CEH's Malware Analysis module outlines a structured approach:
* Identify suspicious indicators (e.g., JavaScript, OpenAction)
* Extract and analyze embedded objects
* Determine behavior and exploit logic
PDFStreamDumper allows analysts to extract JavaScript code and embedded objects for detailed inspection.
Option B is correct.
Option A is useful but insufficient for deep analysis.
Option C only aids identification, not behavior understanding.

This scenario represents a Botnet-Based Distributed Denial-of-Service (DDoS) attack, as described in CEH v13 Network Attacks. Compromised internal devices become part of a botnet and are used to launch attacks against external targets.
CEH v13 notes that botnets frequently include IoT devices and employee workstations, making insider- originated DDoS activity a serious concern.

Credential stuffing is the best match because the scenario highlights automated login attempts across many accounts with an unusually high success rate, occurring in the aftermath of a breach. In CEH-aligned system hacking concepts, credential stuffing is the automated testing of known username and password pairs- typically harvested from prior breaches-against a different service. Because many users reuse passwords across sites, attackers often achieve a higher-than-normal success rate compared to guessing-based attacks.
This "high success rate" across numerous accounts is a key indicator that the attacker is not randomly guessing, but replaying valid credentials at scale using bots or automation frameworks.
Password spraying differs in that the attacker tries a small set of common passwords (or one password) across many accounts to avoid lockouts. Spraying generally yields a lower success rate and is driven by guessing rather than replaying known credential pairs. A brute force attack is even noisier and typically involves repeated guessing for a single account or small set of accounts; it is both slower and far less likely to produce a high success rate across many users in a short period. Phishing attacks can lead to account takeovers, but the pattern described would more often show targeted victims and varied sources rather than broad, automated, multi-account authentication bursts with consistently successful logins.
CEH defensive guidance emphasizes layered controls: enforce MFA, monitor for abnormal login velocity and credential reuse indicators, deploy bot detection and rate limiting, use breached-password checks, implement adaptive authentication, and tune lockout and detection policies to disrupt automated credential replay without enabling denial-of-service against legitimate users.

The ntpq utility provides detailed NTP peer information, synchronization states, offsets, delays, and strata.
CEH specifically lists ntpq as the tool for querying NTP daemon status and enumerating peer relationships, making it essential for reconnaissance and lateral movement mapping.

The correct answer is B. NetBIOS Enumeration because the ports and services described map directly to NetBIOS over TCP/IP (NBT) and the actions align with querying NetBIOS name table and session services.
In Windows networking (especially older systems), NetBIOS provides naming and session-layer services that can reveal valuable host and user information. Specifically, UDP 137 is used for the NetBIOS Name Service (NBNS), UDP 138 for NetBIOS Datagram Service, and TCP 139 for NetBIOS Session Service. Observing activity on UDP 137/138 and an open TCP 139 strongly indicates that NetBIOS services are reachable and can be interrogated.
The scenario states Jake "uses a utility to query the name table and session services," which is a hallmark of NetBIOS enumeration. NetBIOS name table queries can disclose machine names, domain/workgroup names, and sometimes logged-in usernames (depending on configuration and what names are registered). Session
/service enumeration can reveal information about active sessions and available resources. The fact that Jake obtains machine names, usernames, and shared folders without authentication is consistent with weakly configured legacy Windows networking where NetBIOS/SMB information disclosure is possible through null
/unauthenticated queries.
Why not the other options: NFS enumeration targets UNIX/Linux file sharing and is unrelated to ports 137-
139. SNMP enumeration uses UDP 161/162 and relies on SNMP communities, not NetBIOS naming/session queries. SMB enumeration is closely related and often overlaps operationally, but the question emphasizes
"query the name table and session services" and explicitly references the classic NetBIOS port set (137/138
/139), making NetBIOS enumeration the most precise classification for this behavior.
In practice, defenders mitigate this exposure by disabling NetBIOS where unnecessary, restricting these ports at network boundaries, enforcing SMB hardening, and limiting anonymous/null session information disclosure.