What's Your Malware Analysis Prowess?

10 Questions


Do your malware analysis or reverse-engineering skills need a tune-up? Take this quick quiz to assess your skills and perhaps learn something new in the process. Just because you're curious. The quiz is not meant to be hard. This fun quiz has been brought to you by SANS Institute's Reverse-Engineering Malware course and Lenny Zeltser.


Questions and Answers
  • 1. What are the two most common phases of malware analysis?
    • A. Behavioral and code analysis
    • B. Identification and containment analysis
    • C. Registry and file system analysis
    • D. User and kernel mode analysis

  • 2. Which of the following tools best supports the concept of breakpoints?
    • A. Debugger
    • B. Disassembler
    • C. Sniffer
    • D. Logger

  • 3. Which x86 register is most commonly used for storing a function's return value in assembler?
    • A. ECX
    • B. EIP
    • C. EAX
    • D. EFLAGS

  • 4. In the context of malware analysis, what does the term "patching" refer to?
    • A. Installing software updates that address vulnerabilities in installed software.
    • B. Setting memory breakpoints by modifying access flags on memory segments.
    • C. Stepping through the executable without running every instruction within function calls.
    • D. Modifying a compiled executable to change its functionality without having to recompile it.

  • 5. Which of the following assembly instructions is least likely to be used by malicious code to perform a jump?
    • A. JMP
    • B. XOR
    • C. RET
    • D. CALL

  • 6. Which mechanism is malware least likely to use when defending itself against analysis?
    • A. Inserting junk code instructions
    • B. Employing polarization techniques
    • C. Making use of "tricky" jump instructions
    • D. Detecting the presence of a debugger

  • 7.
    • A. Employing fast-flux DNS techniques
    • B. Embedding an imports table in the malicious executable
    • C. Targeting client-side vulnerabilities
    • D. Packing the malicious executable

  • 8.
    • A. Starting Point
    • B. Point of Origin
    • C. Entry Point
    • D. Thread Origination Point

  • 9.
    • A. GetProcAddress
    • B. VirtualAllocEx
    • C. POP
    • D. GetAsyncKeyState

  • 10. Which of the following Windows registry keys is most useful for malware that aims at maintaining a persistent presence on the infected system?
    • A. HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    • B. HKLM\SECURITY
    • C. %UserProfile%\ntuser.dat
    • D. HKCU\System\CurrentControlSet\Control\MediaProperties