All Flashcards

Exam

1
Q

Motive types (cybercrime)

A

* Financial Gain
* Hacktivism
* Corporate Espionage
* Curiosity/Challenge
* Nation State-Sponsored Attacks
* Personal Vendetta

2
Q

Victim Types

A

* Individuals
* Corporations/Businesses
* Government Institutions
* Critical Infrastructure
* Non-Profit Organizations

3
Q

Perpetrator Types

A

* Individual Hackers
* Organized Cybercriminal Groups
* Hacktivists
* State-Sponsored Actors
* Script Kiddies

4
Q

What means or methods are used for cybercrime?

A

Latest trends:
+ Phishing / Social Engineering
+ Malware
+ Exploiting Vulnerabilities
+ Insider Threats

5
Q

Timeline/actions of a cybercrime attack

A
  1. Reconnaissance
  2. Initial Breach
  3. Exploitation
  4. Execution
  5. Covering Tracks
  6. Detection and Response
  7. Investigation
6
Q

Malware analysis process

A

Extracting the malware
Static analysis
Blackboxing (Dynamic analysis)
Internet search (OSINT)
White boxing (reverse engineering)

7
Q

Common signs of malware infection

A

Slow performance
Frequent freezing or crashing
Diminished storage space
Unwanted pop-up advertisements
Modified or deleted files
New programs or icons
Changes in security settings
Unusual network activity
Browser changes
Unusual emails/social media messages
Programs running without consent
Error messages
Camera indicator light stays on or turns on by itself
Suspicious applications appear

8
Q

Malware spreading techniques

A

Phishing
Malvertising: malware delivered through ads
Drive-by downloads: downloaded automatically when visiting a compromised site
Social engineering (more hands-on than phishing)
Malicious links on social media
Software bundling
RDP exploits (exposed or weakly protected Remote Desktop)
Lateral movement (spreading inside a network after the first foothold)
Typosquatting (look-alike domains/package names)
Torrents and P2P sharing
Infected removable media
Exploiting unpatched vulnerabilities

9
Q

Payload types

A

Destructive
Non-Destructive
Criminal

10
Q

What destructive payload types are there?

A

Designed to cause damage to systems, data, or networks

Ransomware: encrypts files and demands payment
Wiper malware: deletes or overwrites data
Viruses: attach to legitimate programs and corrupt/delete files
Worms: self-replicate and spread across networks, causing disruptions

11
Q

Non destructive malware payload types

A

Compromises privacy or performance without directly damaging data
Spyware: monitors users
Adware: displays unwanted ads, tracks behaviour
Trojan horses: disguised as legitimate software to trick users into running them
Fileless malware: operates in memory, leaving little or nothing on disk

12
Q

Criminal malware payloads

A

Designed for financial gain or illegal activities:
Cryptojacking: hijacks resources to mine crypto
Botnets: network of infected devices used for coordinated attacks
Keyloggers
Backdoors

13
Q

PE structure

A

PE header: follows the DOS header and DOS stub (the DOS header's e_lfanew field points to it); consists of the "PE\0\0" signature, the file (COFF) header and the optional header; holds metadata such as machine/architecture type, number of sections, characteristics, entry point and image base

Section table: lists all sections in the executable (.text, .data, .rdata, .rsrc etc.) with their size on disk, size in memory and permission flags
.text = executable code
.data = initialized global variables
.rdata = read-only data (constants, strings, import/export information)
.rsrc = resources such as icons, dialogs and strings

Data directories: entries at the end of the optional header that point (RVA + size) to the import table, export table, resources, relocations, TLS, etc.

14
Q

PE structure and malware analysis

A

Malware can insert additional code into unused space in a PE file (code caves: e.g. the padding between a section's raw data and its file-aligned size)
Alter section headers (sizes, flags, entry point) to cause unexpected behaviour or bypass detection

15
Q

Static analysis: what aspects are analysed?

A

Examines code and properties without execution
* Aspects analyzed:
+File Type
+File Hash
+Strings
+Embedded Elements
+Packer Information
+Imports and Exports

16
Q

Static analysis: techniques used

A

Techniques Used
+ File Identification: Use ‘file’ or ‘sigcheck’ commands
+ Hashing: Calculate MD5, SHA1, SHA256 hashes
+ String Extraction: Use ‘strings’ command
+ Disassembly: Convert machine code to assembly
+ Code Analysis: Analyze for malicious patterns
+ Metadata Examination: Review file metadata
+ VirusTotal Submission: Scan against multiple AV engines (look up the hash first; uploading a sample discloses it to VirusTotal and its subscribers)

17
Q

Static analysis tools

A

PEStudio: PE triage (headers, imports, strings, indicators)
CFF Explorer: examines and edits PE file structure
YARA: pattern/signature matching against files
strings: extracts printable strings
FLOSS: extracts and deobfuscates strings (FLARE Obfuscated String Solver)
capa: identifies capabilities from code features (FLARE)
ssdeep: fuzzy hashing to find similar samples

18
Q

Static analysis benefits and limitations

A

Benefits of Static Analysis
* Speed: Quick analysis without execution
* Safety: Avoids risks of running malware
* Comprehensive Insight: Examines entire code structure
* Detection of Known Threats: Identifies known malware families

Limitations of Static Analysis
* Inability to Detect Runtime Behavior: Misses dynamic threats
* Complexity with Obfuscation: Challenges with obfuscated code
* False Positives: May misidentify benign files as malicious

19
Q

Packers: what are they?

A

Software tools that transform executable files
Aspects:
Compression/Encryption/Obfuscation
Types of packers:
Off-the-shelf packers: UPX (open source), ASPack and Themida (commercial)
Custom packers
Crypters

Indicated by high entropy (compressed/encrypted sections), few imports, and characteristic section names or unpacking stubs
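The cards on PE structure, static analysis and packers above describe what an analyst looks at; the following is an added example (not course material) that performs that triage in plain Python with only the standard library: it walks the DOS header, PE signature, COFF header and section table, hashes the file, pulls printable strings like `strings` would, and computes per-section entropy to flag packed data. The sample it analyses is constructed inline by build_sample_pe() to mimic the section layout of a UPX-packed x64 binary (its strings, including the c2.example.invalid URL, are made up); the 7.0 entropy threshold is a common rule of thumb, not a course value.

```python
"""Static triage of a PE file with only the standard library: hashes, COFF header,
section table with per-section entropy (packer indicator) and printable strings.
Added example; the sample PE is constructed in build_sample_pe()."""
import hashlib
import math
import random
import re
import struct
from collections import Counter

ENTROPY_PACKED = 7.0           # assumption: usual rule-of-thumb cut-off for "packed/encrypted"
IMAGE_FILE_DLL = 0x2000        # COFF Characteristics flag
SCN_MEM_EXECUTE = 0x20000000   # section Characteristics flags
SCN_MEM_WRITE = 0x80000000
MACHINES = {0x14C: "x86", 0x8664: "x64", 0xAA64: "arm64"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte in 0..8; compressed or encrypted data sits close to 8."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def ascii_strings(data: bytes, min_len: int = 4) -> list:
    """What `strings -n 4` would print: runs of printable ASCII."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def parse_pe(data: bytes) -> dict:
    """DOS header -> e_lfanew -> 'PE\\0\\0' -> COFF file header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    (machine, nsect, _stamp, _symptr, _nsym,
     opt_size, chars) = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    table = e_lfanew + 4 + 20 + opt_size        # signature + COFF header + optional header
    sections = []
    for i in range(nsect):
        off = table + 40 * i                     # IMAGE_SECTION_HEADER is 40 bytes
        name, vsize, vaddr, rsize, rptr = struct.unpack_from("<8sIIII", data, off)
        sc = struct.unpack_from("<I", data, off + 36)[0]
        raw = data[rptr:rptr + rsize]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "virtual_address": vaddr,
                         "raw_size": rsize, "raw_offset": rptr,
                         "entropy": round(shannon_entropy(raw), 2),
                         "exec": bool(sc & SCN_MEM_EXECUTE), "write": bool(sc & SCN_MEM_WRITE)})
    return {"machine": MACHINES.get(machine, hex(machine)),
            "is_dll": bool(chars & IMAGE_FILE_DLL), "sections": sections}


def triage(data: bytes) -> dict:
    """parse_pe() plus hashes, strings and the packer indicators an analyst checks first."""
    info = parse_pe(data)
    info["hashes"] = {a: hashlib.new(a, data).hexdigest() for a in ("md5", "sha1", "sha256")}
    info["strings"] = ascii_strings(data)
    info["indicators"] = []
    for s in info["sections"]:
        if s["entropy"] >= ENTROPY_PACKED:
            info["indicators"].append(f"{s['name']}: entropy {s['entropy']} (packed/encrypted data?)")
        if s["exec"] and s["write"]:
            info["indicators"].append(f"{s['name']}: writable+executable (self-modifying unpack stub?)")
        if s["raw_size"] == 0 and s["virtual_size"]:
            info["indicators"].append(f"{s['name']}: empty on disk, {s['virtual_size']:#x} bytes in memory (unpack target?)")
        if s["name"].upper().startswith("UPX"):
            info["indicators"].append(f"{s['name']}: UPX section name")
    return info


def build_sample_pe() -> bytes:
    """Constructed, non-runnable PE image: .text with a few strings, UPX0/UPX1 like a packed file."""
    rng = random.Random(7)
    text = b"kernel32.dll\0CreateFileA\0http://c2.example.invalid/gate.php\0".ljust(0x200, b"\0")
    upx1 = bytes(rng.getrandbits(8) for _ in range(0x1000))    # stands in for compressed code
    secs = [(b".text", 0x200, 0x1000, text, 0x60000020),        # CODE | EXECUTE | READ
            (b"UPX0", 0x10000, 0x2000, b"", 0xC0000080),        # UNINIT | READ | WRITE, 0 bytes on disk
            (b"UPX1", 0x1000, 0x12000, upx1, 0xE0000040)]       # INIT | EXECUTE | READ | WRITE
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, len(secs), 0, 0, 0, 0xF0, 0x0022)
    optional = struct.pack("<H", 0x20B).ljust(0xF0, b"\0")      # PE32+ magic, rest zeroed
    table, body, ptr = b"", b"", 0x200
    for name, vsize, vaddr, raw, sc in secs:
        table += struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, len(raw), ptr if raw else 0, 0, 0, 0, 0, sc)
        body += raw
        ptr += len(raw)
    header = (dos + b"PE\0\0" + coff + optional + table).ljust(0x200, b"\0")
    return header + body


if __name__ == "__main__":
    report = triage(build_sample_pe())
    print(report["machine"], "DLL" if report["is_dll"] else "EXE", report["hashes"]["sha256"])
    for s in report["sections"]:
        print(f"{s['name']:<8} raw={s['raw_size']:#7x} virt={s['virtual_size']:#7x} entropy={s['entropy']}")
    for ind in report["indicators"]:
        print("  !", ind)
    print("strings:", [x for x in report["strings"] if len(x) > 8][:5])
```

To run it on a real sample, replace build_sample_pe() with open(path, "rb").read(). A real triage would go on to resolve the import table through the data directories; the random UPX1 bytes also show why `strings` output from a packed section is mostly junk until the sample is unpacked.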

20
Q

Tools to identify packers/packed data

A

PEiD
Detect It Easy (DiE)
BinText
PE Explorer
CFF Explorer

21
Q

Autorun options for malware

A

Registry
Startup folders
Services
Browser helper objects
Scheduled tasks

22
Q

Typical Windows 11 OS-related paths relevant to malware analysis: system directories

A
  1. C:\Windows: Windows installation directory
  2. C:\Windows\System32: Primary system directory, often targeted for DLL hijacking
  3. C:\Windows\SysWOW64: 32-bit system directory on 64-bit systems
23
Q

Typical Windows 11 paths relevant to malware analysis: user directories

A

C:\Users\[Username]\AppData\Roaming: User-specific application data (roams with the profile), often used by malware for persistence
C:\Users\[Username]\AppData\Local: Local application data, not synced with the roaming profile
C:\Users\[Username]\AppData\LocalLow: Used by low-integrity level processes (e.g. sandboxed browser components)

24
Q

Startup system directories and reg run keys

A

Startup Locations
* C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp: Startup folder for all users
* C:\Users\[Username]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup: User-specific startup folder
Registry Run Keys
* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run: System-wide autorun programs
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run: User-specific autorun programs

25
Q

Registry hives: which four are there?

A

Registry data is stored in files known as hives. Each hive corresponds to a specific set of keys and values. The main hives include:
* SYSTEM: Contains system configuration settings.
* SOFTWARE: Stores software-related settings.
* SECURITY: Holds security policies.
* SAM: Contains user account information (including password hashes).
These hives are loaded into memory by the Configuration Manager, which manages registry operations.
These system hives are stored as files under Windows\System32\config (alongside DEFAULT); per-user hives live in the user's profile instead (NTUSER.DAT and AppData\Local\Microsoft\Windows\UsrClass.dat).

26
Q

Main root keys of the Windows registry: which are there?

A

* HKEY_LOCAL_MACHINE (HKLM): Contains configuration settings for the local machine.
* HKEY_CURRENT_USER (HKCU): Stores settings specific to the currently logged-in user.
* HKEY_USERS (HKU): Contains user profiles for all users on the machine.
* HKEY_CLASSES_ROOT (HKCR): Merges information from HKCU and HKLM regarding file associations.
* HKEY_CURRENT_CONFIG (HKCC): Contains information about the current hardware profile

27
Q

Common Malware Persistence Locations registry

A
  1. The Windows Run keys:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  2. The Winlogon shell:
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (default value: explorer.exe)
  3. Services

Only 1-5, no need to remember details
1. Run Keys
– Description: Used to automatically start programs during system boot or user login.
– Registry Paths:
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
2. RunServices Keys
– Description: Similar to Run Keys but for programs started as services; a Windows 9x/ME-era key that modern Windows no longer honours.
– Registry Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
3. BootExecute
– Description: Executes specified native programs early in the Windows boot process (default value: autocheck autochk *).
– Registry Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute
4. AppInit_DLLs
– Description: Allows specified DLLs to be loaded into every process that loads User32.dll (disabled by default on Windows 8 and later when Secure Boot is enabled).
– Registry Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
5. Active Setup
– Description: Runs the configured StubPath command once per user at logon, before the shell starts.
– Registry Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components

28
Q

Service and process manipulation registry keys

A
  1. Windows Services
    – Description: Malware can create new services or modify existing ones (ImagePath, ServiceDll) to achieve persistence.
    – Registry Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
  2. Image File Execution Options (IFEO)
    – Description: Can be used to persist malware and intercept the execution of legitimate programs by specifying a "Debugger" value; the named debugger is launched instead, with the original program as its argument.
    – Registry Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
  3. Known DLLs
    – Description: DLLs listed in KnownDLLs are always mapped from System32 rather than located via the DLL search order, which protects them from hijacking. Malware with admin rights can remove or alter an entry so that the DLL is resolved through the normal search order again and can be hijacked.
    – Registry Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs
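The persistence cards above (autorun options, startup folders, Run keys, Winlogon, services, IFEO) list where to look; this added example (not course material) shows what to check once the entries are collected. It triages autorun entries for the usual tells: a launcher living in a user-writable directory, LOLBin launchers such as rundll32/regsvr32/powershell, encoded or hidden PowerShell (decoded from the -enc base64), system binary names outside the Windows directory, altered Winlogon Shell/Userinit values and unquoted image paths with spaces. SAMPLE_ENTRIES are constructed; on a Windows host collect_run_keys() reads the live Run keys through the standard-library winreg module and returns nothing elsewhere. WINLOGON_DEFAULTS and the indicator lists are my assumptions about a clean system, not course values.

```python
"""Triage of Windows autorun entries for common persistence tells. Added example;
SAMPLE_ENTRIES are constructed. collect_run_keys() reads the live Run keys with the
standard-library winreg module on Windows and returns [] elsewhere."""
import base64
import os
import re

# Assumptions about what a clean system looks like (not course values).
USER_WRITABLE = re.compile(r"\\(?:Users\\[^\\]+\\AppData|Users\\Public|ProgramData|Temp|Downloads)\\", re.I)
LOLBINS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe", "cscript.exe",
           "powershell.exe", "pwsh.exe", "cmd.exe", "msiexec.exe", "certutil.exe"}
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe", "winlogon.exe", "services.exe"}
PAYLOAD_EXT = re.compile(r"\.(?:vbs|js|jse|wsf|hta|ps1|bat|cmd|scr|dll)\b", re.I)
ENCODED_PS = re.compile(r"(?:^|\s)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{20,})", re.I)
HIDDEN_PS = re.compile(r"-w(?:indowstyle)?\s+hidden|-nop\b|-noprofile\b", re.I)
WINLOGON_DEFAULTS = {"Shell": "explorer.exe", "Userinit": r"C:\Windows\system32\userinit.exe,"}

# (source, value name, command): constructed entries, one benign and six with indicators
SAMPLE_ENTRIES = [
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "SecurityHealth",
     r"%windir%\system32\SecurityHealthSystray.exe"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "OneDriveUpdate",
     r'"C:\Users\alice\AppData\Roaming\svchost.exe" -silent'),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "Updater",
     "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkA"),
    (r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Shell",
     r"explorer.exe, C:\ProgramData\sys\loader.exe"),
    (r"HKLM\SYSTEM\CurrentControlSet\Services\BackupSvc", "ImagePath",
     r"C:\Program Files\Backup Tool\svc.exe -k"),
    (r"Startup folder (HKCU user)", "invoice.vbs",
     r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\invoice.vbs"),
    (r"Scheduled task \Adobe Update", "Adobe Update",
     r"rundll32.exe C:\Users\Public\a.dll,Start"),
]


def split_command(cmd: str):
    """(image, arguments): a quoted image path is taken verbatim, an unquoted one is cut
    at the first space, which is the same ambiguity CreateProcess suffers from."""
    cmd = cmd.strip()
    if cmd.startswith('"') and cmd.find('"', 1) > 0:
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    parts = cmd.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


def triage_entry(source: str, name: str, command: str) -> dict:
    image, args = split_command(command)
    base = os.path.basename(image.replace("\\", "/")).lower().rstrip(",")
    hits = []
    if USER_WRITABLE.search(command) and not source.startswith("Startup"):
        hits.append("launches from user-writable directory")
    if base in LOLBINS:
        hits.append(f"LOLBin launcher {base}")
    if base in SYSTEM_NAMES and "\\" in image and not re.search(r"\\(?:windows|system32)\\", image, re.I):
        hits.append(f"system binary name {base} outside Windows directory")
    m = ENCODED_PS.search(args)
    if m:
        try:  # -EncodedCommand takes base64 of a UTF-16LE string
            decoded = base64.b64decode(m.group(1)).decode("utf-16-le", "replace")
        except ValueError:
            decoded = "<not valid base64>"
        hits.append(f"encoded PowerShell: {decoded!r}")
    if base in ("powershell.exe", "pwsh.exe") and HIDDEN_PS.search(args):
        hits.append("hidden/no-profile PowerShell flags")
    if PAYLOAD_EXT.search(command):
        hits.append("script or DLL payload")
    if ".exe" in command.lower() and not command.lstrip().startswith('"'):
        head = re.split(r"\.exe", command, maxsplit=1, flags=re.I)[0]
        if " " in head.strip():
            hits.append("unquoted image path containing spaces")
    default = WINLOGON_DEFAULTS.get(name)
    if source.endswith("Winlogon") and default and command.strip().lower() != default.lower():
        hits.append(f"Winlogon {name} differs from default {default!r}")
    return {"source": source, "name": name, "command": command, "hits": hits}


def triage(entries):
    """Findings sorted by number of indicators, clean entries last."""
    return sorted((triage_entry(*e) for e in entries), key=lambda f: -len(f["hits"]))


def collect_run_keys():
    """Live collection of HKLM/HKCU ...\\CurrentVersion\\Run on Windows; [] elsewhere."""
    try:
        import winreg
    except ImportError:
        return []
    sub = r"Software\Microsoft\Windows\CurrentVersion\Run"
    found = []
    for hive, label in ((winreg.HKEY_LOCAL_MACHINE, "HKLM"), (winreg.HKEY_CURRENT_USER, "HKCU")):
        try:
            with winreg.OpenKey(hive, sub) as key:
                for i in range(winreg.QueryInfoKey(key)[1]):  # [1] = number of values
                    vname, vdata, _vtype = winreg.EnumValue(key, i)
                    found.append((f"{label}\\{sub}", vname, str(vdata)))
        except OSError:
            pass
    return found


if __name__ == "__main__":
    for f in triage(SAMPLE_ENTRIES + collect_run_keys()):
        print(("!! " if f["hits"] else "ok ") + f"[{f['source']}] {f['name']}: {f['command']}")
        for h in f["hits"]:
            print("      -", h)
```

Services, startup folders and scheduled tasks are fed in the same (source, name, command) shape from whatever collector you use (sc/Get-CimInstance Win32_Service, a directory listing, schtasks /query); the point is that the same small set of checks applies regardless of which autorun location the command came from.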
29
Q

What are rootkits (tl;dr)?

A

Rootkits are programs that gain hidden control of a computer system by modifying the operating system itself
* Their main purpose is to conceal malware activity from users and security tools, preventing detection of the compromised state
* Despite the name, rootkits don't provide root access - they actually require admin/root privileges to be installed
* Initial system compromise and elevated privileges must be achieved through other means before a rootkit can be deployed

30
Q

Basic Rootkit Goals

A

Gain system access
Maintain persistence
Hide presence
Control resources

31
Q

Rings of Control

A

Ring 3 (User Mode):
- Where normal applications run
- Limited privileges
- Restricted access to hardware
- Uses the Windows API for system requests
Ring 0 (Kernel Mode):
- Highest privilege level
- Direct hardware access
- Controls system resources
- Handles critical operations

Path of a system request from Ring 3 to Ring 0:
* Application makes a request (e.g., CreateFile)
* Win32 API (kernel32.dll) processes the request
* NTDLL.dll converts it to a system call (NtCreateFile, syscall instruction)
* Transition to kernel mode
* SSDT routes the call to the correct kernel function

32
Q

Common rootkit techniques: what techniques are commonly used?

A
  • System Call Hooking:
    + Intercepts program requests
    + Modifies what the system sees
    + Hides malicious activity
  • Driver Level Attack:
    + Loads malicious drivers
    + Gets kernel access
    + Modifies core system
  • Direct Kernel Manipulation:
    + Changes system tables
    + Modifies memory
    + Alters core functions
33
Q

OSINT Basics

A

Open-source intelligence (OSINT) is the collection and analysis of data from publicly available sources to produce actionable intelligence.
+ Collection
+ Processing
+ Analysis
+ Reporting

34
Q

Tor facts

A

Directory updates (fetching relay/consensus information)
Circuit use (different activities get different circuits):
* Web browsing -> Circuit A
* .onion sites -> Circuit B
* New HTTPS -> Circuit C

  • Guard rotation
    + Every 2-3 months
    + Helps prevent profiling
  • Usage-based rotation
    + After specific data amounts
    + After number of TCP streams
  • Time-based rotation
    + New circuits every ~10 minutes
    + Clean circuits every ~30-60 seconds