GREM Malware Analysis Fundamentals Questions and Answers

Question 1

An analyst is performing static analysis on a suspected malicious executable. Which of the following activities would they most likely perform during this phase?

Accepted Answer

Examining the Portable Executable (PE) header to identify imported DLLs and functions.

Answer

Static analysis involves examining a malware sample without executing it. Analyzing the PE header provides valuable metadata about the file, such as the libraries (DLLs) it imports and the specific functions it uses from those libraries. This can give clues about the malware's capabilities (e.g., networking, file system manipulation) before running the code. The other options all involve executing the malware, which is characteristic of dynamic analysis.

Question 2

A malware analyst observes a program making calls to `RegSetValueExA`, `CreateServiceA`, and writing a file to the `C:\Windows\System32` directory. This behavior is most indicative of which malware characteristic?

Accepted Answer

Persistence

Answer

The observed actions are common techniques for establishing persistence on a Windows system. `RegSetValueExA` is used to modify the registry, and `CreateServiceA` creates a new service, both of which can be used to ensure the malware runs automatically after a reboot. Placing a file in a system directory like `System32` is also a common tactic for hiding malicious components that will be launched at startup. Data exfiltration involves sending data out, lateral movement involves spreading to other systems, and obfuscation involves hiding the code's true intent.

Question 3

During dynamic analysis, you notice that a malware sample first calls `IsDebuggerPresent` and then immediately terminates if the API call returns true. Which of the following best describes this technique?

Accepted Answer

Anti-analysis

Answer

This is a classic anti-analysis (specifically, anti-debugging) technique. The malware is actively checking if it is being run within a debugger or analysis environment. If it detects a debugger, it changes its behavior (in this case, by terminating) to prevent the analyst from observing its true malicious actions. Packing is a form of obfuscation, code injection involves running code in the context of another process, and polymorphism involves the malware changing its own code to avoid signature-based detection.

Question 4

An analyst encounters a piece of malware that has been disguised using a simple, single-byte XOR operation to hide its strings and configuration data. Which of the following is the most effective and common first step to reverse this obfuscation?

Accepted Answer

Perform a brute-force attack by XORing the data with every possible key from 0x00 to 0xFF.

Answer

Because a single-byte XOR uses one of only 256 possible keys (0x00 to 0xFF), a brute-force attack is computationally trivial and a very common first step. The analyst can quickly script a loop to XOR the entire encoded data blob with each possible key and look for readable ASCII strings or known file headers in the output. While other methods can work, this is often the fastest way to get an initial look at the hidden data.

Question 5

Which section of a Windows Portable Executable (PE) file typically contains the program's executable code?

Accepted Answer

.text

Answer

The `.text` section of a PE file is the standard location for the executable code (machine instructions) of the program. The `.rsrc` section contains resources like icons and images, the `.data` section contains initialized global and static variables, and the `.reloc` section contains information for relocation of addresses in memory.

(GREM) Giac Reverse Engineering Malware Practice Test

(GREM) Giac Reverse Engineering Malware Practice Test

GREM Malware Analysis Fundamentals Questions and Answers