CEH v13 Domain 3.3 Practice Test 001

Question 1

Clark, a professional hacker, has compromised a target system and installed a program that appears to the victim as a legitimate system utility. However, the program secretly opens a backdoor on port 4444 and exfiltrates data to a remote C2 server. The victim notices no unusual behavior during normal system use. What type of malware has Clark deployed?

A. Rootkit B. Trojan C. Logic bomb D. Ransomware

Question 2

During a threat intelligence briefing, an analyst describes an attack campaign in which adversaries spent eight months performing reconnaissance, establishing footholds across multiple business units, and staging data before exfiltration — all while remaining completely undetected. The campaign targeted defense contractor intellectual property and was attributed to a nation-state group. Which malware concept BEST describes this type of campaign?

A. Polymorphic virus B. Fileless malware C. Advanced Persistent Threat (APT) D. Botnet

Question 3

A penetration tester is analyzing a malware sample and observes that the binary changes its signature each time it replicates, making it difficult for signature-based antivirus engines to detect it. However, the underlying malicious payload remains functionally identical across all variants. Which malware classification BEST describes this sample?

A. Metamorphic virus B. Polymorphic virus C. Macro virus D. Stealth virus

Question 4

Jane is conducting malware analysis on a suspicious executable collected from a compromised endpoint. She runs the sample in an isolated virtual machine, monitors registry changes, network connections, and file system modifications using tools such as Process Monitor and Wireshark, without examining the binary's source code. What type of malware analysis is Jane performing?

A. Static analysis B. Dynamic analysis C. Code review D. Heuristic analysis

Question 5

Select all that apply

An attacker sends a spear-phishing email to a financial analyst containing a Microsoft Word document. When the analyst opens the document and enables editing, malicious code embedded within the document executes automatically and installs a RAT on the system. No standalone executable file is dropped to disk during initial execution. Which two characteristics BEST describe this malware delivery technique? (Choose two.)

A. The attack relies on a macro-based execution mechanism B. The attack uses a fileless malware technique during initial execution C. The attack is classified as a worm because it self-propagates via email D. The attack requires the victim to explicitly enable content to trigger execution E. The attack uses a rootkit to hide the Word document from the OS

Question 6

During a post-incident investigation, a security team discovers that a piece of malware lay dormant on a developer's workstation for three months. The malware activated and deleted critical source code repositories on the exact date the developer was terminated. No external C2 communication was observed prior to detonation. Which type of malware BEST describes this behavior?

A. Ransomware B. Trojan C. Logic bomb D. Worm

Question 7

Kevin, a threat actor, develops malware that injects itself into the Windows kernel and intercepts system calls made by the OS. When antivirus software queries the file system for a list of running processes, the malware removes its own process entry from the results returned to the AV engine. The malware has been active on the system for 47 days undetected. What type of malware is Kevin using?

A. Trojan B. Spyware C. Rootkit D. Backdoor

Question 8

A security analyst is reviewing logs from an endpoint detection tool and notices that a malicious process executed entirely within PowerShell memory, downloaded a second-stage payload over HTTPS, and injected it directly into a legitimate svchost.exe process. No malicious files were written to disk at any point during the attack chain. Which malware concept BEST describes this attack?

A. Virus B. Fileless malware C. Adware D. Polymorphic worm

Question 9

An ethical hacker is reviewing an organization's anti-malware posture and wants to evaluate whether endpoint defenses can detect command-and-control (C2) communication from a RAT. Which of the following tools would BEST allow the tester to simulate RAT-style C2 traffic and test defensive controls?

A. Aircrack-ng B. Metasploit Framework with Meterpreter C. Nikto D. Hydra

Question 10

Select all that apply

A malware analyst receives a sample suspected of being part of a targeted attack campaign. Before executing the sample, the analyst extracts readable text strings from the binary, calculates its MD5 and SHA-256 hashes, examines the PE header, and checks the import address table for suspicious API calls such as CreateRemoteThread and VirtualAllocEx. What type of analysis is the analyst performing, and which of the following tools would be MOST appropriate for this phase? (Choose two.)

A. The analyst is performing dynamic analysis B. The analyst is performing static analysis C. PEiD or Detect-It-Easy (DIE) D. Wireshark E. strings and CFF Explorer

ByThe Test Master

Related Post

CEH v13 Domain 2.2 Practice Test 002

CEH v13 Domain 2.1 Practice Test 002

CEH v13 Domain 1.1 Practice Test 002

Leave a Reply Cancel reply

You missed

CEH v13 Domain 2.2 Practice Test 002

CEH v13 Domain 2.1 Practice Test 002

CEH v13 Domain 1.1 Practice Test 002

CEH v13 Domain 9.1 Practice Test 001