CCNA Malware Forensics Questions

16 questions · Malware Forensics topic · All types, answers revealed

1
Multi-Selecthard

Which THREE of the following are indicators of malware persistence via registry run keys? (Choose three.)

Select 3 answers
A.HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
B.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks
C.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
D.HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
E.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
AnswersA, C, E

RunOnce keys execute programs once at next logon, used for persistence.

Why this answer

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce is a registry run key that executes programs once at user logon and then deletes the entry. Malware often uses this key to run a payload a single time, such as during initial infection or after a reboot, to establish persistence without leaving a continuous trace in the Run key.

Exam trap

EC-Council often tests the distinction between registry run keys (Run, RunOnce, RunOnceEx) and other persistence mechanisms like services (Services key) or scheduled tasks (TaskCache), tricking candidates into selecting non-run-key options that are valid persistence methods but not run keys.

2
Drag & Dropmedium

Drag and drop the steps to perform a forensic analysis of email headers to trace the origin of a spam email into the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

Email header analysis involves parsing headers, tracing IPs, and checking authentication.

3
MCQeasy

A security analyst is tasked with reverse engineering a suspected malware sample. Which initial step should the analyst take to ensure safe handling and prevent accidental infection?

A.Create a bit-for-bit forensic image of the sample
B.Execute the sample in a debugger on a production machine
C.Disassemble the binary using IDA Pro directly
D.Connect the sample to an isolated network to observe behavior
AnswerA

A forensic copy preserves evidence and allows safe analysis.

Why this answer

Creating a bit-for-bit forensic image (option A) is the correct first step because it preserves the malware in an immutable, write-protected state, preventing any accidental execution or modification. This ensures the integrity of the evidence and allows the analyst to work with a safe copy without risking infection of the host system or network. In malware forensics, this aligns with the fundamental principle of maintaining a chain of custody and avoiding alteration of the original sample.

Exam trap

Cisco often tests the misconception that dynamic analysis (e.g., observing behavior in a network) is the safest first step, but the trap here is that any execution—even in a controlled environment—risks accidental infection if the sample is not first forensically imaged and handled with write-blockers.

How to eliminate wrong answers

Option B is wrong because executing the sample in a debugger on a production machine risks infecting the live environment, potentially causing data loss or propagation; debugging should only be performed in an isolated sandbox or virtual machine. Option C is wrong because disassembling the binary directly with IDA Pro without first creating a forensic image could inadvertently trigger self-modifying code or anti-analysis routines that execute upon file access, compromising the analysis environment. Option D is wrong because connecting the sample to an isolated network to observe behavior still requires execution, which could lead to unintended infection of the analyst's host system if proper isolation (e.g., air-gapped VM) is not confirmed first; the initial step must be static acquisition, not dynamic analysis.

4
MCQhard

An organization suspects a stealthy malware infection on a critical server. Traditional antivirus and EDR solutions have not detected anything. Which forensic approach would be most effective in identifying the malware, given that it likely resides only in memory?

A.Perform a full disk scan with updated antivirus signatures
B.Acquire a memory dump and perform memory forensics with tools like Volatility
C.Conduct a live analysis using built-in Windows tools like Task Manager
D.Analyze network traffic for anomalies using a NetFlow analyzer
AnswerB

Memory forensics captures the malware's code and artifacts in RAM for analysis.

Why this answer

Option B is correct because the malware resides only in memory, making it invisible to disk-based scans. Memory forensics with tools like Volatility allows investigators to analyze RAM artifacts (e.g., processes, network connections, injected code) to detect stealthy malware that never writes to disk.

Exam trap

Cisco often tests the misconception that live analysis tools (like Task Manager or Process Explorer) are sufficient for detecting memory-resident malware, but they fail to reveal hidden or injected code that only memory forensics can uncover.

How to eliminate wrong answers

Option A is wrong because a full disk scan with updated antivirus signatures targets files on disk, but the malware is memory-resident and never written to disk, so it will not be detected. Option C is wrong because live analysis using built-in Windows tools like Task Manager provides only a high-level view of processes and cannot reveal hidden or injected code, rootkits, or kernel-level artifacts that require deep memory structure parsing. Option D is wrong because analyzing network traffic with a NetFlow analyzer can show anomalous communication patterns but cannot directly identify malware that resides only in memory; it lacks the ability to inspect process memory, loaded modules, or code injection.

5
Multi-Selectmedium

Which THREE of the following are best practices for conducting malware forensics in a safe and effective manner?

Select 3 answers
A.Use a dedicated forensic workstation that is not connected to any network
B.Delete the malware sample after analysis to prevent accidental infection
C.Always create a cryptographic hash of the malware sample before analysis
D.Use a virtual machine or sandbox for dynamic analysis
E.Run all analysis using the same tools and versions as the attacker
AnswersA, C, D

Prevents malware from spreading and ensures analysis integrity.

Why this answer

Option A is correct because a dedicated forensic workstation that is not connected to any network prevents the malware from communicating with command-and-control (C2) servers, exfiltrating data, or spreading to other systems. This isolation ensures the integrity of the analysis environment and protects the broader infrastructure from accidental infection or data leakage.

Exam trap

Cisco often tests the misconception that deleting malware after analysis is a safety measure, when in fact preservation and proper containment (e.g., using hashes and isolated environments) are the correct forensic practices.

6
MCQmedium

Refer to the exhibit. During a malware investigation, a forensic analyst runs the commands shown. What is the most likely conclusion?

A.Svchost.exe processes are hosting legitimate Windows services; no malware is present.
B.The malware has injected code into svchost.exe using a reflective DLL injection tool.
C.The malware is using port 4444 for Windows Update communications.
D.Rundll32.exe with PID 1500 is likely a backdoor listening on port 4444.
AnswerD

Rundll32.exe typically does not listen on network ports; PID 1500 is listening on a suspicious port, indicating malware.

Why this answer

Option D is correct because the netstat output shows a listening connection on port 4444 associated with PID 1500, which the tasklist command identifies as rundll32.exe. Port 4444 is a common backdoor port (often used by Metasploit or other RATs), and rundll32.exe is a legitimate Windows binary frequently abused by malware to host malicious code (e.g., via DLL sideloading or reflective injection). The combination of an unusual listening port and a process that is not a typical network service (like svchost.exe) strongly indicates a backdoor.

Exam trap

EC-Council often tests the ability to correlate netstat output (port and PID) with tasklist output (PID and process name) to identify suspicious process-port pairs, and the trap here is assuming that svchost.exe is always the culprit when a backdoor is present, when in fact rundll32.exe is a common masquerading host for injected code.

How to eliminate wrong answers

Option A is wrong because svchost.exe processes can host legitimate services, but the exhibit shows no evidence of svchost.exe listening on port 4444; the PID 1500 is rundll32.exe, not svchost.exe. Option B is wrong because while reflective DLL injection into svchost.exe is possible, the netstat output directly ties port 4444 to PID 1500 (rundll32.exe), not to any svchost.exe PID. Option C is wrong because Windows Update does not use port 4444; it uses HTTP (port 80) or HTTPS (port 443) over TCP, and the exhibit shows no svchost.exe process associated with that port.

7
MCQhard

You are investigating a Windows 10 workstation that exhibits slow performance and frequent pop-ups. The user reports that the system started acting strangely after installing a 'PDF Converter' from an email attachment. You suspect malware. You have captured a memory dump using FTK Imager and a network capture during the infection. In the memory dump, you find a suspicious process 'conhost.exe' running from a non-standard location (C:\Users\Public\Temp). The process has an open handle to a file named 'config.ini' in the same directory. The network capture shows periodic HTTPS connections to 'malicious.com' on port 443 from the workstation's IP. Using Volatility, you extract the process's command line: 'conhost.exe -hidden -log C:\Users\Public\Temp\output.log'. Which of the following is the BEST immediate course of action to contain the threat and preserve evidence?

A.Delete the config.ini file and the conhost.exe executable immediately.
B.Restore the system to a previous restore point.
C.Terminate the suspicious conhost.exe process and run a full antivirus scan.
D.Isolate the workstation from the network, then create a forensic image of the hard disk for analysis.
AnswerD

Isolation stops C2 communication and potential lateral movement; imaging preserves evidence for in-depth analysis.

Why this answer

Option D is correct because the primary goal in a malware incident is to contain the threat and preserve evidence for forensic analysis. Isolating the workstation from the network prevents further data exfiltration (e.g., the HTTPS connections to malicious.com) and stops the malware from communicating with its C2 server. Creating a forensic image of the hard disk preserves the full state of the system, including the malicious conhost.exe, config.ini, and output.log files, which are critical for reverse engineering and attribution.

Terminating the process or deleting files before imaging would destroy volatile evidence and potentially trigger anti-forensic mechanisms.

Exam trap

EC-Council often tests the principle that containment and evidence preservation take precedence over immediate remediation, so candidates mistakenly choose to terminate the process or delete files (Option A or C) thinking they are stopping the threat, but this destroys volatile evidence and may trigger anti-forensic behavior.

How to eliminate wrong answers

Option A is wrong because deleting the config.ini file and conhost.exe executable destroys evidence and may trigger anti-forensic routines (e.g., file wiping or self-deletion) that could corrupt the memory dump or hinder analysis. Option B is wrong because restoring to a previous restore point overwrites critical system files and registry keys, destroying evidence of the infection and potentially leaving remnants of the malware in shadow copies or unallocated space. Option C is wrong because terminating the process and running an antivirus scan may alter the system state (e.g., killing the process removes its memory artifacts) and the scan could quarantine or delete malicious files, compromising the forensic integrity of the evidence.

8
MCQeasy

You are a forensic analyst investigating a Windows workstation that shows signs of malware infection. The user reports that the system is slow, network activity is high, and several files have been encrypted with a .encrypted extension. A ransom note named README.txt has been left on the desktop demanding payment. You have acquired a memory dump using FTK Imager and a disk image using dd. You need to identify the malware family and gather indicators of compromise (IOCs). Which of the following is the MOST appropriate first step?

A.Extract the ransom note and search for known ransomware identifiers such as Bitcoin wallet addresses or contact email.
B.Run the malware sample in a sandbox environment to observe its behavior.
C.Perform static analysis of the encrypted files to determine the encryption algorithm used.
D.Immediately disconnect the system from the network and power it off to preserve evidence.
AnswerA

Ransom notes often contain unique identifiers that link to specific ransomware families, enabling quick identification.

Why this answer

Option A is correct because the ransom note (README.txt) is a primary source of ransomware identifiers such as Bitcoin wallet addresses, contact emails, or Tor payment site URLs. Extracting these IOCs from the note allows you to quickly cross-reference known ransomware families (e.g., Ryuk, Maze, LockBit) via threat intelligence feeds, which is the most efficient first step in malware forensics before deeper analysis.

Exam trap

EC-Council often tests the principle of 'triage before deep analysis'—candidates mistakenly choose sandboxing (B) or static analysis (C) first, but the exam expects you to start with the most accessible, high-value IOC source (the ransom note) to quickly identify the malware family.

How to eliminate wrong answers

Option B is wrong because running the malware sample in a sandbox is premature; you must first identify the malware family and IOCs from the ransom note to safely handle the sample and avoid accidental encryption or network propagation. Option C is wrong because static analysis of encrypted files to determine the encryption algorithm is resource-intensive and often inconclusive without the encryption key; the ransom note provides faster, actionable intelligence. Option D is wrong because immediately disconnecting and powering off the system may destroy volatile evidence (e.g., network connections, running processes) and is not the first step—preservation should follow initial IOC collection.

9
MCQmedium

During malware analysis, an investigator finds that a suspicious process is injecting code into a legitimate system process (e.g., explorer.exe). Which technique is being used?

A.API hooking
B.Process hollowing
C.Code injection
D.DLL injection
AnswerC

Code injection is the technique of inserting code into a running process.

Why this answer

Code injection is the correct answer because the scenario describes a process injecting arbitrary code into a legitimate system process like explorer.exe. This is the generic term for techniques where malicious code is written into the address space of another process and executed, often via Windows API calls such as WriteProcessMemory and CreateRemoteThread. The question explicitly states 'injecting code,' which directly maps to the broad category of code injection, not a specific subtype.

Exam trap

Cisco often tests the distinction between generic code injection and its specific subtypes (like DLL injection or process hollowing), trapping candidates who choose a narrower term when the question uses the broad phrase 'injecting code' without specifying the delivery mechanism.

How to eliminate wrong answers

Option A is wrong because API hooking intercepts and modifies function calls within a process (e.g., using SetWindowsHookEx or Detours), but it does not involve injecting new code into a separate process's memory space; it redirects existing calls. Option B is wrong because process hollowing replaces the legitimate code of a process (e.g., suspending explorer.exe, unmapping its original code, and writing malicious code into the same process) rather than injecting code into an already-running legitimate process; it creates a hollowed process from the start. Option D is wrong because DLL injection is a specific subtype of code injection that loads a DLL into a target process (using LoadLibrary or reflective loading), but the question does not specify that a DLL is involved—it only mentions 'injecting code,' which could be shellcode or other executable code, making the broader term 'code injection' more accurate.

10
MCQmedium

You are a forensic analyst investigating a suspected malware infection on a Windows 10 workstation. The user reports that the system has been slow and that unexpected pop-ups appear. You have acquired a memory dump and a disk image. During analysis, you find a suspicious process named 'svch0st.exe' running with PID 4567. The process has loaded several DLLs, including 'wininet.dll' and 'ws2_32.dll'. You also find that the process has an active TCP connection to an external IP address 203.0.113.5 on port 4444. In the disk image, you find an executable file at C:\Users\Public\svch0st.exe with a creation date that matches the start of symptoms. The file's hash is not in any known malware database. You decide to perform dynamic analysis by running the file in a sandbox. However, the sandbox environment has no network connectivity. The executable runs but does not exhibit any malicious behavior. What should you do next to determine if the file is malicious?

A.Conduct a thorough static analysis using a disassembler and debugger to understand the code
B.Delete the suspicious file and run a full antivirus scan on the system
C.Re-run the sample in a sandbox with simulated network connectivity or a controlled network to observe C2 communication
D.Perform a forensic imaging of the system again and compare with the original image
AnswerC

Network connectivity may be required for the malware to activate its malicious payload.

Why this answer

Option C is correct because the sandbox lacked network connectivity, which prevented the malware from reaching its command-and-control (C2) server. Many malware samples, especially those using HTTP or raw TCP for C2, will remain dormant or exhibit no malicious behavior when they cannot connect to the external IP. By providing simulated or controlled network connectivity, you can trigger the malicious payload and observe the actual C2 communication, confirming the file's intent.

Exam trap

Cisco often tests the misconception that static analysis is always sufficient to determine maliciousness, but the trap here is that malware can be conditionally dormant and only activate when network connectivity is present, making dynamic analysis with network simulation essential.

How to eliminate wrong answers

Option A is wrong because static analysis alone cannot reliably determine if the file is malicious when it has no known hash and the sample is designed to only activate upon network connectivity; static analysis may miss obfuscated or conditionally executed code. Option B is wrong because deleting the file and running an antivirus scan is a reactive, non-analytical step that destroys evidence and does not answer whether the file is malicious; the file's hash is unknown, so antivirus may not detect it. Option D is wrong because performing another forensic imaging and comparing it to the original image would only show changes on disk, not reveal the runtime behavior or network-dependent activation of the malware; it is a redundant step that does not address the core question of whether the file is malicious.

11
Matchingmedium

Match each steganography technique to its carrier medium.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Image files (BMP, PNG)

Audio files (WAV, MP3)

GIF images

JPEG images

Plain text or documents

Why these pairings

These methods hide data in different file types.

12
MCQhard

Refer to the exhibit. An investigator is examining a disk image using TSK. The output from 'fls' shows the directory structure. What is the significance of the entry 'V/V 113-128-1: $OrphanFiles'?

A.It is a sign that a rootkit has hidden files in the image
B.It indicates the location of the Master File Table (MFT) mirror
C.It is a virtual directory that contains files with no parent directory, often from deleted files
D.It is a standard NTFS metadata file that stores file permissions
AnswerC

'V/V' denotes a virtual directory for files that are not linked in the directory tree.

Why this answer

In The Sleuth Kit (TSK), the 'fls' command lists files and directories within a disk image. The entry 'V/V 113-128-1: $OrphanFiles' is a virtual directory that contains files that have no parent directory in the file system, typically because their directory entries were deleted or corrupted. This is a common artifact when recovering deleted files from NTFS volumes, as TSK collects such orphaned MFT entries into this virtual container.

Exam trap

Cisco often tests the distinction between native NTFS metadata files (like $MFT, $Bitmap) and TSK virtual artifacts (like $OrphanFiles), so candidates mistakenly treat $OrphanFiles as a real NTFS system file rather than a forensic tool's reconstruction.

How to eliminate wrong answers

Option A is wrong because a rootkit hiding files would not manifest as a standard TSK virtual directory; rootkits typically use techniques like DKOM or hooking to conceal files, and $OrphanFiles is a normal TSK artifact for orphaned entries, not a sign of rootkit activity. Option B is wrong because the Master File Table (MFT) mirror is stored at the end of the NTFS volume (usually the last few clusters) and is not represented by a 'V/V' virtual directory in TSK; the MFT mirror is a metadata file ($MFTMirr), not a virtual directory. Option D is wrong because $OrphanFiles is not a standard NTFS metadata file; NTFS metadata files include $MFT, $LogFile, $Volume, etc., and $OrphanFiles is a TSK construct for forensic analysis, not a native NTFS file.

13
Multi-Selecthard

Which TWO of the following are common indicators of a rootkit infection on a Windows system?

Select 2 answers
A.High CPU usage by svchost.exe
B.System calls returning inconsistent results
C.Unexpected open ports on the firewall
D.Presence of unsigned kernel drivers
E.Hidden processes not visible in Task Manager
AnswersB, E

Rootkits hook system calls to return false information.

Why this answer

Option B is correct because rootkits operate at the kernel level, intercepting system calls to hide their presence. When a system call (e.g., NtQuerySystemInformation) is invoked, the rootkit modifies the return data to exclude malicious processes or files, causing the results to be inconsistent with the actual system state. This is a classic symptom of a kernel-mode rootkit that has hooked the System Service Dispatch Table (SSDT).

Exam trap

Cisco often tests the distinction between generic malware symptoms (like high CPU or open ports) and rootkit-specific stealth behaviors, so candidates mistakenly choose obvious signs of compromise rather than the subtle, kernel-level inconsistencies that uniquely identify a rootkit.

14
MCQmedium

During a malware investigation, an analyst discovers a suspicious file with a hash value that matches known malware. However, the file fails to execute and does not exhibit any malicious behavior in a sandbox. What is the most likely reason for this discrepancy?

A.The file is a false positive and is actually benign
B.The sandbox is not updated with the latest signatures
C.The file's metadata has been modified to evade analysis
D.The file is packed or obfuscated to prevent execution in a sandbox
AnswerD

Packing can prevent execution until unpacked, causing the sandbox to not observe malicious behavior.

Why this answer

Option D is correct because malware authors often use packing or obfuscation techniques to prevent the malicious payload from executing in an analysis environment. The packed code requires a specific unpacking routine or trigger (e.g., a specific system call, registry key, or timing condition) that the sandbox does not provide, causing the file to appear inert. This is a common anti-sandbox technique distinct from simple signature evasion.

Exam trap

Cisco often tests the distinction between detection evasion (e.g., hash modification) and execution evasion (e.g., packing/obfuscation), trapping candidates who assume a matching hash guarantees malicious behavior.

How to eliminate wrong answers

Option A is wrong because the hash matches known malware, making a false positive highly unlikely; hash collisions are extremely rare and not a plausible explanation. Option B is wrong because signature updates are irrelevant when the hash already matches known malware; the issue is execution, not detection. Option C is wrong because modifying metadata (e.g., timestamps, file attributes) does not prevent execution; it only affects forensic artifacts and file identification, not runtime behavior.

15
Multi-Selecteasy

Which TWO techniques are commonly used to evade detection by antivirus software in packed malware?

Select 2 answers
A.Code obfuscation
B.Anti-debugging tricks
C.Polymorphic code
D.Anti-VM checks
E.Encryption with a variable key
AnswersC, E

Polymorphic code mutates its signature, evading signature-based detection.

Why this answer

Polymorphic code (C) is correct because it mutates its decryption loop with each infection while preserving the original malicious payload, generating functionally equivalent but bytewise different code. This signature mutation evades signature-based antivirus detection by ensuring no static byte sequence remains constant across samples. Encryption with a variable key (E) is correct because it changes the decryption key per sample, producing different ciphertext each time and thus defeating signature matching on the encrypted payload.

Exam trap

EC-Council often tests the distinction between polymorphic code (which changes the decryption stub) and metamorphic code (which rewrites the entire payload), and candidates confuse anti-debugging or anti-VM techniques with signature evasion methods.

16
MCQmedium

Based on the exhibit, what is the most likely indication of malware persistence?

A.services.exe PID 4321 is a known malware process
B.Windows Defender service is stopped, allowing malware to run
C.services.exe is listening on TCP port 4444, indicating possible code injection
D.svchost.exe hosting BFE and MpsSvc indicates a firewall bypass
AnswerC

services.exe should not have open listening ports; port 4444 is suspicious and suggests malware injected into the process.

Why this answer

Option C is correct because services.exe (the Service Control Manager) should not normally listen on any TCP port. When it is found listening on TCP port 4444—a port commonly associated with Metasploit and reverse shells—it strongly indicates that malware has injected code into the legitimate services.exe process, hijacking it to establish a persistent backdoor listener. This is a classic sign of process hollowing or reflective DLL injection, where the malware hides its network activity under a trusted system process.

Exam trap

EC-Council often tests the misconception that any process named 'services.exe' or 'svchost.exe' is automatically malicious, when in fact the key indicator is abnormal behavior (like listening on a non-standard port) that deviates from the process's legitimate function.

How to eliminate wrong answers

Option A is wrong because services.exe is a legitimate Windows system process (the Service Control Manager), and PID 4321 alone does not indicate malware; malware often uses process names like svchost.exe or services.exe to blend in, so the PID itself is not a known malware identifier. Option B is wrong because while a stopped Windows Defender service could allow malware to run, the exhibit shows no evidence that Defender is stopped; the question asks for the most likely indication of persistence based on the exhibit, and a stopped service is a condition, not a direct indicator of persistence. Option D is wrong because svchost.exe hosting BFE (Base Filtering Engine) and MpsSvc (Windows Firewall) is normal behavior; these services are part of the Windows Firewall and do not indicate a bypass—in fact, they are the firewall itself, and their presence in svchost.exe is expected.

Ready to test yourself?

Try a timed practice session using only Malware Forensics questions.