GREM試験無料問題集（195題）「GIAC Reverse Engineering Malware 認定」

出題：1

When analyzing a ransomware sample you find code referencing CryptDeriveKey. What does this indicate?

A. VM introspection

B. Encryption routine

C. Code signing

D. Persistence payload

正解：B 解答を投票する

出題：2

A malware sample checks the registry key:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductId
What is the MOST likely purpose?

A. Driver loading

B. Persistence creation

C. C2 configuration retrieval

D. Sandbox / VM detection

正解：D 解答を投票する

出題：3

What features should a malware analysis lab have to ensure effective analysis? (Choose Three)

A. Availability of up-to-date anti-malware solutions

B. High-speed internet access without any filtering

C. Tools for both static and dynamic analysis

D. The capability to restore machines to a clean state

E. Restricted access control

正解：C,D,E 解答を投票する

出題：4

What is the significance of finding extensive use of System.Reflection namespace in a .NET malware sample?

A. It indicates the use of reflective programming to inspect or modify itself at runtime.

B. It implies the malware is likely to use graphics and visual effects.

C. It denotes the malware's capability to self-replicate.

D. It suggests the application is using a third-party .NET library.

正解：A 解答を投票する

出題：5

Which of the following are common flow control instructions used in malware? (Choose two)

A. POP

B. CALL

C. XOR

D. JMP

正解：B,D 解答を投票する

出題：6

Which of the following is the MOST reliable indicator that the payload is unpacked?

A. New thread is created

B. Strings become readable

C. Full PE header appears in memory

D. API calls are resolved

正解：C 解答を投票する

出題：7

Which of the following are reasons malware might use the VirtualAllocEx function? (Choose Two)

A. To allocate memory with specific access rights

B. To ensure data execution prevention (DEP)

C. To reserve a region of memory within a foreign process

D. To extend the size of a virtual memory page

正解：A,C 解答を投票する

出題：8

In the context of RTF file analysis, what purpose does examining hexadecimal content serve?

A. Identifying embedded media files

B. Verifying the document formatting

C. Detecting potential shellcode or obfuscated content

D. Confirming standard RTF headers

正解：C 解答を投票する

出題：9

What is a common sign that a PDF might be malicious?

A. It triggers security warnings when opened.

B. The file size is smaller than average for similar documents.

C. The PDF is viewable on multiple platforms.

D. It contains extensive text and few images.

正解：A 解答を投票する

出題：10

Why would an analyst examine the timestamps within the metadata of a suspected malware file?

A. To check for time-based triggers within the malware

B. To assess the file's relevance to a specific malware campaign

C. To determine the malware's expiration date

D. To understand when the malware was created or last modified

正解：D 解答を投票する

出題：11

You are performing behavioral analysis on a malware sample that makes unusual DNS queries and writes data to a specific registry key.
Which actions should you take to further investigate this sample's behavior? (Choose three)

A. Monitor registry changes using a tool like Procmon

B. Reboot the system and observe if the malware starts again

C. Debug the malware to locate its API calls

D. Capture the DNS traffic using a network sniffer tool

E. Isolate the system and run the malware with network access disabled

正解：A,B,D 解答を投票する

出題：12

In the context of .NET reverse engineering, what is the primary purpose of examining the Intermediate Language (IL) code?

A. To inspect the graphical user interface of the application

B. To identify the high-level language in which the program was originally written

C. To analyze network traffic generated by the malware

D. To understand the logic and flow of the program

正解：D 解答を投票する

出題：13

What is the primary objective of conducting a static analysis on a suspected malware file?

A. To observe the malware's interaction with its environment in real-time

B. To gather information about the malware without executing it

C. To immediately identify and delete malware from the system

D. To determine the internet domains to which the malware communicates

正解：B 解答を投票する

GREM試験無料問題集「GIAC Reverse Engineering Malware 認定」