A malware analyst runs a suspicious executable in Cuckoo Sandbox. The report shows that the process created a mutex named 'Global\MyMalwareMutex'. What is the significance of this mutex?
A mutex ensures only one instance of the malware runs to avoid conflicts.
Why this answer
The mutex named 'Global\MyMalwareMutex' is a named synchronization object used by the malware to ensure only one instance of its process runs at a time. This prevents conflicts in operations like file writing or network communication that could occur if multiple copies executed simultaneously. In Cuckoo Sandbox, detecting such a mutex is a common indicator of single-instance malware behavior.
Exam trap
EC-Council often tests the misconception that any named object with 'Global' implies network or cross-system communication, but in Windows, 'Global\' simply refers to the kernel object namespace accessible to all sessions on the same machine.
How to eliminate wrong answers
Option A is wrong because mutexes are local synchronization primitives within the Windows kernel, not network communication channels; C2 communication typically uses sockets, HTTP, or DNS. Option C is wrong because UPX packing is detected by analyzing the executable's section names (e.g., 'UPX0', 'UPX1') or entropy, not by mutex creation. Option D is wrong because mutexes do not store data; they are kernel objects with a name and state (signaled/non-signaled), whereas encrypted configuration is usually stored in files, registry keys, or memory.