ssdeep hashes are calculated using an algorithm that generates a fingerprint, or hash value, based on the content of a file. Unlike traditional cryptographic hashes, which generate a fixed-length hash value over the entire file, ssdeep hashes generate a variable-length hash value built from subsets of the file's content. This allows ssdeep hashes to identify files that are similar or identical, even if they have been modified or manipulated in some way.

Malicious actors often use techniques such as file obfuscation or packing to make their malware difficult to detect and analyze. However, ssdeep hashes can be used to pinpoint similar or identical versions of the same malware, even if the file has been disguised in some way.

Security teams can use ssdeep hashes to identify and track different versions of the same malware, to identify similar or related malware strains, and to build comparative datasets that improve their understanding of the tactics and infrastructure used by malicious actors.
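To make the "subsets of the file's content" idea concrete, the following is an added, simplified implementation of context-triggered piecewise hashing in the style of ssdeep. It is not the ssdeep library, its output is not compatible with real ssdeep hashes, and the sample "files" it hashes are constructed pseudo-random byte strings, not data from this page. It shows the three pieces the text alludes to: a rolling hash that decides where chunk boundaries fall, a per-chunk hash that becomes one character of the signature, and an edit-distance comparison that yields the 0 to 100 similarity score used as the cutoff in the query described below.

```python
"""Simplified context-triggered piecewise hashing (CTPH), ssdeep-style.

Added illustration only: NOT the ssdeep library, and not hash-compatible
with it. The structure (rolling-hash trigger points, one base64 character
per chunk, block size plus a double-block-size signature, edit-distance
similarity score) follows the published ssdeep design.
"""
import random

B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
SPAMSUM_LENGTH = 64       # target signature length, as in ssdeep
MIN_BLOCKSIZE = 3
WINDOW = 7                # rolling-hash window in bytes
FNV_INIT, FNV_PRIME = 0x28021967, 0x01000193
MASK = 0xFFFFFFFF


class RollingHash:
    """Rolling hash over the last WINDOW bytes; its value depends only on
    local content, so chunk boundaries re-synchronise after an edit."""
    def __init__(self):
        self.window = [0] * WINDOW
        self.h1 = self.h2 = self.h3 = 0
        self.n = 0

    def update(self, b):
        self.h2 = (self.h2 - self.h1 + WINDOW * b) & MASK
        self.h1 = (self.h1 + b - self.window[self.n % WINDOW]) & MASK
        self.window[self.n % WINDOW] = b
        self.n += 1
        self.h3 = ((self.h3 << 5) ^ b) & MASK
        return (self.h1 + self.h2 + self.h3) & MASK


def _signature(data, bs):
    """Emit one base64 char per chunk at block size bs and at 2*bs.
    A chunk ends wherever the rolling hash hits the trigger value."""
    roll, h1, h2, sig1, sig2 = RollingHash(), FNV_INIT, FNV_INIT, [], []
    pend1 = pend2 = 0                       # bytes seen since last trigger
    for b in data:
        r = roll.update(b)
        h1 = ((h1 * FNV_PRIME) ^ b) & MASK  # FNV-style hash of current chunk
        h2 = ((h2 * FNV_PRIME) ^ b) & MASK
        pend1 += 1
        pend2 += 1
        if r % bs == bs - 1:
            sig1.append(B64[h1 & 63]); h1, pend1 = FNV_INIT, 0
        if r % (2 * bs) == 2 * bs - 1:
            sig2.append(B64[h2 & 63]); h2, pend2 = FNV_INIT, 0
    if pend1:
        sig1.append(B64[h1 & 63])           # trailing partial chunk
    if pend2:
        sig2.append(B64[h2 & 63])
    return "".join(sig1), "".join(sig2)


def fuzzy_hash(data):
    """Return 'blocksize:sig:sig2', choosing the block size from the input
    length and halving it when the signature comes out too short."""
    bs = MIN_BLOCKSIZE
    while bs * SPAMSUM_LENGTH < len(data):
        bs *= 2
    while True:
        s1, s2 = _signature(data, bs)
        if len(s1) >= SPAMSUM_LENGTH // 2 or bs == MIN_BLOCKSIZE:
            return f"{bs}:{s1}:{s2}"
        bs //= 2


def _levenshtein(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _score(s1, s2):
    """0..100; unrelated signatures score 0 unless they share a 7-char run,
    which is the guard ssdeep uses against chance matches."""
    if not any(s1[i:i + 7] in s2 for i in range(len(s1) - 6)):
        return 0
    return max(0, 100 - (100 * _levenshtein(s1, s2)) // (len(s1) + len(s2)))


def compare(h1, h2):
    """Signatures are comparable only at equal block size or one doubling."""
    bs1, a1, a2 = h1.split(":"); bs2, b1, b2 = h2.split(":")
    bs1, bs2 = int(bs1), int(bs2)
    if bs1 == bs2:
        return max(_score(a1, b1), _score(a2, b2))
    if bs1 == 2 * bs2:
        return _score(a1, b2)
    if 2 * bs1 == bs2:
        return _score(a2, b1)
    return 0


def demo():
    """Constructed samples: an 'original', the same bytes with a 64-byte
    region rewritten (as when a config string is patched), and an
    unrelated file of the same size."""
    rng = random.Random(1234)
    original = bytes(rng.getrandbits(8) for _ in range(4096))
    patched = original[:2000] + bytes(rng.getrandbits(8) for _ in range(64)) + original[2064:]
    unrelated = bytes(random.Random(9999).getrandbits(8) for _ in range(4096))
    ho, hp, hu = fuzzy_hash(original), fuzzy_hash(patched), fuzzy_hash(unrelated)
    return {"identical": compare(ho, ho), "patched": compare(ho, hp), "unrelated": compare(ho, hu)}


if __name__ == "__main__":
    for label, score in demo().items():
        print(f"{label}: {score}")
```

The patched file keeps a high score because only the chunk (or two) overlapping the edited region changes; every other chunk boundary and chunk hash is reproduced exactly, which is what a full-file cryptographic hash cannot do. The "minimum hash similarity cutoff" in the query below is a threshold on exactly this kind of score.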
- Navigate to Advanced Query Builder > Xperimental Queries > ssdeep find similair
- Specify an ssdeep hash
- (Optional) Specify a minimum hash similarity cutoff
- (Optional) Choose to limit the set of returned results
- (Optional) Choose to skip a specified number of results
- Click Search
Saving queries
Organizational users are able to save individual queries run from Advanced Query Builder and store them in the Private Queries menu, for future analysis or to share with their organization.
- Specify the query parameters
- Click Save Query
- Give your query a Name
- Specify a Description to add more context
- Click Save