Unveiling Hidden Connections: JA4 Client Fingerprinting on VirusTotal

VirusTotal has incorporated a powerful new tool to fight against
malware: JA4 client fingerprinting. This feature allows
security researchers to track and identify malicious files based
on the unique characteristics of their TLS client communications.



JA4: A More Robust Successor to JA3

JA4, developed by FoxIO, represents a significant advancement
over the older JA3 fingerprinting method. JA3’s effectiveness
had been hampered by the increasing use of TLS extension
randomization in HTTPS clients, which made fingerprints less
consistent. JA4 was specifically designed to be resilient to
this randomization, resulting in more stable and reliable
fingerprints.


Unveiling the Secrets of the Client Hello

JA4 fingerprinting focuses on analyzing the TLS Client Hello
packet, which is sent unencrypted from the client to the server
at the start of a TLS connection. This packet contains a
treasure trove of information that can uniquely identify the
client application or its underlying TLS library. Some of the
key elements extracted by JA4 include:

  • TLS Version: The version of TLS supported by the client.
  • Cipher Suites: The list of cryptographic algorithms the
    client can use.
  • TLS Extensions: Additional features and capabilities
    supported by the client.
  • ALPN (Application-Layer Protocol Negotiation): The
    application-level protocol, such as HTTP/2 or HTTP/3, that
    the client wants to use after the TLS handshake.
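
The resilience to extension randomization described above can be checked with the elements just listed. This is an added example, not code from VirusTotal or FoxIO: it builds a JA4 string following the public JA4 description and compares it with a JA3 hash for the same Client Hello. It assumes TLS over TCP and that the caller passes the highest TLS version offered; all Client Hello values are constructed.

```python
import hashlib

# GREASE placeholders (0x0a0a, 0x1a1a, ... 0xfafa) are dropped before hashing.
GREASE = {0x0A0A + 0x1010 * i for i in range(16)}
VERSIONS = {0x0304: "13", 0x0303: "12", 0x0302: "11", 0x0301: "10"}

def _hex_list(values):
    return ",".join(f"{v:04x}" for v in values)

def _h12(text):
    # JA4 keeps the first 12 hex chars of SHA-256; an empty list becomes zeros.
    return hashlib.sha256(text.encode()).hexdigest()[:12] if text else "0" * 12

def ja4(version, ciphers, extensions, sig_algs, alpn):
    """JA4 for a TLS-over-TCP Client Hello; `version` is the highest offered."""
    ciphers = [c for c in ciphers if c not in GREASE]
    exts = [e for e in extensions if e not in GREASE]
    sni = "d" if 0x0000 in exts else "i"              # SNI present -> "d"
    tag = alpn[0][0] + alpn[0][-1] if alpn else "00"  # first ALPN value
    a = f"t{VERSIONS[version]}{sni}{len(ciphers):02d}{len(exts):02d}{tag}"
    b = _h12(_hex_list(sorted(ciphers)))              # sorted: order-independent
    # SNI (0x0000) and ALPN (0x0010) are counted in JA4_A but not hashed.
    c_raw = _hex_list(sorted(e for e in exts if e not in (0x0000, 0x0010)))
    if sig_algs:
        c_raw += "_" + _hex_list(sig_algs)            # kept in wire order
    return f"{a}_{b}_{_h12(c_raw)}"

def ja3(legacy_version, ciphers, extensions, curves, point_formats):
    """JA3: MD5 over decimal fields in the order they appear on the wire."""
    fields = [[v for v in f if v not in GREASE]
              for f in (ciphers, extensions, curves, point_formats)]
    text = ",".join([str(legacy_version)] + ["-".join(map(str, f)) for f in fields])
    return hashlib.md5(text.encode()).hexdigest()

# Constructed Client Hello values (not taken from any real capture).
CIPHERS = [0x1301, 0x1302, 0x1303, 0xC02B, 0xC02F]
EXTS = [0x0000, 0x0017, 0xFF01, 0x000A, 0x000B, 0x0023,
        0x0010, 0x0005, 0x000D, 0x0033, 0x002D, 0x002B]
SIG_ALGS = [0x0403, 0x0804, 0x0401]
CURVES, POINT_FORMATS, ALPN = [0x001D, 0x0017], [0], ["h2", "http/1.1"]

def compare(ext_order):
    """Return (JA4, JA3) for the sample hello with the given extension order."""
    return (ja4(0x0304, CIPHERS, ext_order, SIG_ALGS, ALPN),
            ja3(771, CIPHERS, ext_order, CURVES, POINT_FORMATS))

if __name__ == "__main__":
    print(compare(EXTS))
    print(compare(list(reversed(EXTS))))  # same JA4, different JA3
```

Reordering the extensions changes the JA3 value but leaves all three JA4 sections untouched, because JA4 sorts cipher suites and extensions before hashing.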


JA4 in Action: Pivoting and Hunting on VirusTotal

VirusTotal has integrated JA4 fingerprinting into its platform
through the behavior_network file search modifier. This allows
analysts to quickly discover relationships between files based
on their JA4 fingerprints.

To find the JA4 value, navigate to the “behavior” section of
the desired sample and locate the TLS subsection. In addition
to JA4, you might also find JA3 or JA3S there.

Example Search: Let’s say you’ve encountered a suspicious
file that exhibits the JA4 fingerprint
“t10d070600_c50f5591e341_1a3805c3aa63” during VirusTotal’s
behavioral analysis.

You can click on this JA4 to pivot using the search query

behavior_network:t10d070600_c50f5591e341_1a3805c3aa63

to find other files with the same fingerprint. This search
will pivot you to additional samples that share the same JA4
fingerprint, suggesting they might be related. This could
indicate that these files are part of the same malware family,
share a common developer, or simply share a common TLS
library.




Wildcard Searches

To broaden your search, you can use wildcards within the JA4
hash. For instance, the search:

behaviour_network:t13d190900_*_97f8aa674fd9

returns files that match the JA4_A and JA4_C components of the
JA4 hash while allowing for variations in the middle section,
which often corresponds to the cipher suite. This technique is
useful for identifying files that might use different ciphers
but share other JA4 characteristics.



YARA Hunting Rules: Automating JA4-Based Detection

YARA hunting rules using the “vt” module can be written to
automatically detect files based on their JA4 fingerprints.
Here’s an example of a YARA rule that targets a specific JA4
fingerprint:



These rules will flag any file submitted to VirusTotal that
exhibits the matching JA4 fingerprint. The first example only
matches “t12d190800_d83cc789557e_7af1ed941c26” during
behavioral analysis. The second rule matches the regular
expression /t10d070600_.*_1a3805c3aa63/, which checks only the
JA4_A and JA4_C components and ignores the JA4_B cipher suite
section. These fingerprints could be linked to known malware, a
suspicious application, or any TLS client behavior that is
considered risky by security analysts.
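
The JA4_A/JA4_C matching used by both the wildcard search and the second rule's regular expression can be reproduced over your own JA4 logs. This is an added example, not VirusTotal's implementation or part of the original post: it decodes the readable JA4_A section and groups records that share JA4_A and JA4_C. The function names and sample labels are hypothetical, and the records are constructed from the fingerprints quoted on this page plus invented JA4_B variants.

```python
import re
from collections import defaultdict

JA4_RE = re.compile(
    r"^(?P<proto>[tqd])(?P<ver>[0-9a-z]{2})(?P<sni>[di])"
    r"(?P<ciphers>\d{2})(?P<exts>\d{2})(?P<alpn>[0-9a-zA-Z]{2})"
    r"_(?P<b>[0-9a-f]{12})_(?P<c>[0-9a-f]{12})$")
VERSIONS = {"13": "TLS 1.3", "12": "TLS 1.2", "11": "TLS 1.1",
            "10": "TLS 1.0", "s3": "SSL 3.0", "s2": "SSL 2.0"}

def parse_ja4(fp):
    """Split a JA4 string into JA4_A/B/C and decode the readable JA4_A part."""
    m = JA4_RE.match(fp)
    if not m:
        raise ValueError(f"not a JA4 fingerprint: {fp!r}")
    g = m.groupdict()
    return {"a": fp.split("_")[0], "b": g["b"], "c": g["c"],
            "transport": {"t": "TCP", "q": "QUIC", "d": "DTLS"}[g["proto"]],
            "version": VERSIONS.get(g["ver"], g["ver"]),  # unknown codes stay raw
            "sni": g["sni"] == "d",
            "cipher_count": int(g["ciphers"]), "ext_count": int(g["exts"]),
            "alpn": None if g["alpn"] == "00" else g["alpn"]}

def wildcard_match(fp, pattern):
    """Match section by section; '*' in the pattern accepts any value."""
    want, have = pattern.split("_"), fp.split("_")
    return len(want) == len(have) == 3 and all(
        w in ("*", h) for w, h in zip(want, have))

def cluster_by_a_c(records):
    """Group (sample, ja4) pairs by JA4_A + JA4_C, listing JA4_B values seen."""
    groups = defaultdict(lambda: defaultdict(list))
    for sample, fp in records:
        p = parse_ja4(fp)
        groups[(p["a"], p["c"])][p["b"]].append(sample)
    return {key: dict(by_b) for key, by_b in groups.items()}

# Constructed records: fingerprints quoted on this page plus invented JA4_B
# variants; the sample labels are placeholders, not real files.
RECORDS = [
    ("sample-1", "t10d070600_c50f5591e341_1a3805c3aa63"),
    ("sample-2", "t10d070600_0123456789ab_1a3805c3aa63"),
    ("sample-3", "t12d190800_d83cc789557e_7af1ed941c26"),
    ("sample-4", "t13d190900_aaaaaaaaaaaa_97f8aa674fd9"),
]

def hits(pattern):
    return [s for s, fp in RECORDS if wildcard_match(fp, pattern)]
```

A cluster with several JA4_B values under one JA4_A/JA4_C pair is the case the wildcard is meant to surface: clients that differ only in their cipher list.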

JA4: Elevating Threat Hunting on VirusTotal

VirusTotal’s adoption of JA4 client fingerprinting will provide
users with an invaluable tool for dissecting and tracking TLS
client behaviors, leading to enhanced threat hunting, pivoting,
and more robust malware identification.

Happy Hunting.
