
GCIH · Question #454

GCIH Question #454: Real Exam Question with Answer & Explanation

The correct answer is A: Detecting virtual machines. Malware that checks for specific processes or hardware before executing is using sandbox or virtual machine evasion to avoid analysis and detection.

Malware Analysis & Advanced Persistent Threats

Question

Analysis of malicious code identifies a function that searches for specific processes and hardware on a victim host. If the processes or hardware are found, the malicious executable does not install itself. What is a common purpose of this type of malware functionality?

Options

  • A. Detecting virtual machines
  • B. Remote code execution
  • C. Running polymorphic code
  • D. Disabling local anti-virus

Explanation

Malware that checks for specific processes or hardware before executing is using sandbox or virtual machine evasion to avoid analysis and detection.

Common mistakes.

  • B. Remote code execution is an attack capability that allows code to run on a remote system; it is not related to the self-preservation check described in the question.
  • C. Polymorphic code refers to malware that mutates its own code to evade signature-based detection, which is a different technique unrelated to environmental hardware or process checks.
  • D. Disabling antivirus is an action a malware takes after it has already installed itself, not a reason to abort installation before it begins.

Concept tested. Malware sandbox and virtual machine evasion techniques

Reference. https://attack.mitre.org/techniques/T1497/

Topics

VM detection, sandbox evasion, anti-analysis, process enumeration
