nerdexam
EC-Council

312-50V9 · Question #342

Matthew received an email with an attachment named "YouWon$10Grand.zip." The zip file contains a file named "HowToClaimYourPrize.docx.exe." Out of excitement and curiosity, Matthew opened the said fil

The correct answer is B. Trojan. The malware disguises itself as a legitimate prize-claim file to trick the user, then silently establishes persistence and communicates with a C2 server - the defining behavior of a Trojan horse.

Malware Threats

Question

Matthew received an email with an attachment named "YouWon$10Grand.zip." The zip file contains a file named "HowToClaimYourPrize.docx.exe." Out of excitement and curiosity, Matthew opened the said file. Without his knowledge, the file copies itself to Matthew's APPDATA\IocaI directory and begins to beacon to a Command-and-control server to download additional malicious binaries. What type of malware has Matthew encountered?

Options

  • AKey-logger
  • BTrojan
  • CWorm
  • DMacro Virus

How the community answered

(45 responses)
  • A
    4% (2)
  • B
    91% (41)
  • C
    2% (1)
  • D
    2% (1)

Why each option

The malware disguises itself as a legitimate prize-claim file to trick the user, then silently establishes persistence and communicates with a C2 server - the defining behavior of a Trojan horse.

AKey-logger

A keylogger's primary function is to record and exfiltrate keystrokes; it does not involve disguised delivery via zip files or C2 beaconing for additional binaries.

BTrojanCorrect

A Trojan horse is malware that masquerades as a legitimate or benign file to deceive users into executing it; in this case, 'HowToClaimYourPrize.docx.exe' uses a double extension to appear as a Word document. Once executed, it copies itself to a persistence location (APPDATA\IocaI) and beacons to a Command-and-Control server to download additional payloads. This combination of deception, persistence, and C2 communication is the canonical behavior of a Trojan.

CWorm

A worm self-replicates and spreads autonomously across networks without requiring user interaction for propagation, which is not described here.

DMacro Virus

A macro virus infects documents via embedded macros that execute when the document is opened in an application like Microsoft Word, which is a different mechanism than a disguised executable.

Concept tested: Trojan horse malware identification and behavior

Source: https://csrc.nist.gov/glossary/term/trojan_horse

Topics

#Trojan#C2 communication#malware persistence#APPDATA directory

Community Discussion

No community discussion yet for this question.

Full 312-50V9 Practice