As opposed to static analysis, _________________ involves running the malware in a controlled environment to monitor how it would interact with the system resources and whether it includes any network capabilities.
Dynamic malware analysis
What refers to the process of studying the behavior of malware by running it in a monitored environment? The environment design should include tools that can capture every action of the malware in detail and provide feedback to the investigator. Virtual systems usually serve as the base for conducting such experiments.
Dynamic malware analysis
Malware Analysis: Dynamic: Investigators use the dynamic analysis to gather valuable information about malware activities, _____________________
Including files and folders created, ports and URLs accessed, called functions and libraries, applications and tools accessed, information transferred, settings modified, and processes and services started by the malware.
Malware Analysis: Dynamic: True or False: An investigator should design and set up the environment for performing dynamic analysis in such a way that the malware cannot propagate to the production network, and the testing system can be returned to a previously saved state in case anything goes wrong during the test.
True
Malware Analysis: Dynamic: Dynamic malware analysis can be performed in two ways. Which of the following are those options?
Monitoring Host Integrity and Observing Runtime Behavior
Malware Analysis: Dynamic: What is the process of studying the changes that have taken place across a system or a machine after a series of actions or incidents?
Monitoring Host Integrity
Malware Analysis: Dynamic: What approach involves taking a snapshot of the system before and after the execution of the malicious specimen using the same tools and analyzing the changes to evaluate its impact on the system and its properties?
Monitoring Host Integrity
Malware Analysis: Dynamic: What involves investigators monitoring the malicious activities of the specimen as it runs on the system? Observing the malware in a runtime environment enables investigators to see how it interacts with the system and the network in real time, which helps them detect its actual functionality and purpose.
Observing Runtime Behavior
Dynamic Malware Analysis: Pre-Execution Preparation:
As dynamic malware analysis requires running the malware, you need to build a proper test environment best suited for this purpose. The procedure for preparing a testbed for dynamic malware analysis is which of the following?
Create a fresh baseline of both Windows and Linux workstations, which should include details of the file system, registry, running processes, event log files, etc.
Dynamic Malware Analysis: Pre-Execution Preparation:
As dynamic malware analysis requires running the malware, you need to build a proper test environment best suited for this purpose. The procedure for preparing a testbed for dynamic malware analysis is which of the following?
You can compare this baseline state with the system's state after executing the malware. This will help in understanding the changes the malware has made across the system.
Dynamic Malware Analysis: Pre-Execution Preparation:
As dynamic malware analysis requires running the malware, you need to build a proper test environment best suited for this purpose. The procedure for preparing a testbed for dynamic malware analysis is which of the following?
List down all device drivers, Windows services, and startup programs
Dynamic Malware Analysis: Pre-Execution Preparation:
As dynamic malware analysis requires running the malware, you need to build a proper test environment best suited for this purpose. The procedure for preparing a testbed for dynamic malware analysis is which of the following?
Install the tools that would be used to capture the changes performed by the malware on the network properties and other system resources, such as file system, registry, and processes
Dynamic Malware Analysis: Pre-Execution Preparation:
As dynamic malware analysis requires running the malware, you need to build a proper test environment best suited for this purpose. The procedure for preparing a testbed for dynamic malware analysis is which of the following?
Generate hash values of the OSes and tools used
Dynamic Malware Analysis: Pre-Execution Preparation:
As dynamic malware analysis requires running the malware, you need to build a proper test environment best suited for this purpose. The procedure for preparing a testbed for dynamic malware analysis is which of the following?
Run the malware that has been collected from the suspect machines on the forensic workstations and begin the monitoring
Monitoring Host Integrity: For host integrity monitoring, ______________________
Investigators must take a snapshot of the baseline state of the forensic workstation prior to the malware execution.
Monitoring Host Integrity: Upon the establishment of the baseline, which has already been done for the Windows workstation as a part of the pre-execution preparation, investigators need to do which of the following?
Run the malware on the Windows workstation for a certain period and take a second snapshot of the workstation
Monitoring Host Integrity: Upon the establishment of the baseline, which has already been done for the Windows workstation as a part of the pre-execution preparation, investigators need to do which of the following?
Compare the second snapshot with the baseline to detect the changes made to the system properties by the malware, such as file systems and registry keys
Monitoring Host Integrity: Investigators can use tools like ______________ that allow the capture and comparison of the system states before and after the malware execution
WhatChanged Portable
Monitoring Host Integrity: What scans for modified files and registry entries and lists them in text file format? The tool should run in the background while the malware is running on the workstation to record changes in the file system and registry.
WhatChanged Portable
Monitoring Host Integrity: What is a system utility that scans for modified files and registry entries? It is useful for checking program installations. _____________ can run from a cloud folder, external drive, or local folder without installing into Windows and uses the 'brute force method' to check files and the registry.
WhatChanged Portable
Monitoring Host Integrity: There are two steps for using WhatChanged Portable. Which of the following are the two steps?
Take a snapshot to get the current state of the computer and Run it again to check the differences since the previous snapshot
Observing Runtime Behavior: ______________ of a malware sample refers to the execution of the malware on a forensic workstation and observing its operations in real time to understand its intent and functionality.
Observing runtime behavior
Observing Runtime Behavior: What involves monitoring the changes in operating system resources upon malware execution?
System Behavior Analysis
Observing Runtime Behavior: System behavior analysis includes monitoring the changes in which of the following system components after the execution of the malware?
Monitoring registry artifacts
Monitoring processes
Monitoring services and startup folders
Examining event logs
Monitoring API calls
Monitoring device drivers
Monitoring files and folders
Observing Runtime Behavior: What involves tracking the malware’s network-level activities?
Network Behavior Analysis
Network behavior analysis includes the monitoring of which of the following network properties?
Monitoring IP Addresses
Looking for Connected Ports
Examining the DNS Entries