lauriewired | 1 year ago
The flow is essentially:
1. Break down a sample to determine behavior; this is usually a mixture of static (decompilation) and dynamic (running the sample in a safe env w/ a debugger) analysis.
2. Write a signature / detection based on unique identifiers you discover inside the payload. This is where the real skill comes in; being extremely clever with Regex is helpful here.
It's a tricky game to keep up with malware developers. Write a signature too specific, and all they have to do is recompile with a few string changes to defeat you. Conversely, if a detection is too broad, you run the risk of detecting benign software (aka a False Positive or FP).
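The specificity trade-off described in the comment above, as an added example that is not part of the original post or the commenter's own tooling. The three byte strings stand in for strings dumped from a decompiled binary (an original sample, the same sample "recompiled with a few string changes", and a benign updater); they are constructed for illustration, the IP addresses are documentation ranges, and none of it is real malware. The three signatures are plain Python regexes standing in for what would normally be YARA rules.

```python
import re
from dataclasses import dataclass

# Constructed stand-ins for strings pulled out of a decompiled/dumped binary.
# Not real malware; illustration only.
MALWARE_V1 = (
    b"GetProcAddress\x00VirtualAlloc\x00CreateRemoteThread\x00"
    b"http://203.0.113.10/c2/beacon.php?id=%08x\x00"
    b"Mozilla/4.0 (compatible; MSIE 6.0)\x00"
)
# "Recompiled with a few string changes": same behaviour, different literals.
MALWARE_V2 = (
    b"GetProcAddress\x00VirtualAlloc\x00CreateRemoteThread\x00"
    b"http://198.51.100.7/api/ping.php?id=%08x\x00"
    b"Mozilla/5.0 (Windows NT 10.0)\x00"
)
# Benign updater: also talks HTTP, but has no injection primitives and
# uses a hostname rather than an IP-literal C2 URL.
BENIGN_UPDATER = (
    b"GetProcAddress\x00CreateFileW\x00WriteFile\x00"
    b"http://updates.example.org/check?v=%d\x00"
    b"Mozilla/5.0 (Windows NT 10.0)\x00"
)

# name -> (sample bytes, is_malicious ground truth)
SAMPLES = {
    "malware_v1": (MALWARE_V1, True),
    "malware_v2": (MALWARE_V2, True),
    "benign_updater": (BENIGN_UPDATER, False),
}


@dataclass
class Signature:
    """A detection: every pattern must match somewhere in the sample (YARA-style 'all of them')."""
    name: str
    patterns: list  # compiled bytes regexes

    def matches(self, sample: bytes) -> bool:
        return all(p.search(sample) for p in self.patterns)


# Too specific: keys on one literal URL, so a rebuild with a new C2 evades it.
SIG_TOO_SPECIFIC = Signature("too_specific", [
    re.compile(re.escape(b"http://203.0.113.10/c2/beacon.php")),
])

# Too broad: any program with an http:// string fires, including the updater (FP).
SIG_TOO_BROAD = Signature("too_broad", [
    re.compile(rb"http://"),
])

# Balanced: keys on behaviour that survives a recompile. The injection
# imports appear adjacent in the import dump, and the beacon URL keeps its
# shape (IP literal, .php endpoint, %08x-formatted id) even when the
# host, path and User-Agent strings change.
SIG_BALANCED = Signature("balanced", [
    re.compile(rb"VirtualAlloc\x00CreateRemoteThread"),
    re.compile(rb"http://\d{1,3}(?:\.\d{1,3}){3}/[a-z0-9/]+\.php\?id=%08x"),
])


def evaluate(sig: Signature, samples=SAMPLES) -> dict:
    """Per-sample verdicts: name -> True if the signature fires."""
    return {name: sig.matches(data) for name, (data, _) in samples.items()}


def score(sig: Signature, samples=SAMPLES) -> tuple:
    """Return (true_positives, false_negatives, false_positives)."""
    tp = fn = fp = 0
    for name, (data, malicious) in samples.items():
        hit = sig.matches(data)
        if malicious and hit:
            tp += 1
        elif malicious and not hit:
            fn += 1
        elif not malicious and hit:
            fp += 1
    return tp, fn, fp


if __name__ == "__main__":
    for sig in (SIG_TOO_SPECIFIC, SIG_TOO_BROAD, SIG_BALANCED):
        tp, fn, fp = score(sig)
        print(f"{sig.name:13s} TP={tp} FN={fn} FP={fp} {evaluate(sig)}")
```

The useful check when tuning a real rule is the same as `score` here: run the candidate against every variant of the family you have plus a corpus of clean software, and treat a non-zero FN column as "too specific" and a non-zero FP column as "too broad". The balanced rule only works because it keys on what the malware has to keep doing (inject into a remote process, beacon with a formatted id), not on the literals the author can change for free.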