The Resource Section

Answer

The DOS Stub

Question 5

A reverse engineer is analyzing a malware sample and suspects it establishes persistence by modifying a registry key that causes it to execute on system startup. Which of the following Windows API calls would be most indicative of this behavior?

Accepted Answer

RegSetValueExW

Answer

CreateFileW

Answer

Socket

Answer

GetSystemTime

Question 6

While performing dynamic analysis, an analyst observes a malware sample executing a child process in a suspended state, unmapping its memory, and then writing new code into its address space before resuming the thread. What is this specific code injection technique called?

Accepted Answer

Process Hollowing

Answer

DLL Side-Loading

Answer

API Hooking

Answer

COM Hijacking