Static Analysis
Dynamic Analysis
Cyber Kill Chain
Malware
Persistence
100

The process of examining malware code without executing it.

What is static analysis?

100

Running malware in a controlled environment to observe its behavior.

What is dynamic analysis?

100

A framework that describes the stages of a cyber-attack, from reconnaissance to achieving objectives.

What is the Cyber Kill Chain?

100

This type of malware encrypts files and demands payment to unlock them.

What is ransomware?

100

This allows malware to survive reboots and remain active on a system.

What is persistence?

200

MD5, SHA-1, and SHA-256 are examples of these, used to identify files by generating unique values.

What are hashing algorithms?

200

A tool used to identify programs configured to run automatically at startup, which can reveal persistent malware.

What is Autoruns?

200

The first stage in the Cyber Kill Chain, involving information gathering about the target.

What is reconnaissance?

200

This type of malware disguises itself as legitimate software to trick users.

What is a Trojan?

200

A common registry key that malware modifies to achieve persistence.

What is HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run?

300

A tool used in static analysis to inspect the structure of Portable Executable (PE) files.

What is PE Studio?

300

Isolating malware in this environment is essential to prevent it from affecting other systems.

What is a sandbox?

300

This stage involves transmitting the malware to the victim, often through phishing or drive-by downloads.

What is delivery?

300

A self-replicating malware that spreads across networks without user interaction.

What is a worm?

300

Malware can use this Windows feature to schedule tasks that automatically execute at set times.

What is the Task Scheduler?

400

Extracting these can reveal hard-coded URLs, IPs, or other readable text within malware.

What are strings?

400

This tool is used to inspect running processes and detect unusual behavior.

What is Process Explorer?

400

During this stage, the attacker exploits a vulnerability to gain access to the system.

What is exploitation?

400

Specialized malware used to hide the presence of other malicious files on a system.

What is a rootkit?

400

nstalling itself as one of these allows malware to start automatically at boot.

What is a Windows service?

500

Renaming or modifying a malware file to prevent accidental execution.

What is defanging?

500

This feature in virtual machines allows analysts to save the current state, making it easy to revert back after running malware.

What is a snapshot?

500

The final stage, where the attacker achieves their primary objectives, such as data exfiltration.

What is actions on objectives?

500

Malware designed to secretly gather information on a user or organization.

What is spyware?

500

Placing malware here ensures it runs automatically when the user logs in.

What is the startup folder?

M
e
n
u