{
  "query": "A user opened an email attachment that executed an .exe which copied user files to AppData\\Roaming and retrieved additional components from a remote host. Which type of malware does this behavior indicate?",
  "options": [
    {
      "text": "Ransomware",
      "explanation": "Ransomware encrypts files or denies access and then demands payment for restoration.",
      "correct": false,
      "selected": false
    },
    {
      "text": "Trojan",
      "explanation": "A Trojan disguises itself as legitimate software and performs hidden malicious actions such as data exfiltration and payload retrieval.",
      "correct": true,
      "selected": false
    },
    {
      "text": "Worm",
      "explanation": "A worm self-replicates and spreads across networks without requiring user installation.",
      "correct": false,
      "selected": false
    }
  ],
  "answer": "<p>The correct answer is <b>Trojan</b>.</p><p>A <b>Trojan</b> is malicious software that relies on a user to run what appears to be a legitimate file and then performs hidden actions. The scenario describes an emailed attachment that executed an .exe, copied user files into AppData\\Roaming, and retrieved additional components from a remote host, and that behavior matches a <b>Trojan</b> because it requires user execution and then downloads or unpacks further payloads from a command and control source.</p><p><i>Ransomware</i> is incorrect because ransomware primarily encrypts or otherwise blocks access to files to demand payment, and the description does not mention file encryption or an extortion demand. Copying files and fetching components alone does not indicate the extortion behavior that defines <i>Ransomware</i>.</p><p><i>Worm</i> is incorrect because worms are self propagating and spread across networks without needing a user to run an attachment. The infection here began with a user executing an emailed .exe, which points away from a self spreading <i>Worm</i> and toward a payload that required user action, which is characteristic of a <b>Trojan</b>.</p>",
  "batch_id": "2439",
  "answerCode": "2",
  "type": "multiple-choice",
  "originalQuery": "You received an email attachment named \"salary_hike_15052013.zip\", and upon opening the zip file, you discover that it contains a .exe file. You unknowingly execute this .exe file, and malware secretly started copying data to the APPDATA\\local directory and establishing a connection to another server to download additional malicious files. This type of malware is known as:",
  "originalOptions": "A. A. Ransomware<br/>B. B. Keylogger<br/>C. C. DDoS<br/>D. D. Trojan",
  "domain": "Reconnaissance Techniques for Ethical Hacking",
  "hasImage": false,
  "queryImage": "",
  "queryImages": [],
  "allImages": [],
  "hasAnyImage": false,
  "deprecatedReference": false,
  "deprecatedMatches": {},
  "hasPre": false,
  "qid": "1786s",
  "tip": "<p>Read the question for clues about how the malware spread and whether user action was required. If an attachment had to be executed and the program then contacted a remote host to download more components think <i>Trojan</i>.</p>",
  "references": [
    "<a href=\"https://learn.microsoft.com/en-us/windows/security/threat-protection/intelligence/malware-types\">https://learn.microsoft.com/en-us/windows/security/threat-protection/intelligence/malware-types</a>",
    "<a href=\"https://www.kaspersky.com/resource-center/threats/trojans\">https://www.kaspersky.com/resource-center/threats/trojans</a>",
    "<a href=\"https://www.sophos.com/en-us/what-is/malware\">https://www.sophos.com/en-us/what-is/malware</a>"
  ],
  "video_url": "https://certificationation.com/videos/others/eccouncil/ethical-hacker/eccouncil-named-salary-hike-15052013-zip-and-upon-opening-exam-1786.html",
  "url": "https://certificationation.com/questions/others/eccouncil/ethical-hacker/eccouncil-named-salary-hike-15052013-zip-and-upon-opening-exam-1786.html"
}