An investigator finds that a suspicious binary reuses multiple coding structures and variable naming styles seen in a previous high-impact threat. Which tactic best supports drawing a reliable link between the new binary and the previously observed malicious code base?
Reviewing code stylometry to identify repeated programming conventions
Scheduling a sandbox run to observe the binary’s malicious actions
Matching binary hashes against antivirus signatures
Comparing event logs to see if both binaries triggered the same alert
Code stylometry examines programming patterns that persist across different binaries, allowing analysts to attribute samples to specific threat actor toolsets. Unlike behavior analysis or log comparison, which confirm malicious activity or operational context, stylometry links binaries based on development style, aiding in attribution. This makes it an effective method for associating unknown binaries with previously observed malicious code bases.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is code stylometry in malware analysis?
Open an interactive chat with Bash
Why is code stylometry more reliable for attribution compared to behavior analysis?
Open an interactive chat with Bash
How does code stylometry differ from comparing binary hashes?