Suspicious File Analysis: Investigating Outbound Callouts | Cisco Exam 200-201-CBROPS

Investigating Outbound Callouts

Question

An engineer runs a suspicious file in a sandbox analysis tool to see the outcome.

The analysis report shows that outbound callouts were made post-infection.

Which two pieces of information from the analysis report are needed to investigate the callouts? (Choose two.)

Answers

Explanations


A. B. C. D. E.

Correct answer: B, E.

When a suspicious file is run in a sandbox analysis tool, the tool isolates the file in a controlled environment to observe its behavior and identify any malicious activity. If the analysis report shows that outbound callouts were made post-infection, the file initiated communication with systems outside the sandbox.

To investigate the callouts, the analyst needs to gather information from the analysis report. The two pieces of information required to investigate the callouts are:

  1. Host IP Addresses - The analysis report should provide information on the IP addresses of the systems that the suspicious file has communicated with. This information is critical in identifying the external systems that the file is communicating with and determining whether they are legitimate or malicious.

  2. Domain Names - The analysis report should provide information on the domain names of the external systems that the suspicious file has communicated with. This information is useful in identifying the domains associated with the external systems and determining their legitimacy.

Therefore, the correct answers are B (Host IP Addresses) and E (Domain Names). Signatures, file size, and dropped files are also important pieces of information, but they are not directly related to investigating the callouts.
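As an added illustration of what "investigating the callouts" looks like in practice, the Python below pulls host IP addresses and domain names out of a sandbox report and pivots them into a per-destination summary (which domains resolved to each IP, which ports were contacted). This is example code written for this page, not output or an API of any real sandbox product: the JSON layout of the report and the sample entries in it are constructed assumptions, and the hash is a placeholder.

```python
import ipaddress
import json
import re

# Constructed sample report. The "network" section layout (dns / connections / http)
# is an assumption for this example, not the schema of any particular sandbox.
SAMPLE_REPORT = json.dumps({
    "sha256": "<placeholder-sha256>",
    "network": {
        "dns": [
            {"query": "update.example-cdn.test", "answers": ["203.0.113.25"]},
            {"query": "beacon.invalid-tld", "answers": []},
        ],
        "connections": [
            {"dst_ip": "203.0.113.25", "dst_port": 443, "proto": "tcp"},
            {"dst_ip": "192.168.1.10", "dst_port": 445, "proto": "tcp"},
            {"dst_ip": "198.51.100.7", "dst_port": 8080, "proto": "tcp"},
            {"dst_ip": "127.0.0.1", "dst_port": 53, "proto": "udp"},
        ],
        "http": [
            {"host": "198.51.100.7", "uri": "/gate.php", "method": "POST"},
        ],
    },
})

# Ranges that are never a real "outbound callout" destination: RFC 1918, loopback,
# link-local, CGNAT, multicast, reserved, and their IPv6 equivalents. The IETF
# documentation ranges (203.0.113.0/24 etc.) are deliberately NOT excluded so the
# constructed sample above can use them as stand-ins for routable addresses.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "100.64.0.0/10", "0.0.0.0/8", "224.0.0.0/4", "240.0.0.0/4",
    "::1/128", "fc00::/7", "fe80::/10",
)]

# Conservative hostname check: dotted labels of letters, digits and hyphens.
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z0-9-]{2,63}$", re.I)


def is_external_ip(value):
    """True if value parses as an IP address outside the internal ranges above."""
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        return False
    return not any(ip in net for net in INTERNAL_NETS)


def extract_callouts(report_json):
    """Return the two indicators the question asks for: external IPs and domains."""
    net = json.loads(report_json).get("network", {})
    ips, domains = set(), set()
    for entry in net.get("dns", []):
        query = entry.get("query", "").strip().lower().rstrip(".")
        if DOMAIN_RE.match(query):
            domains.add(query)
        for answer in entry.get("answers", []):
            if is_external_ip(answer):
                ips.add(answer)
    for conn in net.get("connections", []):
        if is_external_ip(conn.get("dst_ip", "")):
            ips.add(conn["dst_ip"])
    for req in net.get("http", []):
        host = req.get("host", "").strip().lower()
        if is_external_ip(host):
            ips.add(host)
        elif DOMAIN_RE.match(host):
            domains.add(host)
    return {"ips": sorted(ips), "domains": sorted(domains)}


def summarize_callouts(report_json):
    """Pivot: external IP -> domains that resolved to it and ports contacted on it."""
    net = json.loads(report_json).get("network", {})
    summary = {}
    for entry in net.get("dns", []):
        query = entry.get("query", "").strip().lower().rstrip(".")
        for answer in entry.get("answers", []):
            if is_external_ip(answer):
                summary.setdefault(answer, {"domains": set(), "ports": set()})["domains"].add(query)
    for conn in net.get("connections", []):
        dst = conn.get("dst_ip", "")
        if is_external_ip(dst):
            port = f'{conn.get("proto", "tcp")}/{conn.get("dst_port")}'
            summary.setdefault(dst, {"domains": set(), "ports": set()})["ports"].add(port)
    return {ip: {"domains": sorted(v["domains"]), "ports": sorted(v["ports"])}
            for ip, v in summary.items()}


if __name__ == "__main__":
    print(json.dumps(extract_callouts(SAMPLE_REPORT), indent=2))
    print(json.dumps(summarize_callouts(SAMPLE_REPORT), indent=2))
```

The internal-range filter is what separates callouts worth investigating from sandbox-local noise such as the SMB attempt to 192.168.1.10 and the loopback DNS query; the summary view then ties a domain to the address it resolved to, so an analyst can check both the name and the IP against threat intelligence and proxy or firewall logs.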