Malware Analysis Techniques Quiz
42 Questions

Questions and Answers

What is the main purpose of Basic Static Analysis?

  • To determine if a file is malicious and gather more information (correct)
  • To run malware in a safe environment
  • To reverse-engineer the malware
  • To execute the file and observe its actions

Advanced Static Analysis requires specialized knowledge in disassembly and code structures.

True

What is a limitation of Basic Static Analysis?

It can't detect complex malwares.

Basic Dynamic Analysis involves running the malware in a ______ to observe its actions.

safe execution environment

Match the malware analysis techniques with their corresponding limitations or characteristics:

  • Basic Static Analysis = Sometimes can't detect complex malwares
  • Advanced Static Analysis = Requires specialized knowledge in disassembly
  • Basic Dynamic Analysis = Not effective against all types of malwares

Which of the following statements best describes Basic Dynamic Analysis?

It involves running malware to observe its actions in a secure environment.

What is the purpose of Advanced Static Analysis?

To provide a detailed understanding of what the malware does.

What does a hash-based signature represent in malware detection?

A simple, unique hash generated from the malware binary

Behavioral-based signatures identify malware based on static attributes.

False

Name one automated tool used in malware detection.

YARA

Malware authors often use ______ techniques to generate new code.

polymorphism

Match the following signature types to their characteristics:

  • Hash-Based Signatures = A simple, unique hash generated from the malware binary
  • Behavioral-Based Signatures = Identify specific behaviors of malware
  • Code Pattern Signatures = Unique assembly instructions characteristic of malware families
  • YARA = Rule-based pattern-matching tool for malware signatures

What is one characteristic of decompilation?

The output resembles the original source code.

Dynamic analysis can reveal hidden functionalities of malware.

True

What is the primary objective of dynamic analysis?

To analyze malware's runtime behavior.

In a sandbox environment, malware behavior is observed in a ______ to prevent it from affecting real systems.

virtualized environment

Match the techniques of dynamic analysis with their descriptions:

  • Sandboxing = Isolating malware execution
  • Debugging = Step-by-step program execution
  • Memory analysis = Examining memory usage
  • Monitoring system changes = Tracking alterations in the system

Which of the following tools is used for decompilation?

Ghidra

Decompilation always produces perfect and complete results.

False

What is a common file format used in Windows executables?

PE (Portable Executable)

Dynamic analysis often involves techniques such as ______ and monitoring network activity.

sandboxing

Which of these methods allows analysts to detect malware behaviors not visible through static analysis?

Dynamic analysis techniques

What is the primary purpose of a sandbox during execution?

To isolate the executed file from the real system

Monitoring in a sandbox includes tracking file modifications, process creation, registry changes, and network activity.

True

What are the key metrics included in the report generated after sandbox execution?

File system changes, network communication, registry modifications, process injection

In debugging, the process of analyzing a program by running it step-by-step is called __________.

debugging

Which statement best describes 'stepping' in the context of malware debugging?

Executing code one instruction at a time

Code manipulation during runtime allows analysts to observe how changes affect a malware's behavior.

True

Name one popular debugging tool used for analyzing malware.

OllyDbg

Memory analysis is focused on examining a system's ________ to find malware-related artifacts.

memory (RAM)

Match the debugging techniques with their descriptions:

  • Breakpoints = Pause malware execution to inspect state
  • Stepping = Execute code one instruction at a time
  • Step-Over = Execute without stepping into functions
  • Step-Into = Observe execution of function calls

Which of the following is NOT a key objective of memory analysis?

Generating performance reports

What is the purpose of the EFLAGS register?

To indicate the status of operations performed by the CPU

The carry flag (CF) is set when the result of an operation is zero.

False

What is dynamic memory allocation and which functions are commonly used for it?

Dynamic memory allocation is the process of allocating memory at runtime using functions like malloc() and free().

The __________ is used to track the next instruction to execute in the CPU.

instruction pointer

Match the following flags with their descriptions:

  • ZF = Set when the result is zero
  • CF = Set when the result is too large or too small
  • SF = Indicates if the result is negative
  • TF = Used for debugging and single instruction execution

Which of the following describes the relationship between RAM and the CPU in the Von Neumann architecture?

CPU executes instructions from RAM and stores results in RAM.

Registers are used by the CPU to hold instructions and data temporarily.

True

What is the main function of the arithmetic logic unit (ALU) in a CPU?

The ALU executes arithmetic and logic operations.

In x86 architecture, segment registers are used to track __________ of memory.

sections

Which of the following is NOT a category of x86 registers?

Memory registers

Study Notes

Malware

• Malware is software intentionally designed to harm or exploit programmable devices, services, or networks.

Types of Malware

• Backdoor: Gives attackers access to a system, allowing them to run commands.
• Botnet: Similar to a backdoor in providing attacker access, but all affected machines receive commands from a central server.
• Downloader: Downloads other malicious software.
• Information-stealing malware: Collects data from a victim machine, including password information for online accounts.
• Launcher: A program that launches other malware.
• Rootkit: Hides malware on a machine.
• Scareware: Tricks users into purchasing fake software by presenting alarming messages.
• Spam-sending malware: Infects machines and uses them to send spam emails.
• Worm or virus: Malicious software that replicates itself and spreads to other computers.

Malware Analysis

• Malware analysis is the process of understanding how malware works, identifying it, and determining how to defeat or eliminate it.
• Advanced skills are not required to perform malware analysis.

Malware Analysis Techniques

• Static Analysis: Examining malware without executing it to identify its characteristics.
• Dynamic Analysis: Running malware in a controlled environment to observe its behavior.

Malware Analysis Environments

• Virtual Machine: A controlled setup in which malware is run and analysed safely.
• Sandbox: A virtualized environment that isolates malware execution so it cannot affect real systems.

Static Analysis Techniques

• File Signature Analysis: Identifies the type and structure of a file (e.g., .exe).
• Header and Section Analysis: Examining file headers and sections (e.g., of a Portable Executable, .exe or .dll) to reveal information about the file.

Dynamic Analysis Techniques

• Sandboxing: Running malware in a safely isolated virtual environment to observe its behaviour without harming the host machine.
• Debugging: Executing malware step-by-step, setting breakpoints, and inspecting its state.

Reverse Engineering

• Reverse engineering is the process of analyzing a system, software, or hardware to understand its design, functionality, and operation by disassembling it into its individual components.

Importance of Reverse Engineering in Cybersecurity

• Malware Analysis: Understanding malware and identifying vulnerabilities.
• Threat Intelligence: Improving knowledge about threats.
• Incident Response: Faster response to security incidents.
• Forensic Investigations: Enabling investigations of security incidents.
• Using the knowledge gained to enhance cybersecurity, not to exploit systems.
• Respecting sensitive information and adhering to legal and ethical boundaries.

Tools for Malware Analysis

• Disassembler: Converts executable code into readable assembly.
• Debugger: Allows malware to be executed step-by-step while its behavior is monitored.
• Hex Editors: Analyze binary files in hexadecimal format.

Instruction Set Architectures

• CPU architecture, instructions, registers, and data types.
• Includes RISC (Reduced Instruction Set Computing) and CISC (Complex Instruction Set Computing).
• Describes memory management, dynamic memory allocation (using malloc and free), and data types.

Instruction Set Extensions

• SSE (Streaming SIMD Extensions) and AVX (Advanced Vector Extensions).
• Discusses how these extensions improve data manipulation and increase processing speed for large amounts of data.
• Shows examples of AVX and SSE instructions.

Malware Analysis Steps

• Initial static analysis.
• Execution in a sandbox or VM.
• Debugging to trace execution flow.
• Memory analysis to identify payloads.
• Network analysis to capture external communications.

Common Malware Behaviors

• Downloader: Downloads additional malware.
• Launcher: Installs other malware.
• Backdoors: Provide remote access to a victim's system (e.g., for command and control or remote administration).
• Reverse Shells: Malware that connects from an infected machine back to an attacker's machine.

Analyzing Network Communications of Malware

• Understanding how malware communicates with C2 servers.
• Using tools to track malware communications, filter HTTP traffic, and track IP addresses for better analysis.

Malware Memory Forensics

• Analyzing memory dumps to identify malicious artifacts and hidden processes.

Malware Fuzzing

• Testing software by providing invalid or unexpected inputs to detect flaws.
• Helps to find bugs or vulnerabilities in the software.
• Exploits can cause unexpected behavior, crashes, or security vulnerabilities.

Firmware Analysis

• Examining firmware code (e.g., BIOS, embedded systems) for malicious activity.
• Includes static and dynamic analysis techniques as well as tools.

Control Flow Analysis and Graphing

• Understanding the sequence and logical path of malware execution.
• Creating a Control Flow Graph that shows the program's different logical paths.
• Identifying important loops and decision paths to determine the behavior of the malware.

Data Flow Analysis

• Examining how data values are generated, modified, and used across the program.
• Helps identify sensitive data (e.g., encryption keys) and how malware interacts with system resources.

Automated Threat Intelligence Analysis

• Automating the collection, processing, and analysis of threat information to improve cybersecurity.

Polymorphic and Metamorphic Malware

• Malicious software that changes its code or appearance upon infection, making it hard to detect.

Description

Test your knowledge on various malware analysis techniques including Basic and Advanced Static and Dynamic Analysis. This quiz covers key concepts, limitations, and characteristics of different analysis methods and tools used in malware detection.