4.2 Lab: Malware Triage Desk
Lab: Malware Triage Desk
Applied analysis · 3 triage cases · Simulated SOC shift · 35–45 min
You are a tier-1 analyst on a security operations center (SOC) shift. Three incident tickets have landed in your queue within 20 minutes. For each case, you will review the evidence, write a short analysis, and then reveal the expected answer to compare.
Your task per case: (1) identify the malware category, (2) name the most likely delivery vector, (3) recommend one immediate containment action. Write your answer BEFORE revealing — that is the point of the lab.
Case 1: The Unexpected Cryptominer
Reporter: Marcus L., Finance Manager
Description: “My laptop fans run at full speed all day even when I’m just in email. Battery life has gone from 6 hours to 90 minutes. IT said CPU is at 94–98 percent. I haven’t installed anything new. Last week I visited an unfamiliar news site a colleague shared — the page was slow and loaded for about 40 seconds before my browser locked briefly.”
Initial telemetry:
top - CPU usage breakdown (endpoint: FIN-LAP-07) chrome.exe: 92.4% (1 tab active: localnewsreview[.]co) [browser helper]: 4.1% msedge: 0.8% system idle: 2.7%
Outbound connections from chrome.exe show sustained traffic to cn-xmr-pool[.]net on port 3333 (a known Monero mining pool).
1. Malware category:
2. Most likely delivery vector:
3. Immediate containment action:
(1) Category: Browser-based cryptojacker — a form of unwanted/malicious software that hijacks CPU to mine cryptocurrency. Functionally related to adware / Trojan-script families; not ransomware, not a worm (no self-propagation, no file encryption).
(2) Delivery: Drive-by download / malicious script on a compromised or attacker-run website (
localnewsreview[.]co). The long load time and brief browser lock are classic fingerprints of a mining script being injected.(3) Containment: Block
cn-xmr-pool[.]net and the source domain at the firewall / DNS layer, clear the browser cache, and close the tab / end chrome.exe. Longer term: deploy a content filter and a browser extension that blocks known mining scripts.Scoring rubric: 1 pt for correct category, 1 pt for plausible delivery vector, 1 pt for actionable containment. 2+/3 = passing.
Case 2: The Spreading Outage
Reporter: Network Operations Center (escalation)
Description: Between 03:12 and 03:47 local time, 217 Windows workstations across three office buildings have become unresponsive. SIEM shows a sudden spike in SMB (TCP 445) traffic from an initial host (HR-WKS-12) that then pivoted outward. Affected machines display a splash screen that reads:
"Your network has been encrypted. All files locked. Pay 20 BTC within 48 hours to this wallet: 1A2b3C... Decryptor will be released after confirmation."
HR-WKS-12’s browsing history shows nothing unusual from the prior day. Windows Update logs on that machine show the March 2017 SMB patch (MS17-010) was never applied. No user opened an email or clicked a link at 03:12.
1. Malware category (note: could be a hybrid):
2. Most likely delivery vector (for the initial host HR-WKS-12):
3. Immediate containment action:
(1) Category: Ransomworm — a hybrid that combines the self-propagation of a worm with the payload of ransomware. The SMB-port pivot with no user action is the worm signature; the ransom splash screen is the ransomware payload. (WannaCry and NotPetya are the canonical examples.)
(2) Delivery: Exploitation of an unpatched network service. The missing MS17-010 patch and the SMB/445 traffic signature point directly to the EternalBlue exploit family. No user action was needed.
(3) Containment: Immediately isolate HR-WKS-12 and all 217 affected devices from the network (disable switch ports or VLAN-quarantine). Block SMB traffic at the perimeter and between VLANs. Then begin restore-from-backup planning — do NOT pay the ransom as a first response; there is no guarantee of decryption and it funds further attacks.
Scoring rubric: Identifying “ransomware + worm-like spread” earns full credit on (1). Naming the unpatched SMB service earns full credit on (2). Network isolation earns full credit on (3). 2+/3 = passing.
Case 3: The Silent Resume
Reporter: Emily K., HR Recruiter
Description: “I opened a resume attachment (Resume_Priya_Nair.docm) from a promising candidate. Word asked me to ‘Enable Content’ to view formatting. I clicked yes. The document looked totally normal — a two-page resume. Nothing else happened. But IT flagged my machine this morning.”
EDR telemetry from her laptop, past 18 hours:
10:42 AM WINWORD.EXE -> cmd.exe -> powershell.exe (encoded command) 10:42 AM powershell.exe -> outbound HTTPS to attacker-cdn[.]info 10:43 AM powershell.exe -> wrote file: %TEMP%\svc_updater.exe 10:44 AM svc_updater.exe -> registered scheduled task: "MSEdgeUpdTask" 11:15 AM MSEdgeUpdTask -> collected: browser saved credentials 03:02 PM MSEdgeUpdTask -> uploaded stolen data to attacker-cdn[.]info
1. Malware category:
2. Delivery vector:
3. Immediate containment action:
(1) Category: Primarily spyware / information stealer. The payload harvests saved credentials and uploads them to an attacker server. Accept credit for “trojan that drops a credential stealer” — the attachment is a trojan, the dropped payload is spyware. NOT ransomware (no encryption), NOT a worm (no self-spread), NOT a rootkit (the process is visible to EDR).
(2) Delivery: Phishing email with a malicious macro-enabled Word document. The “Enable Content” click is the social-engineering trigger that runs the macro, which launches the PowerShell downloader.
(3) Containment: Isolate the laptop from the network immediately. Force password reset on every credential saved in Emily’s browser (email, HR system, anything she has logged into from this machine). Block
attacker-cdn[.]info at the DNS/firewall layer. Remove the scheduled task and the svc_updater.exe file, then plan a full reimage — macro-dropped loaders often establish additional persistence you cannot see at first.Scoring rubric: Full credit on (1) requires identifying credential theft / spyware behavior (not just “malware”). Full credit on (2) requires naming both the phishing delivery AND the macro trigger. Full credit on (3) requires at least two of: isolation, credential rotation, domain block, reimage.
Every AP Cybersecurity FRQ-style scenario asks the same three-part question the lab just asked: identify, attribute, contain. The cases above walk you through that reasoning on a cryptojacker, a ransomworm, and a spyware trojan — three very different shapes of the same question. Practice writing your answers out in complete sentences before revealing; that rehearsal is exactly the exam skill.
Get in Touch
Whether you're a student, parent, or teacher — I'd love to hear from you.
Just want free AP CS resources?
Enter your email below and check the subscribe box — no message needed. Students get daily practice questions and study tips. Teachers get curriculum resources and teaching strategies.
Message Sent!
Thanks for reaching out. I'll get back to you within 24 hours.
Prefer email? Reach me directly at [email protected]