Chapter 32 — Quiz

14 questions: 10 multiple choice, 2 true/false, 2 short answer. Answers and rationale at the bottom. Commit to an answer before you scroll — malware analysis rewards deciding, then checking.


Multiple choice

Q1. The single most important habit before detonating a sample in your analysis VM is to: - A) Disable Windows Defender so it does not interfere - B) Take a clean VM snapshot you will revert to afterward - C) Connect the VM to the real internet so the C2 responds - D) Rename the sample back to its original .exe name

Q2. You are analyzing the implant from a targeted intrusion. The correct way to use a service like VirusTotal is to: - A) Upload the sample so dozens of AV engines can scan it - B) Look up the file's hash, but not upload the sample itself - C) Upload the sample and the memory image for full context - D) Post the C2 address publicly to warn other defenders

Q3. Two samples have completely different SHA-256 hashes but an identical imphash. This most likely means they: - A) Suffered a hash collision - B) Were built from the same source/compiler and import the same functions in the same order — likely variants of one family - C) Are byte-for-byte identical files - D) Have no relationship whatsoever

Q4. A PE section with a Shannon entropy of 7.9 bits/byte most strongly indicates: - A) Normal, structured x86-64 machine code - B) A block of plain ASCII strings - C) Compressed or encrypted data — a packed section or an embedded encrypted payload - D) An empty, zero-filled section

Q5. The import trio VirtualAllocEx + WriteProcessMemory + CreateRemoteThread is the classic signature of: - A) Keylogging - B) Process injection into another process - C) Run-key persistence - D) Network beaconing

Q6. On David Bianco's Pyramid of Pain, which indicator is the most trivial for an attacker to change, and therefore the least durable detection? - A) A TTP (a behavior) - B) A file hash - C) A mutex name - D) A host artifact such as a named pipe

Q7. In a YARA rule, the condition uint16(0) == 0x5A4D ensures that the file: - A) Is smaller than 2 MB - B) Begins with the bytes "MZ" (i.e., is a DOS/PE executable) - C) Contains the string /gate - D) Has a high-entropy resource section

Q8. A malware lab points the sample at a simulated internet (INetSim / FakeNet-NG) rather than no network at all, primarily because: - A) The real internet is needed for Regshot to function - B) Most malware does little if it cannot reach its C2; faking the services makes its network behavior observable while no packet leaves the lab - C) It lets the malware safely download its own updates - D) It makes the VM run faster

Q9. A persistence mechanism that stores its trigger and payload inside the WMI repository rather than as a file on disk is notable because it is: - A) Genuinely impossible to detect - B) "Fileless" — it survives reboot and leaves no executable for a file scan, yet is enumerable in the root\subscription namespace - C) Used only on Linux systems - D) Automatically removed at every reboot

Q10. An analyst writes, "the binary imports CreateRemoteThread, WriteProcessMemory, and VirtualAllocEx." From static analysis alone, the most defensible claim is: - A) "The malware injected code into explorer.exe." - B) "The binary has the capability to perform process injection." - C) "This sample is the work of threat group X." - D) "The malware stole the user's credentials."


True/False

Q11. Static analysis of a sample proves what the malware actually did during this specific incident. (True / False)

Q12. Logging into the attacker's C2 server to retrieve stolen data or "take it down" can itself violate the Computer Fraud and Abuse Act. (True / False)


Short answer

Q13. In one or two sentences, explain why an analyst looks up the hash but does not upload the sample during a targeted intrusion.

Q14. Name three Windows persistence mechanisms malware commonly uses, and for each give one place a responder would look to find it.

---

Answer key

Q1 — B. The snapshot is what makes the VM disposable: you revert to a known-clean state after each detonation so the malware cannot accumulate or persist across runs. (A) is wrong — you monitor, you do not blind yourself; (C) is dangerous and tips off the operator; (D) is done at the moment of detonation, not the most important safety habit.

Q2 — B. A hash lookup reveals nothing new to the attacker; an upload can become visible to the platform's customers — including actors who monitor for their own hashes — letting them burn infrastructure and rotate C2. Reserve uploads for clearly commodity malware.

Q3 — B. The imphash is a hash of the PE import table; samples from the same source/compiler import the same functions in the same order, so a shared imphash links variants whose content hashes differ. It is one of the cheapest attribution signals there is.

Q4 — C. Randomness near the 8.0 ceiling is the fingerprint of compression or encryption — a packer or an embedded encrypted payload. Ordinary code lands around 6.0–6.5; plain data and tables are lower.

Q5 — B. Allocate memory in a remote process (VirtualAllocEx), write code into it (WriteProcessMemory), and run it there (CreateRemoteThread) — the canonical process-injection sequence, used in WEB-07 against explorer.exe.

Q6 — B. Hashes sit at the bottom of the pyramid: a one-byte change and a recompile produce a brand-new hash, so a hash confirms a specific file but never catches the next variant. TTPs (A) sit at the top — hardest to change.

Q7 — B. 4D 5A ("MZ") read little-endian is 0x5A4D; the check confirms the file starts like a real executable. Paired with uint32(uint32(0x3C)) == 0x00004550 (the PE\0\0 at e_lfanew), it keeps the rule from firing on non-PE files.

Q8 — B. Most malware sleeps or exits if its C2 is unreachable, so a no-network lab shows little; the fake services answer DNS/HTTP/etc., the malware believes it reached its operator and reveals its full network behavior, and nothing escapes the isolated network.

Q9 — B. A WMI event subscription (__EventFilter + CommandLineEventConsumer + __FilterToConsumerBinding) stores its logic in the WMI repository, not as an .exe — "fileless" persistence that defeats naive file scans but is still enumerable in root\subscription (theme three: even fileless leaves a trace).

Q10 — B. Imports prove capability, not behavior. The presence of the injection API set supports "the binary can perform process injection"; that it did inject, into what, requires dynamic analysis or memory evidence. (C) is an intelligence assessment, not a forensic finding.

Q11 — False. Static analysis reveals what a program can do — its imports, strings, and structure — not what it did in this incident, and a packed sample may hide nearly everything from static methods. Behavior claims belong to dynamic analysis and memory forensics.

Q12 — True. Possessing and analyzing malware under authorization is lawful and routine, but knowingly accessing the attacker's C2 without authorization — to "hack back" or retrieve data — can violate 18 U.S.C. § 1030. If the infrastructure is abroad, the lawful route runs through MLAT and law enforcement, not your keyboard.

Q13 — Upload OPSEC. Because uploaded samples can become visible to the threat actor (who may monitor for their own hashes), an upload can burn your detection and prompt the operator to rotate infrastructure and go dark; a hash lookup gives you the same intel (known/unknown, family, first-seen) while revealing nothing new to the attacker. Look up the hash; upload only commodity samples.

Q14 — Persistence (any three). Acceptable answers include: Registry Run keysHKCU\...\CurrentVersion\Run and HKLM\...\Run; Windows ServiceHKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath, plus Event ID 7045; Scheduled TaskC:\Windows\System32\Tasks\<name> and the TaskCache registry / schtasks /query; WMI event subscriptionroot\subscription namespace; Startup folder%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup. (Full credit for any three with a correct location.)

Scoring: 13–14 correct — you can run a malware analysis and defend its findings. 10–12 — solid; revisit capability-vs-behavior (Q10, Q11) and the Pyramid of Pain (Q6). 7–9 — re-read "Static analysis" and "Indicators of compromise." 6 or fewer — work the chapter again before the Progressive Project; these decisions get made on live samples, where the wrong one burns an investigation or your lab.