Unveiling Hidden Connections: JA4 Client Fingerprinting on VirusTotal

VirusTotal has incorporated a powerful new tool to fight against
malware: JA4 client fingerprinting. This feature allows
security researchers to track and identify malicious files based
on the unique characteristics of their TLS client communications.



JA4: A More Robust Successor to JA3

JA4, developed by FoxIO, represents a significant advancement
over the older JA3 fingerprinting method. JA3’s effectiveness
had been hampered by the increasing use of TLS extension
randomization in HTTPS clients, which made fingerprints less
consistent. JA4 was specifically designed to be resilient to
this randomization, resulting in more stable and reliable
fingerprints.


Unveiling the Secrets of the Client Hello

JA4 fingerprinting focuses on analyzing the TLS Client Hello
packet, which is sent unencrypted from the client to the server
at the start of a TLS connection. This packet contains a
treasure trove of information that can uniquely identify the
client application or its underlying TLS library. Some of the
key elements extracted by JA4 include:

  • TLS Version: The version of TLS supported by the client.
  • Cipher Suites: The list of cryptographic algorithms the
    client can use.
  • TLS Extensions: Additional features and capabilities
    supported by the client.
  • ALPN (Application-Layer Protocol Negotiation): The
    application-level protocol, such as HTTP/2 or HTTP/3, that
    the client wants to use after the TLS handshake.


JA4 in Action: Pivoting and Hunting on VirusTotal

VirusTotal has integrated JA4 fingerprinting into its platform
through the behavior_network file search modifier. This allows
analysts to quickly discover relationships between files based
on their JA4 fingerprints.

To find the JA4 value, navigate to the “behavior” section of
the desired sample and locate the TLS subsection. In addition
to JA4, you might also find JA3 or JA3S there.

Example Search: Let’s say you’ve encountered a suspicious
file that exhibits the JA4 fingerprint
“t10d070600_c50f5591e341_1a3805c3aa63” during VirusTotal’s
behavioral analysis.

You can click on this JA4 to pivot, finding other files with
the same fingerprint, using the search query:

behavior_network:t10d070600_c50f5591e341_1a3805c3aa63

This search will pivot you to additional samples that share the
same JA4 fingerprint, suggesting they might be related. This
could indicate that these files are part of the same malware
family, share a common developer, or simply share a common TLS
library.




Wildcard Searches

To broaden your search, you can
use wildcards within the JA4 hash. For instance, the search:

behaviour_network:t13d190900_*_97f8aa674fd9

This returns files that match the JA4_A and JA4_C components of
the JA4 hash while allowing for variations in the middle
section, which often corresponds to the cipher suite. This
technique is useful for identifying files that might use
different ciphers but share other JA4 characteristics.



YARA Hunting Rules: Automating JA4-Based Detection

YARA hunting rules using the “vt” module can be written to
automatically detect files based on their JA4 fingerprints.
Here’s an example of a YARA rule that targets a specific JA4
fingerprint:



These rules will flag any file submitted to VirusTotal that
exhibits the matching JA4 fingerprint. The first example only
matches “t12d190800_d83cc789557e_7af1ed941c26” during
behavioral analysis. The second rule will match the regular
expression /t10d070600_.*_1a3805c3aa63/, matching only the
JA4_A and JA4_C components and excluding the JA4_B cipher
suite. These fingerprints could be linked to known malware, a
suspicious application, or any TLS client behavior that is
considered risky by security analysts.
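The section-wise matching behind the wildcard search and the regular expression above, together with a decode of the readable JA4_A prefix (TLS version, cipher and extension counts, ALPN), as an added Python example that is not VirusTotal's or FoxIO's code. The JA4_A field layout is taken from FoxIO's JA4 specification rather than from this page; the sample names and the JA4_B value "0123456789ab" are constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict
# JA4_A field layout follows FoxIO's JA4 specification, not this page.
JA4_RE = re.compile(
    r"^(?P<proto>[tqd])(?P<ver>[0-9a-z]{2})(?P<sni>[di])"
    r"(?P<ciphers>\d\d)(?P<exts>\d\d)(?P<alpn>[0-9A-Za-z]{2})"
    r"_(?P<b>[0-9a-f]{12})_(?P<c>[0-9a-f]{12})$"
)
TRANSPORTS = {"t": "TCP", "q": "QUIC", "d": "DTLS"}
VERSIONS = {"13": "TLS 1.3", "12": "TLS 1.2", "11": "TLS 1.1",
            "10": "TLS 1.0", "s3": "SSL 3.0", "s2": "SSL 2.0"}

def parse_ja4(fp):
    """Decode the readable JA4_A prefix and split off JA4_B and JA4_C."""
    m = JA4_RE.match(fp)
    if not m:
        raise ValueError(f"not a JA4 fingerprint: {fp!r}")
    g = m.groupdict()
    return {
        "ja4_a": fp.split("_")[0],
        "transport": TRANSPORTS[g["proto"]],
        "tls_version": VERSIONS.get(g["ver"], g["ver"]),
        "sni_present": g["sni"] == "d",
        "cipher_count": int(g["ciphers"]),
        "extension_count": int(g["exts"]),
        "alpn": None if g["alpn"] == "00" else g["alpn"],
        "ja4_b": g["b"], "ja4_c": g["c"],
    }

def matches(pattern, fp):
    """Section-wise comparison; a '*' section accepts any value there."""
    want, have = pattern.split("_"), fp.split("_")
    return len(want) == len(have) == 3 and all(
        w in ("*", h) for w, h in zip(want, have))

def cluster_ignoring_ciphers(samples):
    """Group sample names by (JA4_A, JA4_C), ignoring the JA4_B section."""
    groups = defaultdict(list)
    for name, fp in samples:
        parsed = parse_ja4(fp)  # rejects malformed fingerprints
        groups[(parsed["ja4_a"], parsed["ja4_c"])].append(name)
    return dict(groups)

# Constructed input: sample names and the JA4_B "0123456789ab" are made up.
SAMPLES = [
    ("sample-a", "t10d070600_c50f5591e341_1a3805c3aa63"),
    ("sample-b", "t10d070600_0123456789ab_1a3805c3aa63"),
    ("sample-c", "t12d190800_d83cc789557e_7af1ed941c26"),
]
```

Clustering on (JA4_A, JA4_C) groups sample-a with sample-b even though their cipher hashes differ, which is the relationship the wildcard query surfaces; a shared group can still mean nothing more than a shared TLS library.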

JA4: Elevating Threat Hunting on VirusTotal

VirusTotal’s adoption
of JA4 client fingerprinting will provide users with an
invaluable tool for dissecting and tracking TLS client
behaviors, leading to enhanced threat hunting, pivoting, and
more robust malware identification.

Happy Hunting.
