GRID - GIAC Response and Industrial Defense ICS Malware Analysis Questions and Answers

Question 1

An analyst performs static analysis on a suspicious executable found on an HMI.
The analysis of embedded strings reveals hardcoded byte sequences corresponding to DNP3 function code 13 (Cold Restart) and object group 70 (File Transfer).
What is the MOST likely purpose of this malware?

Accepted Answer

To disrupt or manipulate the physical process by rebooting remote devices and altering device files.

Answer

To exfiltrate historical process data for industrial espionage.

Answer

To encrypt files on the HMI and demand a ransom payment.

Answer

To establish a persistent command and control channel using the DNP3 protocol for long-term access.

Question 2

A malware sample is suspected of targeting a specific Rockwell ControlLogix PLC. The malware does not execute its primary payload in a standard IT virtual machine sandbox. Which of the following environments would be MOST effective for dynamic analysis of the malware's full capabilities?

Accepted Answer

An isolated physical lab containing the targeted PLC model, an engineering workstation, and network monitoring tools.

Answer

A cloud-based sandbox with generic Windows and Linux virtual machines.

Answer

The production engineering workstation, with enhanced endpoint monitoring enabled.

Answer

A high-interaction IT honeypot designed to mimic enterprise services.

Question 3

During malware analysis, an investigator discovers a file with a '.ACD' extension being staged on a compromised engineering workstation. Why is this finding particularly significant in an ICS environment?

Accepted Answer

It is a project file for Rockwell Studio 5000, indicating the attacker is modifying or crafting PLC logic. [32]

Answer

It is a database file used by the HMI to store alarm and event logs.

Answer

It is a compressed archive containing malware components that will be unpacked at runtime.

Answer

It is a configuration file for the network communication driver, like RSLinx.

Question 4

Which of the following is a primary objective of malware specifically designed for an Operational Technology (OT) environment, distinguishing it from most traditional IT-focused malware?

Accepted Answer

Manipulation of physical processes to cause disruption or destruction.

Answer

Financial gain through data encryption and ransomware notes.

Answer

Large-scale theft of personally identifiable information (PII) for resale.

Answer

Creation of a botnet for use in Distributed Denial-of-Service (DDoS) attacks.

Question 5

An analyst is performing dynamic analysis on a malware sample in an isolated ICS lab. They observe the malware sending a specially crafted packet to a Siemens S7 PLC, which causes the PLC to enter a 'STOP' state. The malware then begins communicating with an external IP address. This behavior is a classic example of which ICS attack technique?

Accepted Answer

A denial of control attack followed by establishing command and control (C2).

Answer

A man-in-the-middle attack to intercept and modify process data.

Answer

A ransomware attack where the PLC is held hostage until a payment is made.

Answer

A supply chain compromise targeting the PLC vendor's update mechanism.

Question 6

When performing static analysis on a malware binary targeting an ICS environment, which of the following artifacts would be the STRONGEST indicator of its intended purpose?

Accepted Answer

Embedded strings referencing specific PLC memory addresses (e.g., %MW100, N7:10) or proprietary protocol function codes.

Answer

A list of common Windows registry keys used for persistence.

Answer

A high-entropy section indicating the use of a packer.

Answer

The presence of functions like 'CreateFile' and 'WriteFile' from the standard Windows API.