Static Analysis
Dynamic Analysis
What the Shell?
Pot Pourri
100

A tool to extract strings from PE files or a piece of string used to clean your teeth.

What is Floss?

100

An Internet simulator found in the Windows Flare VM that requires the VirtualBox network adapter to be set to NAT mode.

What is FakeNet?

100

Type of shell where the victim's machine waits and listens for the attacker to connect.

What is a bind shell?

100

A tool that can aid in identifying what persistence method has been put in place by malware.

What is Autoruns?

100

It is how a malware sample is kept safe to prevent accidental detonation.

What is defanged?

200

A popular website for identifying malware by either uploading samples or uploading hash values.

What is VirusTotal?

200

A network monitoring tool used to capture network-based indicators.

What is Wireshark?

200

The most common type of obfuscation technique used in PowerShell scripts.

What is base64?

200

A tool used to capture the state of the Windows registry before and after malware is detonated for comparison.

What is Regshot?

200

It is the term for the type of malware that downloads a secondary stage from a server.

What is a dropper?

300

A popular hashing algorithm used to identify malware. Aww Shawks... they found me!

What is SHA256?

300

It's the server that the malware connects to which then instructs the malware on how to behave.

What is a command and control server?

300

Type of shell where the victim machine reaches out and connects to the attacker.

What is a reverse shell?

300

A way in which attackers compress malware to obfuscate it and attempt to evade antivirus solutions.

What is packing?

300

The HTTP command used to request and pull files from URLs.

What is GET?

400

A tool used to identify the architecture of PE files and the APIs they import, which also sounds like a very large animal (the black, brown, or white kind).

What is PE Bear?

400

An Internet Simulator built into REMnux.

What is INetSim?

400

A scripting language normally used by Windows administrators to automate processes, but which attackers also use to manipulate files, exfiltrate data, or download malware to the victim's computer.

What is PowerShell?

400

Malware will sometimes create this to prevent multiple instances of itself from running.

What are mutexes?

400

Two terms for when an attacker saves the second-stage malware downloaded from a server under a different name on the victim machine.

What are decoupling or dechaining?

500

A tool used to de-obfuscate encoded or encrypted data - it's good with knives.

What is CyberChef?

500

A tool that allows real-time monitoring of malware on a host by filtering on the malware's process name, and that also shows parent and child processes.

What is ProcMon?

500

The tool used to listen on a specified port for a shell connection.

What is Netcat?

500

A Linux binary or Santa's little helper.

What is an ELF?

500

The file extension or file type for the Windows APIs imported by PE files so they can use the functions those files contain.

What are DLL files?