Biblio

Modern malware indicators utilized by the current top threat feeds are easily bypassed and generated through enigmatic methods, leading to a lack of detection capabilities for cyber defenders. Static hash-based algorithms such as MD5 or SHA generate indicators that are rendered obsolete by modifying a single byte of the source file. Conversely, fuzzy hash-based algorithms such as SSDEEP and TLSH are more robust to alterations of source information; however, these methods often utilize context boundaries that are hard to define or not based on meaningful information. In previous work, a custom binary analysis tool was created called @DisCo. In this study, four current ransomware campaigns were analyzed using TLSH fuzzy hashing and the @DisCo tool. While TLSH works on the binary level of the entire program, @DisCo works at an intermediate function level. The results from each analysis method were compared to provide validation between the two as well as introduce a narrative for using combinations of these types of methods for the creation of stronger indicators of compromise.