Update malware-analysis.md

carlospolop · web-flow · commit abaa9414c0e0 · 2026-05-03T16:05:28.000+02:00
diff --git a/src/generic-methodologies-and-resources/basic-forensic-methodology/malware-analysis.md b/src/generic-methodologies-and-resources/basic-forensic-methodology/malware-analysis.md
@@ -623,20 +623,6 @@ for (i = 0; i < 4; i++) {
 write(fd, nonce, 12);                          // only the last nonce survives
 ```
 
-Practical triage points:
-- **Confirm the real primitive** instead of trusting actor claims or third-party reporting. If the binary calls `crypto_stream_chacha20_ietf_xor`, this is raw **ChaCha20-IETF** stream encryption, not AEAD.
-- **Check the file format**. ChaCha20-Poly1305 adds a 16-byte tag, while raw `crypto_stream_*_xor` output is only `ciphertext XOR keystream` plus whatever metadata the malware stores itself. A file ending in a single 12-byte trailer and no authentication tag is a strong sign that only one nonce was persisted.
-- **Map chunk offsets and sizes** from code, not CLI text. Many lockers parse `--fast` / `--secure` style options that never influence the encryption path. Verify the variables are actually read after parsing.
-- **Separate recoverable from destroyed regions**. Bytes outside the encrypted chunks remain plaintext; only the chunks whose exact `(key, nonce)` pair is known are decryptable. This matters for salvage, carving, and ransom-payment decisions.
-- **Treat CSPRNG-generated missing nonces as lost**, not derivable. If earlier nonces come from `randombytes()`, `RtlGenRandom`, `getrandom()`, or `/dev/urandom` and are not written anywhere else, they cannot be reconstructed by reversing.
-
-Quick analyst workflow:
-1. Identify the stream/AEAD API in the binary (`crypto_stream_chacha20_ietf_xor` vs `crypto_aead_*`).
-2. Reconstruct the on-disk layout from code and from an encrypted sample.
-3. Count how many times the per-file loop generates a nonce and how many nonces are stored.
-4. Compare claimed operator modes with the real code paths and constants.
-5. Report the exact file-size threshold and which regions are permanently lost.
-
 ## References
 
 - [Unit42 – Evolving Tactics of SLOW#TEMPEST: A Deep Dive Into Advanced Malware Techniques](https://unit42.paloaltonetworks.com/slow-tempest-malware-obfuscation/)
