I am passionate about developing a standalone version of the distinct capabilities of the malware or attack vector that I analyze. It helps me to understand the specimen much more deeply. The other advantage is that your code breaks when the actor updates the capability. That means I can track them. In one of my other blog posts, I described how I tracked two highly active malware families, Remcos and Emotet, for months. It is for fun and profit.