Release of new tool importing JA3 fingerprints to MISP

Background

JA3 is a method for creating SSL/TLS client fingerprints that should be easy to produce on any platform and can be easily shared for threat intelligence. It is developed and maintained by Salesforce (https://github.com/salesforce/ja3).

Systems supporting JA3 fingerprints:

  • Moloch

  • Trisul NSM

  • NGiNX

  • MISP

  • Darktrace

  • Suricata

  • Elastic.co Packetbeat

  • Splunk

  • MantisNet

  • ICEBRG

  • Redsocks

  • NetWitness

  • ExtraHop

  • Vectra Cognito Platform

  • Corvil

  • Java

The project was open sourced in 2017 (https://engineering.salesforce.com/open-sourcing-ja3-92c9e53c3c41)

For more details on what you can see and do with JA3 and JA3S, please see this DerbyCon 2018 talk:


MISP Support for JA3 fingerprints

Support has been added to MISP: with the latest release (v2.4.99, commit af8d2007d2e80eb1d8229960eff52a7e3fc93800, https://github.com/MISP/MISP/pull/3974/files) the JA3 fingerprint has been given its own data type. In previous versions the JA3 fingerprint was mapped to the MD5 data type; it now gets its own “ja3-fingerprint-md5” data type.

For customers with access to the eCrimeLabs Cratos REST API, these can now be extracted as well, for import into your security components or toolbox.

JA3toMISP

eCrimeLabs has created a small Python script that takes a pcap file as input and extracts the JA3 fingerprints. Once extracted, they are either added to an existing MISP event or a new event is created.

Source code can be downloaded here: https://github.com/eCrimeLabs/ja3toMISP

Execution of the ja3toMISP

Based on the run of the Python script, two MISP JA3 objects are created.
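To make concrete both what a JA3 fingerprint actually is (the method described in the Background section) and what ja3toMISP produces for MISP (a ja3-fingerprint-md5 attribute), here is an added example. It is not code from ja3toMISP, MISP or Salesforce's JA3 project: it parses a TLS ClientHello, builds the JA3 string in the documented field order with GREASE values dropped, hashes it with MD5, and wraps the result in an attribute dictionary. The ClientHello bytes, the `example.local` SNI and the `misp_attribute` dictionary shape are constructed assumptions for the example.

```python
"""JA3 from a raw TLS ClientHello, wrapped as a MISP ja3-fingerprint-md5 attribute.

Added example for this post; it is not code from ja3toMISP or from MISP.
The ClientHello bytes are constructed by hand so the script runs offline.
The field order (SSLVersion,Ciphers,Extensions,EllipticCurves,
EllipticCurvePointFormats) and the GREASE exclusion follow the public JA3 spec.
"""
import hashlib
import struct

# GREASE values (RFC 8701) are randomised per connection and are excluded
# from the fingerprint so that GREASE-sending clients hash consistently.
GREASE = {0x0a0a, 0x1a1a, 0x2a2a, 0x3a3a, 0x4a4a, 0x5a5a, 0x6a6a, 0x7a7a,
          0x8a8a, 0x9a9a, 0xaaaa, 0xbaba, 0xcaca, 0xdada, 0xeaea, 0xfafa}


def parse_client_hello(record: bytes) -> dict:
    """Parse a TLS record carrying a ClientHello; return the JA3-relevant fields."""
    if record[0] != 0x16:                      # record type: handshake
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if hs[0] != 0x01:                          # handshake type: ClientHello
        raise ValueError("not a ClientHello")
    p = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    version = struct.unpack("!H", p[:2])[0]
    off = 2 + 32                               # skip client_random
    off += 1 + p[off]                          # skip session id
    cs_len = struct.unpack("!H", p[off:off + 2])[0]
    off += 2
    ciphers = [struct.unpack("!H", p[i:i + 2])[0] for i in range(off, off + cs_len, 2)]
    off += cs_len
    off += 1 + p[off]                          # skip compression methods
    extensions, groups, point_formats = [], [], []
    if off < len(p):
        end = off + 2 + struct.unpack("!H", p[off:off + 2])[0]
        off += 2
        while off + 4 <= end:
            etype, elen = struct.unpack("!HH", p[off:off + 4])
            data = p[off + 4:off + 4 + elen]
            off += 4 + elen
            extensions.append(etype)
            if etype == 10:                    # supported_groups (elliptic curves)
                n = struct.unpack("!H", data[:2])[0]
                groups = [struct.unpack("!H", data[i:i + 2])[0] for i in range(2, 2 + n, 2)]
            elif etype == 11:                  # ec_point_formats
                point_formats = list(data[1:1 + data[0]])
    return {"version": version, "ciphers": ciphers, "extensions": extensions,
            "groups": groups, "point_formats": point_formats}


def ja3_string(f: dict) -> str:
    """Join the five JA3 fields with ','; values inside a field are '-' separated."""
    def fmt(values):
        return "-".join(str(v) for v in values if v not in GREASE)
    return ",".join([str(f["version"]), fmt(f["ciphers"]), fmt(f["extensions"]),
                     fmt(f["groups"]), fmt(f["point_formats"])])


def fingerprint(record: bytes) -> tuple:
    """Return (ja3_string, ja3_md5) for a TLS record holding a ClientHello."""
    s = ja3_string(parse_client_hello(record))
    return s, hashlib.md5(s.encode()).hexdigest()


def misp_attribute(ja3_md5: str, comment: str) -> dict:
    """Attribute dict in the shape MISP expects (assumed; verify against your MISP version)."""
    return {"type": "ja3-fingerprint-md5", "category": "Network activity",
            "value": ja3_md5, "to_ids": True, "comment": comment}


def build_client_hello(version: int, ciphers: list, extensions: list) -> bytes:
    """Assemble a minimal TLS record carrying a ClientHello (constructed test input only)."""
    ext = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body = struct.pack("!H", version) + bytes(32) + b"\x00"   # version, random, empty session id
    body += struct.pack("!H", 2 * len(ciphers)) + b"".join(struct.pack("!H", c) for c in ciphers)
    body += b"\x01\x00"                                       # one compression method: null
    body += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


# Constructed ClientHello: TLS 1.2, with one GREASE cipher and one GREASE
# extension that must not show up in the fingerprint.
SAMPLE_HELLO = build_client_hello(
    0x0303,
    [0x1a1a, 0xc02b, 0xc02f, 0x009c],
    [(0x2a2a, b""),
     (0, b"\x00\x10\x00\x00\x0dexample.local"),   # server_name (constructed)
     (10, b"\x00\x04\x00\x1d\x00\x17"),            # x25519, secp256r1
     (11, b"\x01\x00"),                            # uncompressed
     (23, b"")])                                   # extended_master_secret

if __name__ == "__main__":
    s, h = fingerprint(SAMPLE_HELLO)
    print(s)   # 771,49195-49199-156,0-10-11-23,29-23,0
    print(h)
    print(misp_attribute(h, "constructed sample"))
```

Only the fields that a client controls deterministically go into the string, which is why the same malware family produces one hash across samples and C2 servers while the random, session id and SNI are ignored; a JA3 hash therefore identifies the TLS stack, not the destination, so it is a pivot to be combined with other context rather than a standalone verdict.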


Detecting IceID(BOKBOT) with JA3

As an example of the effectiveness of JA3 fingerprints, PCAPs from two different campaigns of the IceID malware were used in the example below:

https://www.malware-traffic-analysis.net/2018/09/06/index2.html
https://www.malware-traffic-analysis.net/2018/12/07/index.html


Taking the PCAPs from the two articles, I found 4 that were mentioned as being related to IceID, all related to different samples and C2 servers.

  • 2018-09-06-Emotet-infection-with-IcedID-and-AZORult.pcap

  • 2018-09-06-Hancitor-malspam-infection-traffic.pcap

  • 2018-12-03-Emotet-infection-with-IcedID.pcap

  • 2018-12-05-Emotet-infection-with-IcedID.pcap

  • 2018-12-07-Emotet-infection-with-IcedID.pcap

This resulted in the detection of 4 different IPs that were related to IceID C2 servers, but what they had in common was that they generated the same JA3 fingerprint: 1d095e68489d3c535297cd8dffb06cb9
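The finding above is useful on the defensive side only once the hash is pushed from MISP into something that watches TLS traffic. The following added example (not code from ja3toMISP, MISP or Suricata) takes ja3-fingerprint-md5 attributes from a MISP event, keeps only those flagged to_ids, and runs them over Suricata EVE JSON TLS records, grouping the matched destination IPs per fingerprint the same way the post pivots from one JA3 to several C2 servers. The MISP event and the log lines are constructed; the IceID hash is the one quoted above, and the EVE field names (`event_type`, `src_ip`, `dest_ip`, `tls.ja3.hash`) follow Suricata's TLS logging with ja3 enabled.

```python
"""Match JA3 hashes exported from MISP against Suricata EVE TLS records.

Added example for this post, not code from ja3toMISP, MISP or Suricata.
The MISP event and the EVE log lines below are constructed; the hash is the
IceID fingerprint quoted in the post.
"""
import json
from collections import defaultdict

# Constructed MISP event: only ja3-fingerprint-md5 attributes with to_ids set
# become detection indicators; the second one is an analyst note and is skipped.
MISP_EVENT = {"Event": {"info": "IceID C2 JA3 (constructed event)", "Attribute": [
    {"type": "ja3-fingerprint-md5", "to_ids": True,
     "value": "1d095e68489d3c535297cd8dffb06cb9"},
    {"type": "ja3-fingerprint-md5", "to_ids": False,
     "value": "a" * 32},                                   # constructed placeholder
    {"type": "ip-dst", "to_ids": True, "value": "203.0.113.10"},
]}}

# Constructed EVE lines: two internal hosts reach two servers with the IceID
# JA3, one unrelated TLS session, one DNS record, and one malformed line.
EVE_LINES = """\
{"timestamp":"2018-12-07T10:00:01.000000+0000","event_type":"tls","src_ip":"10.0.0.5","dest_ip":"203.0.113.10","dest_port":443,"tls":{"sni":"first.invalid","ja3":{"hash":"1d095e68489d3c535297cd8dffb06cb9"}}}
{"timestamp":"2018-12-07T10:00:02.000000+0000","event_type":"tls","src_ip":"10.0.0.6","dest_ip":"198.51.100.7","dest_port":443,"tls":{"ja3":{"hash":"1d095e68489d3c535297cd8dffb06cb9"}}}
{"timestamp":"2018-12-07T10:00:03.000000+0000","event_type":"tls","src_ip":"10.0.0.7","dest_ip":"192.0.2.20","dest_port":443,"tls":{"ja3":{"hash":"bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"}}}
{"timestamp":"2018-12-07T10:00:04.000000+0000","event_type":"dns","src_ip":"10.0.0.5","dest_ip":"10.0.0.1"}
{"timestamp":"2018-12-07T10:00:05.000000+0000","event_type":"tls","src_ip":"10.0.0.5","dest_ip":"203.0.113.10","dest_port":443,"tls":{"ja3":{"hash":"1D095E68489D3C535297CD8DFFB06CB9"}}}
not json at all
"""


def ja3_indicators(event: dict) -> dict:
    """Map JA3 MD5 -> event info for ja3-fingerprint-md5 attributes flagged to_ids."""
    ev = event["Event"]
    return {a["value"].lower(): ev["info"] for a in ev["Attribute"]
            if a["type"] == "ja3-fingerprint-md5" and a.get("to_ids")}


def match_eve(lines: str, indicators: dict) -> list:
    """Return one hit per TLS record whose ja3.hash is in the indicator set."""
    hits = []
    for raw in lines.splitlines():
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            continue                                   # skip truncated or malformed lines
        if rec.get("event_type") != "tls":
            continue                                   # JA3 only exists on TLS records
        h = rec.get("tls", {}).get("ja3", {}).get("hash", "").lower()
        if h in indicators:
            hits.append({"timestamp": rec["timestamp"], "src_ip": rec["src_ip"],
                         "dest_ip": rec["dest_ip"], "ja3": h, "indicator": indicators[h]})
    return hits


def servers_per_fingerprint(hits: list) -> dict:
    """Group matched destination IPs by JA3: the pivot the post uses to tie C2 servers together."""
    out = defaultdict(set)
    for hit in hits:
        out[hit["ja3"]].add(hit["dest_ip"])
    return {k: sorted(v) for k, v in out.items()}


if __name__ == "__main__":
    hits = match_eve(EVE_LINES, ja3_indicators(MISP_EVENT))
    for hit in hits:
        print(hit)
    print(servers_per_fingerprint(hits))
```

Hashes are lower-cased on both sides before comparison, since MISP stores them in lower case while some sensors log upper case; without that, the last record above would be missed.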