Chapter 0
Disclaimer: There is no such chapter in the actual Practical Malware Analysis book.
- In the midst of working through a few of the lab samples, I realised that some of them share the same code structure, functions and imports despite having different hashes.
- The purpose of this chapter is to avoid doing the same analysis twice.
- Whilst I understand the reason for reusing the same malware (lesson objectives), I am using the samples in this book to practise, build an analysis workflow and gain confidence, hence the need to avoid double work.
- This also has the added benefit of showing how to spot variants of the same malware. Note that fuzzy hashing only catches close byte-level variants: once a sample is packed or otherwise rewritten (polymorphism), its bytes change enough that the fuzzy hashes stop matching, so a low score does not prove two samples are unrelated.
SSDEEP
- A quick and dirty method used here is ssdeep, a fuzzy (context-triggered piecewise) hashing tool: instead of the all-or-nothing answer of a cryptographic hash, it scores how similar two files are on a 0-100 scale. A score of 100 means the two fuzzy hashes match fully, which is why files with different cryptographic hashes can still score 100; scores in the 20s and 30s share only a few chunks and are worth a look, but not a reason to skip a sample.
- While there are other techniques such as ImpHash and section hashes, ssdeep is the only tool known to me that can do it at scale and automatically.
- ssdeep -d -r -c ./Folder_with_malware
- -d compares every file in the directory against the others (without it ssdeep only prints each file's fuzzy hash), -r recurses into subfolders and -c prints the matches as CSV. -t N drops matches scoring below N if the weak pairs are just noise.
Results
| File A | File B | ssdeep match score (0-100) |
|---|---|---|
/Chapter_15L/Lab15-01.exe | /Chapter_7L/Lab07-02.exe | 36 |
/Chapter_15L/Lab15-03.exe | /Chapter_15L/Lab15-01.exe | 24 |
/Chapter_15L/Lab15-02.exe | /Chapter_15L/Lab15-01.exe | 32 |
/Chapter_15L/Lab15-02.exe | /Chapter_15L/Lab15-03.exe | 29 |
/Chapter_1L/Lab01-01.dll | /Chapter_7L/Lab07-03.dll | 100 |
/Chapter_1L/Lab01-01.exe | /Chapter_7L/Lab07-03.exe | 100 |
/Chapter_18L/Lab18-02.exe | /Chapter_1L/Lab01-03.exe | 100 |
/Chapter_5L/Lab05-01.dll | /Chapter_17L/Lab17-02.dll | 93 |
/Chapter_12L/Lab12-02.exe | /Chapter_17L/Lab17-03.exe | 60 |
/Chapter_12L/Lab12-04.exe | /Chapter_1L/Lab01-04.exe | 99 |
/Chapter_3L/Lab03-03.exe | /Chapter_17L/Lab17-03.exe | 60 |
/Chapter_3L/Lab03-03.exe | /Chapter_12L/Lab12-02.exe | 100 |
/Chapter_3L/Lab03-04.exe | /Chapter_9L/Lab09-01.exe | 100 |
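To turn that pair list into a work plan, here is an added example (not part of the original notes and not ssdeep's own code) that groups the pairs into clusters with union-find, so one threshold decides which labs can be treated as a single sample. It assumes the CSV shape `"fileA","fileB",score` that `ssdeep -d -c` emits (the default `fileA matches fileB (score)` form is accepted too); the sample pairs embedded in it are constructed from the table above, and picking the earliest chapter as the representative of each cluster is my own choice.

```python
"""Group ssdeep pairwise matches into clusters of near-duplicate samples.

Added example for these notes, not code from ssdeep itself.  Assumed input:
the matching output of `ssdeep -d -r -c <dir>`, one pair per line as
"fileA","fileB",score (the default `fileA matches fileB (score)` form is
accepted as well).  Pairs are joined with union-find so the score threshold
can be changed without re-running ssdeep.
"""
import csv
import re
import sys

# Constructed sample output, copied from the results table above.
SAMPLE_OUTPUT = """\
"/Chapter_15L/Lab15-01.exe","/Chapter_7L/Lab07-02.exe",36
"/Chapter_15L/Lab15-03.exe","/Chapter_15L/Lab15-01.exe",24
"/Chapter_15L/Lab15-02.exe","/Chapter_15L/Lab15-01.exe",32
"/Chapter_15L/Lab15-02.exe","/Chapter_15L/Lab15-03.exe",29
"/Chapter_1L/Lab01-01.dll","/Chapter_7L/Lab07-03.dll",100
"/Chapter_1L/Lab01-01.exe","/Chapter_7L/Lab07-03.exe",100
"/Chapter_18L/Lab18-02.exe","/Chapter_1L/Lab01-03.exe",100
"/Chapter_5L/Lab05-01.dll","/Chapter_17L/Lab17-02.dll",93
"/Chapter_12L/Lab12-02.exe","/Chapter_17L/Lab17-03.exe",60
"/Chapter_12L/Lab12-04.exe","/Chapter_1L/Lab01-04.exe",99
"/Chapter_3L/Lab03-03.exe","/Chapter_17L/Lab17-03.exe",60
"/Chapter_3L/Lab03-03.exe","/Chapter_12L/Lab12-02.exe",100
"/Chapter_3L/Lab03-04.exe","/Chapter_9L/Lab09-01.exe",100
"""

PLAIN_RE = re.compile(r"^(.+?) matches (.+?) \((\d+)\)$")
CHAPTER_RE = re.compile(r"Chapter_(\d+)L")  # assumption: the lab folder naming used above


def parse_matches(text):
    """Return a list of (file_a, file_b, score) tuples from ssdeep match output."""
    pairs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = PLAIN_RE.match(line)
        if m:
            pairs.append((m.group(1), m.group(2), int(m.group(3))))
            continue
        row = next(csv.reader([line]))
        if len(row) == 3 and row[2].strip().isdigit():
            pairs.append((row[0], row[1], int(row[2])))
    return pairs


def chapter_key(path):
    """Sort key putting the earliest chapter first, so it becomes the cluster representative."""
    m = CHAPTER_RE.search(path)
    return (int(m.group(1)) if m else 10**9, path)


class DisjointSet:
    """Minimal union-find over file paths."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster(pairs, threshold):
    """Group files linked by at least one match with score >= threshold.

    Returns only clusters with two or more members, each sorted by chapter,
    with the clusters themselves ordered by their representative.
    """
    ds = DisjointSet()
    for a, b, score in pairs:
        ds.find(a)
        ds.find(b)
        if score >= threshold:
            ds.union(a, b)
    groups = {}
    for path in ds.parent:
        groups.setdefault(ds.find(path), []).append(path)
    clusters = [sorted(g, key=chapter_key) for g in groups.values() if len(g) > 1]
    return sorted(clusters, key=lambda g: chapter_key(g[0]))


def analysis_plan(pairs, threshold):
    """Map each cluster's representative (earliest chapter) to the later samples it covers."""
    return {g[0]: g[1:] for g in cluster(pairs, threshold)}


if __name__ == "__main__":
    # Usage: ssdeep -d -r -c ./Folder_with_malware | python3 <this script> [threshold]
    threshold = int(sys.argv[1]) if len(sys.argv) > 1 else 90
    text = SAMPLE_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    for rep, covered in analysis_plan(parse_matches(text), threshold).items():
        print(f"{rep}  also covers: {', '.join(covered)}")
```

Piping real ssdeep output into the script with a threshold of 90 collapses the table above into seven pairs of near-identical labs; at 50 Lab03-03, Lab12-02 and Lab17-03 merge into one cluster, and only at 20 do the four Chapter 7 and 15 samples join into a single weak cluster, which is exactly the kind of grouping that still deserves separate analysis.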