GREM In-Depth Executable Analysis Questions and Answers

Question 1

An analyst is examining a malware sample that does not list any suspicious Windows APIs in its Import Address Table (IAT).
During dynamic analysis, the analyst observes the malware loading `kernel32.dll`, enumerating its exported functions, calculating a hash for each function name, and comparing it against a hardcoded list of values.
This technique is primarily used for what purpose?

Accepted Answer

To dynamically resolve API function addresses and evade static analysis detection.

Answer

To check for the presence of a debugger by hashing debugger-specific function names.

Answer

To perform process injection by finding and hashing the address of `CreateRemoteThread`.

Answer

To identify and hook API calls made by other processes for espionage.

Question 2

A malware analyst observes a sequence of actions: a legitimate process, such as `svchost.exe`, is created in a suspended state. The memory associated with its main executable module is then unmapped and replaced with malicious code. Finally, the process's primary thread is resumed. Which of the following code injection techniques best describes this scenario?

Accepted Answer

Process Hollowing

Answer

DLL Injection

Answer

Thread Execution Hijacking

Answer

IAT Hooking

Question 3

During static analysis of a PE file, a large amount of seemingly random data is found within the `.rsrc` section. Further investigation reveals that the malware's code at some point reads from this section, performs a decryption routine, and then writes the result into a newly allocated executable memory region. What is the most likely purpose of storing data in the `.rsrc` section in this manner?

Accepted Answer

To conceal a secondary malicious payload or shellcode.

Answer

To store configuration data such as C2 server IP addresses and user agents.

Answer

To store legitimate icons and images to make the file appear benign.

Answer

To store relocation information needed for ASLR compatibility.

Question 4

A sophisticated malware sample will only execute its primary malicious function if it detects a specific corporate domain name and a particular registry key value is present on the system. If these conditions are not met, it remains dormant. This advanced anti-analysis technique is best described as:

Accepted Answer

Environmental Keying

Answer

Polymorphism

Answer

Stalling Code

Answer

API Hashing

Question 5

While analyzing a 32-bit PE file in a disassembler, a reverse engineer notices that the file lacks a `.reloc` section. What is the primary implication of a missing relocation section for this executable?

Accepted Answer

The executable cannot be loaded if its preferred base address is already in use by another module.

Answer

The file is a Dynamically Linked Library (DLL), not an executable.

Answer

The file's import table is encrypted and must be manually reconstructed.

Answer

The executable is packed and will rebuild the relocation table in memory at runtime.

Question 6

An analyst is investigating a rootkit that intercepts file system operations. They notice that whenever a process calls `CreateFileW`, a malicious logging function is executed first before the legitimate API function is called. This is achieved by overwriting the function's address for `CreateFileW` within the process's memory. Which technique specifically modifies these function pointers to redirect execution?

Accepted Answer

IAT Hooking

Answer

Process Doppelgänging

Answer

API Hashing

Answer

Thread Local Storage (TLS) Callback Injection