Cryptography and Malware Analysis practice questions

Practise Certified Ethical Hacker CEH Cryptography and Malware Analysis practice questions — original exam-style scenarios with answer choices, explanations, and analysis of common mistakes.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed by Johnson Ajibi · MSc IT Security
20 questions · Domain: Cryptography and Malware Analysis

What the exam tests

What to know about Cryptography and Malware Analysis

Cryptography and Malware Analysis questions test whether you can apply the concept in context, not just recognise a definition. You need to understand:

  • How the topic appears in realistic exam-style scenarios.
  • Which detail in the question changes the correct answer.
  • How to eliminate plausible but wrong options.
  • How to connect the question back to the wider exam objective.

Watch out for

Common Cryptography and Malware Analysis exam traps

  • Answering from memory before reading the full scenario.
  • Missing a constraint such as cost, availability, security, scope or command context.
  • Choosing a broad answer when the question asks for the most specific fix.
  • Ignoring why the wrong options are tempting.

Practice set

Cryptography and Malware Analysis questions

20 questions · select your answer, then reveal the explanation

Question 1 · easy · multiple choice

A security analyst receives an alert about a suspicious file hash. The analyst wants to check if the file is known malware by querying an online database of malware signatures. Which tool should the analyst use?

During a penetration test, an ethical hacker finds that a web application transmits sensitive data in plaintext over HTTPS. Which of the following best describes this security issue?

A company's internal PKI uses an offline root CA and an online issuing CA. A security engineer needs to revoke a compromised certificate issued by the online CA. Which CRL distribution point should the engineer update?

A security analyst suspects that a user's machine is infected with a keylogger. Which of the following is the most effective method to detect a hardware keylogger?

An ethical hacker is analyzing a piece of malware that uses a custom encryption algorithm. The malware sample contains a hardcoded key that is 16 bytes long. The analyst observes that the encrypted data is the same length as the plaintext. Which encryption mode is most likely being used?

Question 6 · hard · multiple choice

During a forensic investigation, an analyst finds that a malware sample uses a technique to detect if it is running in a sandbox by checking the number of CPU cores. The malware terminates execution if the core count is less than 2. Which anti-analysis technique is this?

Question 7 · medium · multiple choice

A company wants to secure its email communications using digital signatures. Which cryptographic key does the sender use to sign the email?

Which TWO of the following are characteristics of a polymorphic virus? (Choose two.)

Which THREE of the following are types of cryptanalytic attacks? (Choose three.)

You are a security analyst for a medium-sized company. The company uses a custom web application for internal project management. The application uses AES-256-CBC for encrypting sensitive data stored in the database. Recently, the company experienced a data breach where an attacker exfiltrated the entire database. Although the data was encrypted, the attacker was able to decrypt some records. Investigation reveals that the encryption key is stored in a configuration file on the same server, and the initialization vector (IV) is hardcoded in the application code. Additionally, the application uses the same key for all records. Which of the following is the most effective remediation to prevent future decryption of stolen encrypted data?

Refer to the exhibit. An analyst suspects that the downloaded file 'update.exe' may have been tampered with. The vendor's official website lists the SHA256 hash as 4e7c2a8f9b3d1e5f6a0c8b7d2e3f4a5b6c7d8e9f0a1b2c3d4e5f6a7b8c9d0e1f. What should the analyst conclude?

Exhibit


---
C:\> certutil -hashfile C:\Users\Admin\Downloads\update.exe SHA256
SHA256 hash of C:\Users\Admin\Downloads\update.exe:
4e7c2a8f9b3d1e5f6a0c8b7d2e3f4a5b6c7d8e9f0a1b2c3d4e5f6a7b8c9d0e1f
---

During a penetration test, a security analyst discovers that an organization's web application uses HTTP for login forms, potentially exposing credentials to interception. Which of the following is the BEST cryptographic control to implement to protect credentials in transit?

A security engineer needs to configure a web server to support Perfect Forward Secrecy (PFS) for HTTPS connections. Which of the following key exchange methods should be prioritized?

A malware analyst is investigating a suspicious executable that appears to be a Trojan. The analyst runs the executable in a sandbox and observes the following behavior: it creates a hidden file in the %AppData% directory, modifies the Windows registry to add a startup entry, and attempts to connect to an external IP address on port 443 using HTTPS. Which TWO of the following techniques are likely being used by this malware?

Question 15 · hard · multiple choice

You are a security analyst at a financial institution. The SOC has detected anomalous outbound traffic from a server in the DMZ to an unknown IP address on TCP port 8443. The server runs a custom application that normally communicates with internal databases on port 1433. The server's OS is Windows Server 2019. Preliminary analysis shows that a new service named 'UpdateSvc' was installed three days ago, set to start automatically, and runs under the LocalSystem account. The service binary is located at C:\Windows\System32\svchost.exe (the legitimate one). However, the service's 'ImagePath' registry key points to 'C:\Windows\System32\svchost.exe -k UpdateSvc'. Additionally, a scheduled task named 'HealthCheck' runs every hour and executes 'powershell.exe -EncodedCommand <base64>'. The encoded command decodes to a script that downloads a payload from the same unknown IP on port 8443 and executes it in memory. The server has antivirus installed that detected nothing. As the analyst, which of the following is the BEST immediate course of action?

An organization is investigating a potential malware infection. The security analyst observes unusual outbound connections to a known malicious IP address and finds a suspicious process running under a user's session. The analyst decides to perform memory analysis using Volatility. Which TWO commands would be most useful to identify the malicious process and its network connections?

Refer to the exhibit. A security analyst runs netstat on a compromised Windows machine. Based on the output, which process is most likely associated with the malicious activity?

Exhibit


C:\Users\Admin>netstat -anob

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:49152     203.0.113.5:4444       ESTABLISHED     1234
  TCP    192.168.1.10:49153     198.51.100.20:80       TIME_WAIT       5678
  [svchost.exe]
  TCP    192.168.1.10:49154     203.0.113.5:4444       ESTABLISHED     1234
  [explorer.exe]

You are a security analyst for a financial institution. The company has deployed a network of 500 Windows 10 workstations and 50 servers running Windows Server 2019. All systems are protected by a next-generation firewall and an endpoint detection and response (EDR) solution. Recently, several employees reported that their workstations are running slowly and exhibiting unusual pop-up messages demanding a ransom note in Bitcoin. The EDR alerts show that a file named 'invoice.docm' was downloaded from an email attachment and executed on multiple workstations. The EDR also indicates that the file dropped a PowerShell script that connected to an external IP address and downloaded additional payloads. After the initial infection, the EDR detected that the ransomware binary 'encryptor.exe' was executed, which began encrypting files. However, the encryption process was stopped by the EDR before all files were encrypted. The incident response team needs to determine the source of the infection and prevent future occurrences. Which of the following is the most effective first step to identify the initial infection vector?

Question 19 · medium · drag order

Drag and drop the steps to configure a wireless network with WPA2-Enterprise authentication on a Cisco AP into the correct order.


Match each vulnerability assessment tool to its function.

Tools to match:

  • Automated vulnerability scanning
  • Open-source vulnerability scanner
  • Cloud-based vulnerability management
  • Network vulnerability scanner
  • Web server vulnerability scanner



Frequently asked questions

What does the CEH exam test about Cryptography and Malware Analysis?
Cryptography and Malware Analysis questions test whether you can apply the concept in context, not just recognise a definition.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just Cryptography and Malware Analysis questions in a focused session?
Yes — the session launcher on this page draws every question from the Cryptography and Malware Analysis domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other CEH topics?
Use the topic links above to move to related areas, or go back to the CEH question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the CEH exam covers. They are not copied from any real exam or dump site.