GREM - Giac Reverse Engineering Malware Malicious Executable Analysis Questions and Answers

Question 1

An analyst is performing static analysis on a suspicious Windows executable. They observe a high-entropy section within the PE file and a very small import address table (IAT) that only lists functions like `LoadLibraryA` and `GetProcAddress`. Which of the following techniques has the malware likely employed?

Accepted Answer

Packing or Encryption

Answer

High-entropy sections often indicate compressed or encrypted data. Packers compress or encrypt the original executable code and wrap it in an unpacking stub. This stub has a minimal IAT, often just containing `LoadLibraryA` and `GetProcAddress`, which it uses to dynamically resolve the necessary APIs to decompress/decrypt and execute the original malicious payload in memory. [22, 10]

Question 2

During dynamic analysis of a malicious executable in a debugger like x64dbg, a reverse engineer sets a breakpoint on `CreateRemoteThread`. What is the most likely activity the analyst is trying to observe?

Accepted Answer

The malware injecting code into the virtual address space of another process.

Answer

`CreateRemoteThread` is a Windows API call used to create a thread that runs in the virtual address space of another process. Malware frequently uses this API as part of a code injection technique, where it first writes malicious code into a remote process's memory (e.g., using `WriteProcessMemory`) and then uses `CreateRemoteThread` to execute that code. [15, 7]

Question 3

Which of the following is a primary advantage of performing static analysis with a disassembler like Ghidra or IDA Pro over dynamic analysis in a sandbox?

Accepted Answer

It allows for the examination of code without the risk of executing the malware and infecting the system. [2, 5]

Answer

Static analysis involves examining the executable file without running it. [2] This is its fundamental advantage in terms of safety, as the malicious code is never executed, preventing any potential damage or infection to the analysis environment. [5] Dynamic analysis, by contrast, requires running the malware in a controlled environment, which always carries some level of risk. [1, 24]

Question 4

A malware analyst is examining the PE header of a suspicious file and wants to identify the external functions it calls from system libraries. Which part of the PE structure should they focus on?

Accepted Answer

The Import Address Table (IAT)

Answer

The Import Address Table (IAT) is a crucial part of the PE header that lists all the functions the executable imports from external DLLs (Dynamic Link Libraries). [14, 17] Analyzing the IAT is a key static analysis technique to understand the potential capabilities of a malicious executable, such as file manipulation, network communication, or registry modification, based on the Windows APIs it intends to use. [5, 17]

Question 5

A reverse engineer is analyzing a malware sample and suspects it establishes persistence by modifying a registry key that causes it to execute on system startup. Which of the following Windows API calls would be most indicative of this behavior?

Accepted Answer

RegSetValueExW

Answer

The `RegSetValueExW` function is a Windows API call used to set the data and type of a specified value under a registry key. [16] Malware commonly uses this API to write to well-known 'Run' keys (e.g., `HKCU\Software\Microsoft\Windows\CurrentVersion\Run`) to ensure it is automatically executed every time the user logs on, thereby achieving persistence. [36]

(GREM) Giac Reverse Engineering Malware Practice Test

(GREM) Giac Reverse Engineering Malware Practice Test

GREM - Giac Reverse Engineering Malware Malicious Executable Analysis Questions and Answers