CEH v13 Domain 3.3 Practice Test 002

This practice test covers Domain 3 (System Hacking Phases and Attack Techniques) Subdomain 3 (Malware Threats) from the CEH v13 (312-50v13) exam blueprint (v5).

These questions are inspired by the EC-Council CEH exam and are designed to help you test your knowledge of ethical hacking tools, techniques, and methodologies. Some questions require multiple correct answers.

These are not official exam questions or brain dumps. They are original scenario-based questions created to reflect the skills and knowledge tested in the CEH exam.

Note: CEH and Certified Ethical Hacker are registered trademarks of EC-Council. This content is not affiliated with or endorsed by EC-Council.

To choose CEH practice tests based on specific domains and subdomains, click that link.

CEH v13 Domain 3.3 Practice Test 002

10 questions • 8 single-answer, 2 multi-select

Question 1

Clark, a malicious actor targeting a financial services company, bundles a hidden reverse shell inside a legitimate-looking PDF viewer and tricks an employee into downloading and running it. The application functions as advertised while silently opening a command-and-control channel back to Clark's server. What type of malware has Clark deployed?

A. Rootkit — Clark installed a rootkit that hides its presence by modifying OS kernel structures to mask the malicious process from detection tools B. Trojan horse — Clark disguised a malicious payload inside a legitimate-appearing application that executes hidden code while performing its stated function C. Polymorphic virus — Clark used a self-replicating virus that mutates its own code signature with each infection cycle to evade antivirus detection D. Logic bomb — Clark planted a dormant payload that triggers only when a specific condition such as a date or user action is met

Question 2

A malware analyst investigating an endpoint alert finds no new executable files on disk, but observes shellcode injected into a legitimate Windows process (explorer.exe) and LOLBins being used to execute commands. The endpoint's signature-based antivirus found nothing, yet behavior-based detection flagged abnormal parent-child process relationships. Which malware technique best describes this attack?

A. Macro virus — the attacker embedded malicious VBA macros in an Office document that wrote executable payloads to the Windows temp directory upon opening B. Fileless malware — the attacker executed malicious code entirely in memory using legitimate system processes and native binaries, leaving no artifacts on disk for signature-based tools to detect C. Boot sector virus — the attacker modified the master boot record to load malicious code before the OS initializes, persisting across reboots without requiring file system access D. Spyware — the attacker installed a module that silently records keystrokes and transmits them to a remote C2 server over encrypted channels

Question 3

Select all that apply

An incident response team reviewing a six-month intrusion at a defense contractor finds the attacker used stolen credentials, custom implants communicating over HTTPS on port 443, and specifically targeted high-value users before exfiltrating sensitive design documents. The IR team concludes the activity matches a state-sponsored threat group operating with strategic, long-term objectives. Which TWO characteristics are MOST consistent with an Advanced Persistent Threat (APT)? (Choose two)

A. The attacker used a self-propagating worm that automatically infected adjacent hosts without any human interaction throughout the campaign B. The attacker maintained long-term, stealthy access to the target environment over six months, indicating a persistent and objective-driven operation C. The attacker selected a specific high-value target and used tailored custom malware and stolen credentials to achieve their strategic objective D. The attacker deployed fast-moving ransomware that encrypted all files across the network within hours of gaining initial access E. The attacker relied exclusively on commodity phishing kits purchased from underground forums with no customization or targeted reconnaissance

Question 4

A single malicious email attachment at a large enterprise infects one employee's machine, and within hours thousands of hosts are compromised without any additional user interaction. The malware autonomously scans for vulnerable hosts and copies itself across the network by exploiting an unpatched SMB vulnerability. Which malware classification best describes this threat?

A. Trojan horse — the malware disguised itself as a legitimate attachment and required user execution but does not self-propagate across the network without human interaction B. Computer worm — the malware autonomously replicates and propagates across the network by exploiting a vulnerability without requiring any user interaction after initial execution C. Adware — the malware displays unwanted advertisements and collects browsing data from each infected host but does not self-propagate through the network D. Ransomware — the malware encrypts victim files and demands payment, but does not replicate across network hosts autonomously

Question 5

Jane, a malware analyst at a threat intelligence firm, executes a suspicious binary in an isolated sandbox environment and uses Process Monitor and Wireshark to record all file system writes, registry changes, and outbound network connections the sample makes in real time. She then catalogs the resulting indicators of compromise for the client report. Which type of malware analysis has Jane performed?

A. Static analysis — Jane disassembled the binary using tools like IDA Pro without executing it, examining the code structure, strings, and embedded resources to understand its logic B. Code review analysis — Jane manually reviewed the malware's source code line by line to identify logic flaws, backdoor conditions, and hardcoded credentials without executing the sample C. Dynamic analysis — Jane executed the malware in a controlled environment and observed its runtime behavior including process activity, file system changes, registry edits, and network communications D. Signature-based analysis — Jane submitted the binary hash to a threat intelligence platform to compare it against known malware signatures and identify its family

Question 6

A forensic report on a compromised developer workstation reveals the attacker's tool captured keystrokes, took periodic screenshots, activated the webcam on demand, and received remote commands — all without any visible interface to the victim. The tool installed itself as a Windows service and communicated over an encrypted channel to a domain registered one week before the attack. What category of malware best describes this tool?

A. Keylogger — the malware is designed exclusively to capture and transmit keystrokes and does not include capabilities for remote command execution, screen capture, or webcam access B. Remote Access Trojan (RAT) — the malware provides the attacker with covert, full remote control capabilities including keylogging, screen capture, webcam access, and shell command execution via a C2 channel C. Ransomware — the malware encrypts files on the victim system and presents a ransom demand but does not support interactive remote control or targeted data exfiltration D. Adware — the malware generates revenue through forced advertising and browser redirects and does not support remote control or surveillance capabilities

Question 7

Select all that apply

A CISO reviewing a malware outbreak finds that a custom-compiled implant with no known signatures communicated over HTTPS and achieved persistence via a WMI subscription, fully bypassing the organization's existing signature-based antivirus. She wants to implement two controls that would detect or prevent this class of attack in future incidents. Which TWO countermeasures would MOST effectively address this threat? (Choose two)

A. Deploy behavior-based EDR tools that monitor for anomalous process behaviors, suspicious parent-child relationships, and unusual network connections regardless of file signature B. Implement a stricter email spam filter that blocks all attachments larger than 1 MB, since most advanced malware is delivered via oversized email attachments C. Implement application whitelisting to prevent unauthorized executables from running on endpoints, blocking unknown binaries from executing even without a known malware signature D. Increase all employee passwords to a minimum of 12 characters to prevent brute force attacks against domain accounts E. Disable HTTPS traffic inspection at the perimeter firewall to avoid performance degradation, relying solely on endpoint tools for detection

Question 8

Elijah distributes a fake free video conferencing tool that, once installed, encrypts all local and mapped drive files and demands $2,000 in cryptocurrency within 72 hours, threatening to delete the decryption key if payment is not received. The malware does not spread to other hosts, does not open a persistent remote access channel, and communicates with Elijah's server only to deliver the decryption key upon payment. What type of malware has Elijah deployed?

A. Trojan horse — because Elijah disguised the malware as a legitimate application, a Trojan classification applies since Trojans are defined by their deceptive delivery and remote access capability B. Spyware — Elijah's malware silently collects and transmits sensitive user files and credentials to a remote server without the user's knowledge or consent C. Ransomware — Elijah's malware encrypts victim files and demands payment for the decryption key, denying access to data and using extortion as its primary mechanism D. Worm — Elijah's malware self-replicates across network segments without user interaction, encrypting files on each host it infects autonomously

Question 9

A malware sample collected from an enterprise network exhibits a different byte-level signature on each infected machine, making it impossible to create a single static detection rule across all hosts. Analysis reveals the sample uses an internal mutation engine to rewrite its own binary code during each replication cycle while preserving its core functional payload. Which malware category does this sample belong to?

A. Metamorphic virus — the virus completely rewrites its entire code base with each generation using a built-in code rewriter, producing functionally equivalent but entirely restructured code that is harder to detect than polymorphic variants B. Polymorphic virus — the virus uses a mutation engine to alter its binary signature with each infection while keeping the core payload intact, allowing it to evade signature-based antivirus detection C. Armored virus — the virus uses obfuscation and anti-debugging techniques to resist reverse engineering but does not necessarily alter its own code signature between infections D. Stealth virus — the virus intercepts OS calls to hide its presence by returning falsified data when the infected file is scanned, rather than altering its own code

Question 10

An OT security consultant investigating a disruption at a water treatment facility finds the attacker used a compromised vendor VPN account to deploy a custom implant that lay dormant for three months before modifying PLC setpoints to alter chemical dosing levels. The implant was specifically engineered for the facility's SCADA platform, indicating prior intelligence gathering about the target environment. How should this attack be classified?

A. Script kiddie attack — the attacker used commercially available exploit kits and commodity malware without specialized knowledge, targeting the facility opportunistically rather than with deliberate strategic intent B. Insider threat — the malware was planted by a disgruntled employee with physical access to the PLC hardware and intimate knowledge of the SCADA configuration, without requiring external network access C. Advanced Persistent Threat (APT) targeting critical infrastructure — the attacker demonstrated long-term persistence, used a custom implant tailored to a specific ICS platform, and executed a targeted attack on critical infrastructure with strategic objectives D. Ransomware attack — the malware encrypted SCADA configuration files and demanded payment to restore operations, making financially motivated ransomware the most appropriate classification

ByThe Test Master

Related Post

CEH v13 Domain 3.2 Practice Test 002

CEH v13 Domain 3.1 Practice Test 002

CEH v13 Domain 2.3 Practice Test 002