JA3 is a method for creating SSL/TLS client fingerprints that should be easy to produce on any platform and can be easily shared for threat intelligence. It is developed and maintained by Salesforce (https://github.com/salesforce/ja3)
Systems supporting JA3 fingerprints:
Vectra Cognito Platform
The project was open sourced in 2017 (https://engineering.salesforce.com/open-sourcing-ja3-92c9e53c3c41)
For more details on what you can see and do with JA3 and JA3S, please see this DerbyCon 2018 talk:
MISP Support for JA3 fingerprints
Support has been added to MISP: with the latest release (v2.4.99 (af8d2007d2e80eb1d8229960eff52a7e3fc93800)) - https://github.com/MISP/MISP/pull/3974/files the JA3 fingerprint has been given its own data type. In previous versions the JA3 fingerprint was mapped to the MD5 data type, but it now gets its own “ja3-fingerprint-md5” data type.
For customers with access to the eCrimeLabs Cratos REST API, these can now be extracted as well, for import into your security components or toolbox.
eCrimeLabs has created a small Python script that takes a pcap file as input and extracts the JA3 fingerprints. The extracted fingerprints are then either added to an existing event or a new event is created.
Source code can be downloaded here https://github.com/eCrimeLabs/ja3toMISP
Detecting IcedID (BokBot) with JA3
As an example of the effectiveness of JA3 fingerprints, PCAPs from two different campaigns of the IcedID malware were used in the example below:
Taking the PCAPs from the two articles, I found 4 that were mentioned to be related to IcedID, all related to different samples and C2 servers.
This resulted in the detection of 4 different IPs related to IcedID C2 servers, but what they had in common was that they generated the same JA3 fingerprint: 1d095e68489d3c535297cd8dffb06cb9
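As an added example (not the eCrimeLabs ja3toMISP script or Salesforce's own code), the following Python computes a JA3 fingerprint from a raw ClientHello handshake message in the way JA3 defines it and looks the digest up in a watchlist seeded with the hash above; the sample ClientHello is constructed here and is not a real capture.

```python
import hashlib
import struct

# GREASE values (RFC 8701) are random per connection, so JA3 drops them.
GREASE = {0x0a0a, 0x1a1a, 0x2a2a, 0x3a3a, 0x4a4a, 0x5a5a, 0x6a6a, 0x7a7a,
          0x8a8a, 0x9a9a, 0xaaaa, 0xbaba, 0xcaca, 0xdada, 0xeaea, 0xfafa}

def _u16(buf, pos):
    return struct.unpack("!H", buf[pos:pos + 2])[0]

def ja3_from_client_hello(hello):
    """Return (ja3_string, ja3_md5) for a ClientHello handshake message (no record header)."""
    if hello[0] != 1:
        raise ValueError("not a ClientHello")
    pos = 4                                  # handshake type (1) + length (3)
    version = _u16(hello, pos); pos += 2
    pos += 32                                # client random
    pos += 1 + hello[pos]                    # session id
    cs_len = _u16(hello, pos); pos += 2
    ciphers = [_u16(hello, i) for i in range(pos, pos + cs_len, 2)]; pos += cs_len
    pos += 1 + hello[pos]                    # compression methods
    exts, curves, points = [], [], []
    if pos + 2 <= len(hello):                # extensions block is optional
        end = pos + 2 + _u16(hello, pos); pos += 2
        while pos + 4 <= end:
            etype, elen = _u16(hello, pos), _u16(hello, pos + 2); pos += 4
            body = hello[pos:pos + elen]; pos += elen
            exts.append(etype)
            if etype == 10:                  # supported_groups (elliptic curves)
                curves = [_u16(body, i) for i in range(2, 2 + _u16(body, 0), 2)]
            elif etype == 11:                # ec_point_formats
                points = list(body[1:1 + body[0]])
    def fmt(vals):
        return "-".join(str(v) for v in vals if v not in GREASE)
    # JA3 string: SSLVersion,Ciphers,Extensions,EllipticCurves,EllipticCurvePointFormats
    ja3 = f"{version},{fmt(ciphers)},{fmt(exts)},{fmt(curves)},{fmt(points)}"
    return ja3, hashlib.md5(ja3.encode()).hexdigest()

# Watchlist keyed by JA3 MD5; the entry is the hash quoted in the article.
WATCHLIST = {"1d095e68489d3c535297cd8dffb06cb9": "IcedID C2 (JA3 seen in both campaigns)"}

def check_hello(hello, watchlist=WATCHLIST):
    ja3, digest = ja3_from_client_hello(hello)
    return ja3, digest, watchlist.get(digest)

# Constructed sample ClientHello (not a real capture): TLS 1.2 version, zero random,
# ciphers 0x1301/0xc02b + GREASE, extensions supported_groups, ec_point_formats + GREASE.
SAMPLE_HELLO = (
    bytes.fromhex("01000043" "0303") + bytes(32)
    + bytes.fromhex("00" "0006" "1301c02b0a0a" "0100" "0014"
                    "000a0006" "0004001d0017" "000b0002" "0100" "0a0a0000")
)
```

`check_hello(SAMPLE_HELLO)` returns the JA3 string `771,4865-49195,10-11,29-23,0`, its MD5, and `None` since the constructed hello is not on the watchlist; feeding it ClientHellos extracted from a pcap gives the same match logic the article describes.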