SSDEEP — Fuzzy Hashing

Sathish Sivaprakash
3 min readJan 18, 2022

They are different hashing we use like Md5, SHA1, SHA256 and SHA512 etc., when it is come to malware detection most of the AV will detect based on the signatures, which contains hash information as a one of the key element for malwares.

So, to avoid detecting from the AV, attacker can make few changes in the malware so that integrity of the hash will change to bypass the detection.

To avoid this issue we are going to use SSDeep Fuzzy Hashing Function.

SSDeep is the great tool widely used for simple identification purposes, which is for computing the context triggered piecewise hashes (CTPH).

So using SSDeep we can check the similarity between two files at the binary level. you can ask SSDeep is “MalwareFile1” is same as “MalwareFile2”? SSDeep will compare and give you the percentage value.

Let’s start.

To Download SSDeep Tool please click here

I created four files which has similar content but not exactly same and so we get different hashes.

Different Hash Value

Here hash function only look for exact match but not the similarity, so to identify the similarity of these file we are going to use fuzzy hashing function using ssdeep.

Type “ ssdeep * “ to get all hashes for all files

After getting the fuzzy hashes now we can compare these fuzzy hashes with another hashes to get the similarity among these files, for that we also need to create the hash DB (Like Saving Hashes in Text File) by simple run the below command.

Ignore the Error — Any file is Created

Now, lets compare the fuzzy hashed and see the similarity match

Match Results
  1. Malware1 matches with Malware1–100% which is expected since both are same file.
  2. Malware1 matches with Malware1.1–83% similarity check done. which shown these file are similar but different version. And same goes for Malware2.1 match with Malware2–96%

In the conclusion you also match these hashes with all the file hashes using below command.

Final Result

Now we can able to see the complete similarity check between all the malware files using fuzzy hashing.

For more options try below command.

Help Command

Thanks for Reading.

--

--

Sathish Sivaprakash

Threat Intelligence Analyst and Security Automation | Located in Abu Dhabi, UAE.