ssdeep hashes are calculated by an algorithm that generates a fingerprint, or hash value, from the content of a file. Unlike traditional cryptographic hashes, which produce a fixed-length value computed over the entire file, ssdeep produces a variable-length value built from hashes of segments of the file's content. Two ssdeep hashes can therefore be compared to identify files that are similar as well as files that are identical, even if a file has been modified or manipulated in some way.
Use Case
Malicious actors often use techniques such as file obfuscation or packing to make their malware harder to detect and analyze. However, ssdeep hashes can be used to pinpoint similar or identical versions of the same malware, even if the file has been disguised in some way.
Security teams can use ssdeep hashes to identify and track different versions of the same malware, to identify similar or related malware strains, and to build comparative datasets that give a better understanding of the tactics and infrastructure used by malicious actors.
ssdeep Hashes
1. Navigate to Advanced Query Builder > Xperimental Queries > ssdeep find similar.
2. Specify an ssdeep hash.
3. (Optional) Set a minimum hash similarity cutoff to refine results; ssdeep similarity scores range from 0 (no match) to 100 (identical hashes).
4. (Optional) Limit the number of returned results or skip a specified number.
5. Click Search.
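To show how the similarity score and cutoff used by a "find similar" search are produced, here is an added Python example (not part of this page or the product's own code) that reimplements the comparison step of the open-source ssdeep/spamsum algorithm: block-size compatibility, weighted edit distance on the two hash pieces, and scaling to a 0-100 score. The function names, the `find_similar` helper and the sample signatures are assumptions constructed for illustration, and the scores follow the published scoring approach rather than being a drop-in replacement for libfuzzy.

```python
import re
SPAMSUM_LENGTH, ROLLING_WINDOW, MIN_BLOCKSIZE = 64, 7, 3  # constants from spamsum/ssdeep

def parse(sig):
    """Split 'blocksize:hash1:hash2[,filename]' and collapse runs longer than 3 chars."""
    bs, h1, h2 = sig.split(",", 1)[0].split(":", 2)
    return int(bs), *[re.sub(r"(.)\1{3,}", r"\1\1\1", h) for h in (h1, h2)]

def edit_distance(a, b):
    """Weighted Levenshtein: insert/delete cost 1, substitution cost 2."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (0 if ca == cb else 2)))
        prev = cur
    return prev[-1]

def score_strings(a, b, block_size):
    """Edit distance -> 0-100 similarity, scaled by hash length (0 = no match)."""
    if not any(a[i:i + ROLLING_WINDOW] in b for i in range(len(a) - ROLLING_WINDOW + 1)):
        return 0  # no shared ROLLING_WINDOW-long substring: not even candidates
    score = 100 * (edit_distance(a, b) * SPAMSUM_LENGTH // (len(a) + len(b))) // SPAMSUM_LENGTH
    if score >= 100:
        return 0
    if block_size < (99 + ROLLING_WINDOW) * MIN_BLOCKSIZE // ROLLING_WINDOW:
        # small block sizes: cap so that short signatures cannot exaggerate a match
        return min(100 - score, block_size // MIN_BLOCKSIZE * min(len(a), len(b)))
    return 100 - score

def compare(sig1, sig2):
    """Block sizes must be equal or differ by one doubling; otherwise no comparison."""
    bs1, a1, a2 = parse(sig1)
    bs2, b1, b2 = parse(sig2)
    if bs1 == bs2:
        return max(score_strings(a1, b1, bs1), score_strings(a2, b2, bs1 * 2))
    if bs1 == bs2 * 2:
        return score_strings(a1, b2, bs1)
    return score_strings(a2, b1, bs2) if bs2 == bs1 * 2 else 0

def find_similar(query, candidates, cutoff=0, limit=None):
    """Score every candidate, keep those at or above the cutoff, best first."""
    hits = ((name, compare(query, sig)) for name, sig in candidates.items())
    return sorted((h for h in hits if h[1] >= cutoff), key=lambda h: -h[1])[:limit]

SAMPLES = {  # constructed signatures for illustration, not hashes of real files
    "sample_a": "3072:abcdefghijklmnop:qrstuvwxyz",
    "sample_b": "3072:abcdefghijklmnoX:qrstuvwxQZ",  # two late-byte edits
    "sample_c": "48:abcdefghijklmnop:qrstuvwxyz",    # same pieces, incompatible block size
}
```

Running `find_similar(SAMPLES["sample_a"], SAMPLES, cutoff=90)` returns sample_a at 100 and sample_b at 94, while sample_c scores 0 because its block size cannot be compared with 3072.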
Save Queries
Organizational users can save queries for future use or sharing.
1. Specify query parameters.
2. Click Save Query.
3. Provide a Name and Description for context.
4. Click Save. The query appears in Private Queries.