01. Which approach can help in bypassing malware that employs timing checks to detect analysis tools?
a) Modifying the system clock
b) Patching the malware binary to remove the checks
c) Using network traffic generators
d) Increasing the priority of the malware process
02. Analyzing the decompressed content of an RTF file is essential for what reason?
a) To identify any embedded scripts or macros
b) To understand the document's formatting hierarchy
c) To detect hidden or obfuscated malicious payloads
d) To verify the integrity of embedded images
03. Why might malware use indirect jumps and calls as part of its execution flow?
a) To make decompilation and debugging more difficult by obscuring the control flow
b) To enhance the readability of the code for maintenance purposes
c) To reduce the overall size of the compiled binary
d) To improve the efficiency of execution on multi-core processors
04. How can an analyst use the entropy value of a file during malware analysis?
a) To measure the file's compression ratio
b) To determine the complexity and randomness within the file, indicating potential obfuscation or encryption
c) To calculate the file's execution time
d) To identify the programming language used to create the file
05. What aspects should be analyzed to determine if a macro in an Office file is self-replicating? (Choose Two)
a) The macro's ability to copy itself to other documents.
b) The presence of code that modifies the startup folder.
c) The macro's interaction with the Office clipboard.
d) Code snippets that duplicate the macro within the same document.
06. Which of the following is a potential indicator that an Office macro is attempting to download additional payloads?
a) Modification of document metadata.
b) Execution of complex mathematical calculations.
c) Interaction with a local database.
d) Use of system networking commands.
07. When analyzing a function in assembly language, how can you identify the function's parameters?
a) By locating values pushed onto the stack immediately before a call instruction
b) By identifying the first arithmetic instructions in the function
c) By counting the number of RET instructions
d) By looking for direct register assignments at the start of the function
08. In malware analysis, what is the purpose of comparing the hash of a suspicious file to known malware databases?
a) To identify the file's original author
b) To determine the exact changes made to the system by the malware
c) To potentially identify the malware and its known behaviors
d) To understand the network behavior of the malware
09. Why is it important to analyze the control words within an RTF document when investigating for malicious content?
a) To verify the document's compatibility with different viewers
b) To understand the document's layout structure
c) To identify custom styles applied to the document
d) To detect hidden instructions or shellcode
10. When analyzing malicious software, what is an indicator of anti-emulation techniques being used?
a) The malware performs redundant calculations.
b) The malware checks for the presence of a mouse or user interaction.
c) The malware avoids using system calls.
d) The malware exclusively targets 32-bit systems.