Unit 6 - Practice Quiz

INT250 50 Questions
0 Correct 0 Wrong 50 Left
0/50

1 What is the primary definition of malware in the context of digital evidence analysis?

A. Software designed to improve system performance
B. Network protocols used for secure communication
C. Hardware components that fail due to overheating
D. Malicious software designed to disrupt, damage, or gain unauthorized access to a computer system

2 Which of the following is a common technique used by attackers to spread malware via email?

A. Phishing
B. Port Scanning
C. SQL Injection
D. Packet Sniffing

3 What is a 'Drive-by Download'?

A. Downloading software from a physical drive
B. Copying files from a USB stick
C. Manually downloading a file from an email
D. Unintended download of malicious code by visiting a compromised website

4 Which term describes malicious advertisements used to distribute malware?

A. Adware
B. Malvertising
C. Ransomware
D. Spyware

5 What is the primary goal of Malware Forensics?

A. To understand the capabilities, origin, and impact of a malicious sample
B. To repair broken hardware
C. To increase network speed
D. To design new antivirus software

6 Which analysis type involves examining the malware without executing it?

A. Static Analysis
B. Memory Forensics
C. Behavioral Analysis
D. Dynamic Analysis

7 Which environment is most recommended for performing malware analysis to prevent infection of the host system?

A. A public Wi-Fi network
B. An isolated Virtual Machine (VM) or Sandbox
C. Production Server
D. The analyst's personal laptop

8 In Static Analysis, what is the purpose of calculating the file hash (MD5, SHA256)?

A. To identify the file uniquely and check against databases like VirusTotal
B. To execute the file safely
C. To compress the file size
D. To decrypt the file

9 What tool is commonly used in static analysis to extract readable text strings from a binary?

A. Wireshark
B. Process Monitor
C. Fiddler
D. Strings

10 What does 'packing' refer to in the context of malware?

A. Bundling malware with legitimate software
B. Zipping a file for email
C. Compressing or encrypting the executable to hide its code and evade detection
D. Adding more features to the malware

11 Which file format is the standard executable format for Windows, often analyzed during malware forensics?

A. APK
B. Mach-O
C. PE (Portable Executable)
D. ELF

12 When analyzing a suspicious PDF, what specific element is often looked for as a vector for malicious code?

A. Page margins
B. Text formatting
C. JavaScript
D. Image resolution

13 What is a common indicator of a malicious Microsoft Word document?

A. The document having a .docx extension
B. The file size being under 1MB
C. The use of Arial font
D. The presence of VBA Macros (Visual Basic for Applications)

14 Which tool is specifically designed to analyze the structure of OLE (Object Linking and Embedding) streams in Office documents?

A. Burp Suite
B. Oledump.py
C. Metasploit
D. Nmap

15 What is 'Dynamic Malware Analysis'?

A. Scanning the file with an antivirus
B. Running the malware in a controlled environment to observe its behavior
C. Reading the source code
D. Checking the file creation date

16 Which of the following is a risk associated with Dynamic Analysis?

A. The malware might detect the virtual environment and stop running
B. It is only useful for text files
C. It requires access to the source code
D. It cannot identify network traffic

17 What is the function of a 'snapshot' in a virtual machine during malware analysis?

A. To print the code
B. To save the state of the VM so it can be reverted after infection
C. To record the network traffic
D. To take a picture of the malware author

18 Which tool is widely used to monitor real-time file system, registry, and process activity on Windows?

A. Putty
B. VLC
C. Process Monitor (ProcMon)
D. FileZilla

19 In dynamic analysis, what does observing a change in the 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' registry key usually indicate?

A. The malware is establishing persistence to run on startup
B. The system is updating
C. The screen resolution is changing
D. The browser is clearing cache

20 What is 'Process Injection'?

A. Code belonging to one process being written into the address space of another process
B. Installing a new process via CD
C. Stopping a process efficiently
D. Monitoring a process for errors

21 What is a 'Mutex' (Mutual Exclusion) object often used for by malware?

A. To connect to the internet
B. To delete system logs
C. To ensure only one instance of the malware runs at a time
D. To encrypt user files

22 Which network behavior is characteristic of C2 (Command and Control) communication?

A. Periodic 'beaconing' signals to an external server
B. Windows Update downloads
C. Local printing traffic
D. High bandwidth video streaming

23 What is the purpose of using 'FakeNet' or 'INetSim' during dynamic analysis?

A. To hack into the malware author's computer
B. To simulate internet services (DNS, HTTP) so malware thinks it is online
C. To block all network traffic permanently
D. To increase internet speed

24 What is a Fileless Malware attack?

A. Malware that only targets empty files
B. Malware that exists primarily in memory without writing an executable file to the disk
C. Malware transmitted via paper
D. Malware that deletes all files on a drive

25 Which term refers to legitimate system tools (like PowerShell) abused by fileless malware?

A. Bloatware
B. Shareware
C. Firmware
D. LOLBins (Living off the Land Binaries)

26 Which of the following is a common entry point for fileless malware?

A. Connecting a printer
B. Installing a fresh OS
C. A physical CD-ROM
D. Exploit kits targeting browser vulnerabilities

27 What is the role of WMI (Windows Management Instrumentation) in fileless attacks?

A. It manages the mouse pointer
B. It can be used to execute scripts and maintain persistence without files
C. It is used for graphics rendering
D. It acts as a firewall

28 How does Domain Generation Algorithm (DGA) help malware?

A. It generates strong passwords for the user
B. It generates random domain names to rendezvous with the C2 server, evading blacklists
C. It encrypts the hard drive
D. It speeds up the infection process

29 Which tool is best suited for capturing and analyzing network packets during malware analysis?

A. RegEdit
B. Wireshark
C. Notepad++
D. Resource Hacker

30 What is 'import hashing' (Imphash)?

A. Hashing the network traffic
B. Hashing the user's password
C. Hashing the file name
D. Hashing the list of imported functions to identify related malware samples

31 What is a 'Trojan Horse'?

A. Hardware used to steal data
B. Self-replicating malware
C. Malware disguised as legitimate software to mislead users of its true intent
D. Malware that locks the screen

32 Which component of the PE header contains information about the compilation time of the malware?

A. Pointer to Symbol Table
B. Machine Type
C. Time Date Stamp
D. Subsystem

33 What does the term 'Obfuscation' mean in malware analysis?

A. Making the code difficult for humans and analysis tools to understand
B. Translating the code to English
C. Highlighting important code sections
D. Deleting the code

34 In the context of PDF analysis, what is a '/OpenAction'?

A. A command to close the file
B. A font style
C. A command that specifies an action to perform immediately upon opening the document
D. A permission setting

35 What is 'Sandboxing'?

A. Automated dynamic analysis in a secure environment
B. Playing a game
C. Cleaning the computer case
D. Encrypting a hard drive

36 Which of the following is a symptom of Ransomware?

A. Files are encrypted and a payment note is displayed
B. The web browser opens multiple tabs
C. The mouse moves slowly
D. The computer shuts down randomly

37 What is the primary difference between a Virus and a Worm?

A. Viruses require a host file and user action to spread; Worms are self-replicating and spread automatically
B. Viruses are hardware-based
C. Worms are only for Linux
D. Viruses encrypt files; Worms delete them

38 Why might an analyst check 'Imported Functions' (Imports) in the PE header?

A. To guess what the malware is capable of (e.g., networking, file manipulation)
B. To see the icon
C. To see the file size
D. To check the author's name

39 What does 'Shellcode' refer to in a malicious document?

A. Machine code payload used to exploit a vulnerability
B. The password protection
C. The name of the file
D. The visual layout of the document

40 Which tool allows an analyst to view active TCP and UDP connections in real-time on the host?

A. Notepad
B. Paint
C. Calculator
D. TCPView

41 What is 'DLL Injection'?

A. Scanning DLLs for viruses
B. Forcing a process to load a malicious Dynamic Link Library (DLL)
C. Renaming a DLL file
D. Removing a DLL file

42 What is the 'AutoOpen' macro in Word?

A. A macro that runs automatically when a document is opened
B. A macro that prints the file
C. A macro that changes the font
D. A macro that saves the file

43 How can fileless malware persist using the Windows Registry?

A. By changing the desktop background
B. By disabling the mouse
C. By deleting the registry
D. By storing malicious scripts in registry keys and invoking them via PowerShell

44 Which network protocol is commonly abused for data exfiltration because it is rarely blocked by firewalls?

A. DNS (Domain Name System)
B. DHCP
C. ARP
D. ICMP

45 What is the purpose of 'API Hooking' in malware?

A. To intercept function calls between the system and applications to modify or monitor behavior
B. To speed up the internet
C. To organize files
D. To fix bugs in Windows

46 Which section of a PE file typically contains the executable code?

A. .text
B. .reloc
C. .data
D. .rsrc

47 When analyzing a suspicious URL found in malware, what should an analyst do?

A. Ignore it
B. Open it in their personal browser immediately
C. Email the URL to friends
D. Investigate it using reputation services or a safe sandbox environment

48 What is the primary characteristic of a 'Rootkit'?

A. It is designed to hide the existence of certain processes or programs from normal detection methods
B. It displays ads
C. It spreads via USB
D. It encrypts files

49 What is 'Entropy' used for in static malware analysis?

A. To measure the randomness of data, helping identify packed or encrypted code
B. To measure the network speed
C. To measure the file temperature
D. To count the lines of code

50 Why is 'PowerShell' a frequent target for fileless malware?

A. It is a web browser
B. It is not installed on most computers
C. It has deep access to the Windows API and system management functions without needing new binaries
D. It is a game engine