In this blog post, I’ll go over how to utilize JA3 with JA3S as a method to fingerprint the TLS negotiation between client and server. This combined fingerprinting can assist in producing higher fidelity identification of the encrypted communication between a specific client and its server. For example —
Standard Tor Client: JA3 = e7d705a3286e19ea42f587b344ee6865 (Tor Client), JA3S = a95ca7eab4d47d051a5cd4fb7b6005dc (Tor Server Response)
The Tor servers always respond to the Tor client in exactly the same way, providing higher confidence that the traffic is indeed Tor. Further examples —
Trickbot malware: JA3 = 6734f37431670b3ab4292b8f60f29984 (Trickbot), JA3S = 623de93db17d313345d7ea481e7443cf (C2 Server Response)
Emotet malware: JA3 = 4d7a28d6f2263ed61de88ca66eb011e3 (Emotet), JA3S = 80b3a14bccc8598a1f3bbe83e71f735f (C2 Server Response)
In these malware examples, the command and control server always responds to the malware client in exactly the same way; it does not deviate. So even though the traffic is encrypted and one may not know the command and control server’s IPs or domains as they are constantly changing, we can still identify, with reasonable confidence, the malicious communication by fingerprinting the TLS negotiation between client and server.
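To make the pairing concrete, here is an added example (my own code, not from this post or the JA3 project) that builds the JA3 string from ClientHello fields and the JA3S string from ServerHello fields, MD5-hashes both, and then matches the resulting pair against a table of known (JA3, JA3S) pairs. The table holds the three pairs listed above; the ClientHello and ServerHello field lists are constructed for illustration and are not a real capture, so the hashes they produce will not match any table entry. GREASE values are dropped before hashing, as the reference JA3 implementation does, because clients randomise them on every connection.

```python
import hashlib
from typing import Iterable, List, Optional


def is_grease(value: int) -> bool:
    """True for GREASE values (0x0a0a, 0x1a1a, ..., 0xfafa). Clients randomise
    them per connection, so JA3/JA3S exclude them from the fingerprint."""
    return (value & 0x0F0F) == 0x0A0A and (value >> 8) == (value & 0xFF)


def _dash_join(values: Iterable[int]) -> str:
    return "-".join(str(v) for v in values if not is_grease(v))


def ja3_string(version: int, ciphers: List[int], extensions: List[int],
               curves: List[int], point_formats: List[int]) -> str:
    """JA3: ClientHello fields as decimals, comma-separated in the fixed order
    SSLVersion,Ciphers,Extensions,EllipticCurves,EllipticCurvePointFormats."""
    return ",".join([str(version), _dash_join(ciphers), _dash_join(extensions),
                     _dash_join(curves), _dash_join(point_formats)])


def ja3s_string(version: int, cipher: int, extensions: List[int]) -> str:
    """JA3S: ServerHello fields SSLVersion,Cipher,Extensions. The server
    selects exactly one cipher, so that field is a single value."""
    return ",".join([str(version), str(cipher), _dash_join(extensions)])


def fingerprint(ja3_or_ja3s: str) -> str:
    """Both JA3 and JA3S are the MD5 hex digest of the string form."""
    return hashlib.md5(ja3_or_ja3s.encode("ascii")).hexdigest()


# Known (JA3, JA3S) pairs taken from the blog post above. Matching on the
# pair, not on JA3 alone, is what raises confidence in the identification.
KNOWN_PAIRS = {
    ("e7d705a3286e19ea42f587b344ee6865", "a95ca7eab4d47d051a5cd4fb7b6005dc"): "Tor client <-> Tor server",
    ("6734f37431670b3ab4292b8f60f29984", "623de93db17d313345d7ea481e7443cf"): "Trickbot <-> C2",
    ("4d7a28d6f2263ed61de88ca66eb011e3", "80b3a14bccc8598a1f3bbe83e71f735f"): "Emotet <-> C2",
}


def classify(ja3: str, ja3s: str) -> Optional[str]:
    """Return a label only when both halves of the negotiation match."""
    return KNOWN_PAIRS.get((ja3, ja3s))


# Constructed sample negotiation (not a real capture): a TLS 1.2 ClientHello
# carrying GREASE values in three fields, and the ServerHello answering it.
CLIENT_HELLO = dict(
    version=771,  # 0x0303, TLS 1.2
    ciphers=[0x0A0A, 4865, 4866, 4867, 49195, 49199],
    extensions=[0x1A1A, 0, 23, 65281, 10, 11, 35, 16, 5, 13],
    curves=[0x2A2A, 29, 23, 24],
    point_formats=[0],
)
SERVER_HELLO = dict(version=771, cipher=49199, extensions=[65281, 0, 11, 35, 16])


def sample_pair():
    """Fingerprint pair (JA3, JA3S) for the constructed hellos."""
    ja3 = fingerprint(ja3_string(**CLIENT_HELLO))
    ja3s = fingerprint(ja3s_string(**SERVER_HELLO))
    return ja3, ja3s


if __name__ == "__main__":
    print("JA3 string :", ja3_string(**CLIENT_HELLO))
    print("JA3S string:", ja3s_string(**SERVER_HELLO))
    ja3, ja3s = sample_pair()
    print("JA3 =", ja3, "JA3S =", ja3s, "->", classify(ja3, ja3s) or "no known pair")
```

In a real deployment the field lists would come from a packet parser or from a sensor that already emits JA3/JA3S (Zeek and Suricata both do), and the pair table would be the output of your own baselining; the point the lookup makes is that a JA3 seen against an unexpected JA3S is a different, lower-confidence event than the exact pair the post describes.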