You have run a suspicious file in a sandbox analysis tool to see what the file does. The analysis report shows that outbound callouts were made post infection. Which two pieces of information from the analysis report are needed or required to investigate the callouts? (Choose two.)
A. file size
B. domain names
C. dropped files
D. signatures
E. host IP addresses
“You have run a suspicious file in a sandbox analysis tool”… well, that eliminates option A. Since you put the suspicious file in the sandbox, why do you need to check its size after?
As per @Jay's comment, I would eliminate E – host IP addresses.
that leaves:
B. domain names
C. dropped files
D. signatures
Not sure what C would relate to.
My guess: B and D
More one …rs
From Cuckoo Sandbox.
With Cuckoo you’re able to create some customized signatures that you can run against the analysis results in order to identify some predefined pattern that might represent a particular malicious behavior or an indicator you’re interested in.
These signatures are very useful to give a context to the analyses: both because they simplify the interpretation of the results as well as for automatically identifying malware samples of interest
So to me, it is B and D... kkkkk
Sorry, but I think it is B & E.
As you may know, we are using network malicious analyzer tools, and in a sandbox you can use Cisco AMP. See below.
Sandboxing also gathers essential data on network activity. You can examine the entire PCAP trace generated by our sandbox. This analysis report includes information about the most salient network characteristics. For example, if the file in question connects to a host that is known to be a botnet command and control server, then the file can be identified as malicious (see Figure 3). Along similar lines, Cisco AMP examines Domain Name System (DNS) and HTTP traffic for botnet characteristics and uses this traffic to determine the disposition of a particular file. Network analysis can be taken a step further by examining an overall HTTP hierarchy graph, which can be used to identify web exploit kits and how they connect to the sites they infect.
https://www.cisco.com/c/en/us/products/collateral/security/whitepaper_c78-733277.html
Any Comments??
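An added illustration (not code from any poster, nor Cuckoo's or AMP's own code): pull the two network facts the posts above keep returning to, the domain names resolved and the external destination IPs contacted, out of a constructed Cuckoo-style report, then run a couple of signature-like rules over them the way the Cuckoo quote describes. The report layout, the field names and the C2 watchlist are all assumptions built for this example.

```python
"""Triage the network section of a sandbox report for outbound callouts."""
import ipaddress
import json

# Constructed sample report, loosely shaped like a Cuckoo report.json "network"
# section. Hosts and addresses are documentation/test ranges, not real indicators.
SAMPLE_REPORT = json.loads("""
{
  "network": {
    "dns":  [{"request": "update.example-cdn.test", "answers": [{"data": "203.0.113.10"}]},
             {"request": "c2.badexample.test",      "answers": [{"data": "198.51.100.7"}]}],
    "tcp":  [{"dst": "203.0.113.10", "dport": 443},
             {"dst": "198.51.100.7", "dport": 8080},
             {"dst": "192.168.1.20", "dport": 445}],
    "http": [{"host": "c2.badexample.test", "method": "POST", "uri": "/gate.php"}]
  }
}
""")

# Constructed watchlist standing in for a threat-intel feed (assumption).
KNOWN_C2_DOMAINS = {"c2.badexample.test"}

# RFC 1918 and loopback space: traffic to these is lab-internal, not a callout.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def is_internal(ip_str):
    ip = ipaddress.ip_address(ip_str)
    return any(ip in net for net in INTERNAL_NETS)


def extract_callouts(report):
    """Return (domains queried, external destination IPs) from the report."""
    net = report.get("network", {})
    domains = {entry["request"] for entry in net.get("dns", [])}
    dst_ips = {flow["dst"] for flow in net.get("tcp", []) + net.get("udp", [])
               if not is_internal(flow["dst"])}
    return sorted(domains), sorted(dst_ips)


def run_signatures(report):
    """Apply simple pattern rules over the network section, Cuckoo-signature style."""
    net = report.get("network", {})
    hits = [("known_c2_domain", e["request"]) for e in net.get("dns", [])
            if e["request"] in KNOWN_C2_DOMAINS]
    # An HTTP POST from a freshly infected sandbox VM is a common beacon shape.
    hits += [("http_post_beacon", r["host"] + r["uri"]) for r in net.get("http", [])
             if r.get("method") == "POST"]
    return hits


if __name__ == "__main__":
    print(extract_callouts(SAMPLE_REPORT))
    print(run_signatures(SAMPLE_REPORT))
```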
I would say file size is useless, as a file comes with a different size on different file systems or OSes. Hash is what makes the “size” of it. This is from the Cisco whitepaper:
Sandboxing also gathers essential data on network activity. You can examine the entire PCAP trace generated by our sandbox. This analysis report includes information about the most salient network characteristics. For example, if the file in question connects to a host that is known to be a botnet command and control server, then the file can be identified as malicious (see Figure 3). Along similar lines, Cisco AMP examines Domain Name System (DNS) and HTTP traffic for botnet characteristics and uses this traffic to determine the disposition of a particular file. Network analysis can be taken a step further by examining an overall HTTP hierarchy graph, which can be used to identify web exploit kits and how they connect to the sites they infect.
It mentions DNS, which is useful, I guess, in identifying (listing into a DB) malicious domains. Just my thoughts….
Why would you need the host IP when this is a report of the file when run in a Sandbox analysis tool?
Cisco likes to catch you out with these types of questions, and they specifically say ‘host’ IP address.
I would guess with B & C.
The answer I think is A and E… why require a domain name when I already have the IP address…
Rather take the file size to check also… remember there are POST commands issued… which is a matter of concern also, as file size will clog the network, ending up consuming resources and as a result ending up in a DoS attack..
#my_thoughts
Yeah, I do not like that one AT ALL, because file size, domain names, signatures, and IPs are all part of the same sequence and analysis process. But since we are talking about sandbox analysis, then file size is a logical piece.
See below:
https://www.researchgate.net/publication/221515702_The_Sandbox_for_Analysis_-_Concepts_and_Methods
Comparing file size relates to signatures and hashes, but really the next critical piece is the host IPs. Depending on the analysis utility, domain names may not be an option. The “best” answers with this very poorly worded question and slick answer choices are A and E.
To the B and E supporters, I would agree if a utility was referenced like Cisco AMP …
https://www.cisco.com/c/en/us/products/collateral/security/whitepaper_c78-733277.pdf
but B seems to be a trip-up answer; with such a vague setup here we will never really know.
One of the organization’s network intrusion detection sensors alerts on anomalous outbound network activity involving large file transfers. The intrusion analyst reviews the alerts; it appears that thousands of .RAR files are being copied from an internal host to an external host, and the external host is located in another country. The analyst contacts the incident response team so that it can investigate the activity further. The team is unable to see what the .RAR files hold because their contents are encrypted. Analysis of the internal host containing the .RAR files shows signs of a bot installation.
Answer = A, E
A & D
https://digital-forensics.sans.org/blog/2012/07/26/four-focus-areas-of-malware-analysis
What is the use of file size to investigate a callout, as compared to the domain name and host IP address?
B and E; those are the parameters that allow you to track the important information about the incident.
Yep, B and E.
I would also say B and E. Can’t investigate something making a callout without knowing WHERE it’s making a callout to… so at least a destination IP addr or domain name, to say the least. Need to know what “host” is making the callouts, so the appropriate action(s) are taken.
Would say the answer is B and E, what are your opinions?