nerdexam
Cisco

210-255 · Question #17

You have run a suspicious file in a sandbox analysis tool to see what the file does. The analysis report shows that outbound callouts were made post infection. Which two pieces of information from the

The correct answer is B. domain names E. host IP addresses. Investigating post-infection outbound callouts from sandbox analysis requires network-layer indicators to identify and block command-and-control infrastructure.

Host-Based Analysis

Question

You have run a suspicious file in a sandbox analysis tool to see what the file does. The analysis report shows that outbound callouts were made post infection. Which two pieces of information from the analysis report are needed or required to investigate the callouts? (Choose two.)

Options

  • Afile size
  • Bdomain names
  • Cdropped files
  • Dsignatures
  • Ehost IP addresses

How the community answered

(43 responses)
  • A
    9% (4)
  • B
    70% (30)
  • C
    16% (7)
  • D
    5% (2)

Why each option

Investigating post-infection outbound callouts from sandbox analysis requires network-layer indicators to identify and block command-and-control infrastructure.

Afile size

File size is a static attribute useful for hash-based identification but provides no information about where outbound network callouts were directed.

Bdomain namesCorrect

Domain names captured during sandbox detonation identify the C2 or exfiltration endpoints the malware contacted, enabling threat-intel enrichment, DNS sinkholing, and firewall blocking.

Cdropped files

Dropped files relate to persistence mechanisms and secondary payload delivery on the infected host, not to the outbound network communication being investigated.

Dsignatures

Signatures identify the malware family or variant but do not reveal the specific network endpoints used during callout activity.

Ehost IP addressesCorrect

Host IP addresses reveal the network-layer destination of callouts, allowing analysts to create firewall rules, correlate events in a SIEM, and investigate attacker-controlled infrastructure.

Concept tested: Malware sandbox analysis - identifying C2 network indicators

Source: https://www.cisa.gov/sites/default/files/publications/CISA_MS-ISAC_Ransomware%20Guide_S508C.pdf

Topics

#sandbox analysis#malware callouts#C2 indicators#network IOC

Community Discussion

No community discussion yet for this question.

Full 210-255 Practice