Chapter 18 Quiz: Malware Analysis¶

C — Static analysis

Static analysis examines a file's content without executing it — using tools like strings to extract readable text, PEiD or Detect-It-Easy to identify packers/compilers, and pestudio to inspect PE headers, imports, and embedded resources. This is the first-pass triage step before committing to dynamic execution in a sandbox.

B — The binary is packed or uses dynamic API resolution to hide its true capabilities from static analysis

LoadLibraryA and GetProcAddress are the two APIs needed to dynamically load any DLL and resolve any function at runtime. A minimal import table with just these two is a strong indicator that the malware resolves its actual imports at runtime (possibly from an encrypted API hash table), deliberately hiding its functionality from import-based static analysis and AV signatures.

B — Persistence via Winlogon key hijacking

The Userinit registry value specifies executables run by Winlogon during user logon. Appending a malicious binary path to this value (e.g., userinit.exe,C:\malware.exe) is a well-documented persistence technique (MITRE ATT&CK T1547.004). It executes on every user logon and is often used by banking trojans and RATs.

B — That the first two bytes of the file are 'MZ', identifying it as a Windows PE executable

0x5A4D is the little-endian representation of the ASCII bytes 'M' (0x4D) and 'Z' (0x5A) — the "MZ" magic bytes that begin every Windows PE file header. YARA's uint16(0) reads a 16-bit unsigned integer at offset 0. This is a fundamental YARA building block for targeting PE-format files.

B — A dropper writes a second-stage payload to disk and executes it; a loader injects or maps a payload directly into memory without writing to disk

The distinction has significant detection implications: droppers create artifacts on disk that can be recovered and analyzed, while loaders (sometimes called "fileless" loaders) inject shellcode or PE files directly into memory — leaving no file-based indicators and evading file-scanning AV. Modern malware families increasingly use loaders as the first stage to deliver in-memory payloads.

B — Classic remote process injection (T1055.001)

The VirtualAlloc → WriteProcessMemory → CreateRemoteThread sequence is the textbook implementation of remote process injection: allocate memory in the target process, write shellcode or a DLL path into it, then create a remote thread to execute it. This is one of the most commonly reversed injection patterns and is a foundational technique taught in reverse engineering courses.

B — Timing-based anti-debugging (RDTSC/GetTickCount delta checks)

Malware uses RDTSC (Read Time-Stamp Counter) or GetTickCount to record timestamps at two points and compare the delta. Under normal execution the delta is microseconds; under debugging where an analyst has set breakpoints or is single-stepping, the delta is seconds or minutes. If the delta exceeds a threshold, the malware exits, alters behavior, or self-destructs.

B — The MBR destruction prevents the system from booting, and without a backup the disk's partition table and boot loader are irrecoverable from that location

Wipers that overwrite the MBR (as seen in WhisperGate, NotPetya, and Shamoon) cause immediate system unavailability: the BIOS/UEFI cannot locate the boot loader, and the partition table is gone. Recovery requires re-imaging from backup. This technique is used by destructive threat actors to cause maximum disruption rather than financial gain.

C — Wireshark

Wireshark captures live network traffic during sandbox execution, allowing analysts to inspect C2 beaconing intervals, protocol details, HTTP request headers, DNS queries, and embedded strings in network payloads. This produces network-based IOCs (IP addresses, domains, URL patterns, User-Agent strings, JA3 TLS fingerprints) that can be operationalized in detection rules.

B — CreateProcess (suspended) → NtUnmapViewOfSection → VirtualAllocEx → WriteProcessMemory → SetThreadContext → ResumeThread

Process hollowing (T1055.012) creates a legitimate process in a suspended state, unmaps its memory contents, writes malicious code into the now-empty process space, updates the thread context to point to the malicious entry point, then resumes the thread. The result is a legitimate process name (e.g., svchost.exe) executing malicious code — a strong AV/EDR evasion technique.