Affiliate disclosure

Book titles on this page link to Amazon. As an Amazon Associate, DataField.Dev earns from qualifying purchases — at no additional cost to you.

Chapter 32 — Further Reading

Foundations (🔬 / deeper)

  • "Practical Malware Analysis" — Sikorski & Honig (No Starch Press). The canonical textbook: the safe lab, static and dynamic analysis, the PE format, anti-analysis, and (further than this chapter goes) hands-on reverse engineering, with labs and a solutions key. If you read one book after this chapter, read this one.
  • "Learning Malware Analysis" — Monnappa K A (Packt). A modern, example-driven companion strong on dynamic analysis, memory forensics integration, and code-injection techniques — excellent for turning the chapter's concepts into muscle memory.
  • "The Art of Memory Forensics" — Ligh, Case, Levy & Walters (Wiley). Where the running malware gets analyzed; the natural pairing with Chapter 22 and with the YARA-in-memory technique from this chapter. Its companion, the "Malware Analyst's Cookbook," is a recipe shelf for the tasks here.

Approachable explanations (everyone)

  • MITRE ATT&CK (attack.mitre.org). The free, browsable taxonomy behind every technique ID in this chapter. Look up T1547.001, T1055, T1071.001 and read the detection guidance — it tells you what to hunt for, not just what to name.
  • David Bianco, "The Pyramid of Pain" (the original blog post). Two pages that reframe IOC production for life: invest detection effort where it hurts the attacker, not where it is easiest to collect.
  • OALabs, MalwareTech, and Marcus Hutchins / @herrcore (YouTube & blogs). Free, superbly clear walk-throughs of real samples — unpacking, config extraction, and "what does this actually do" — that show the tools of this chapter in motion.
  • 🛡️ REMnux (remnux.org, Lenny Zeltser) & FLARE-VM (github.com/mandiant/flare-vm). The two free platforms the chapter is built on. Install both in an isolated hypervisor — this is your lab.
  • 🛡️ CAPE Sandbox (github.com/kevoreilly/CAPEv2) and Cuckoo. Self-hosted automated sandboxes with automatic unpacking and config extraction — the OPSEC-correct choice for targeted samples.
  • 🔍 YARA documentation (yara.readthedocs.io) and Sigma (github.com/SigmaHQ/sigma). The two detection languages to actually write in — files/memory and logs respectively. Read real rules in the SigmaHQ repo to learn idiom.
  • 💾 No More Ransom (nomoreransom.org) and the Emsisoft decryptor list. Where family attribution becomes free recovery — the Crypto Sheriff identifies a family from a note and a sample, and lists whether a decryptor exists (Case Study 1's lifeline).
  • 🛡️ The DFIR Report (thedfirreport.com) and abuse.ch (MalwareBazaar, URLhaus). Real intrusion write-ups full of IOCs and TTPs, plus a community sample source for safe practice.
  • 📜 SANS FOR610 / GREM. The reverse-engineering-malware course and certification path; pairs with the legal-authority material in Chapter 25 for handling samples lawfully.

Reference (this book)

Do, don't just read

  • Stand up the lab. Build REMnux + FLARE-VM on a host-only network with snapshots; verify the network adapter is isolated with your own eyes before anything else.
  • Triage a real sample safely. Pull a known sample from MalwareBazaar (password-protected zip), and run the full static pass — file, hashes, strings (both encodings), pefile, section entropy — without ever uploading it.
  • Write and run a YARA rule keyed to a durable indicator, then scan a folder and a memory image with it.
  • Practice the mechanics on safe software: UPX-pack a copy of notepad.exe, watch the entropy jump and the imports shrink, and run Regshot around a benign installer to see Run-key and file changes appear.

Next: Chapter 33 — Cryptocurrency Investigation: follow the money the weapon was built to extract — trace the wallets, cluster the addresses, and turn the ransom demand into a blockchain trail.