210-255 · Question #17
You have run a suspicious file in a sandbox analysis tool to see what the file does. The analysis report shows that outbound callouts were made post infection. Which two pieces of information from the
The correct answer is B. domain names E. host IP addresses. Investigating post-infection outbound callouts from sandbox analysis requires network-layer indicators to identify and block command-and-control infrastructure.
Question
You have run a suspicious file in a sandbox analysis tool to see what the file does. The analysis report shows that outbound callouts were made post infection. Which two pieces of information from the analysis report are needed or required to investigate the callouts? (Choose two.)
Options
- Afile size
- Bdomain names
- Cdropped files
- Dsignatures
- Ehost IP addresses
How the community answered
(43 responses)- A9% (4)
- B70% (30)
- C16% (7)
- D5% (2)
Why each option
Investigating post-infection outbound callouts from sandbox analysis requires network-layer indicators to identify and block command-and-control infrastructure.
File size is a static attribute useful for hash-based identification but provides no information about where outbound network callouts were directed.
Domain names captured during sandbox detonation identify the C2 or exfiltration endpoints the malware contacted, enabling threat-intel enrichment, DNS sinkholing, and firewall blocking.
Dropped files relate to persistence mechanisms and secondary payload delivery on the infected host, not to the outbound network communication being investigated.
Signatures identify the malware family or variant but do not reveal the specific network endpoints used during callout activity.
Host IP addresses reveal the network-layer destination of callouts, allowing analysts to create firewall rules, correlate events in a SIEM, and investigate attacker-controlled infrastructure.
Concept tested: Malware sandbox analysis - identifying C2 network indicators
Source: https://www.cisa.gov/sites/default/files/publications/CISA_MS-ISAC_Ransomware%20Guide_S508C.pdf
Topics
Community Discussion
No community discussion yet for this question.