Introducing JA4+ Fingerprints in Validin

Validin has added support for JA4X fingerprints from the JA4+ suite to its platform to detect structural anomalies in X.509 certificates and improve hunting for malicious infrastructure. The post demonstrates using JA4X to uncover and narrow C2 infrastructure associated with BianLian and QuasarRAT, including example fingerprints and an advanced search that combines a JA4X value with cert.not_after="9999-12-31T23:59:59Z". #BianLian #QuasarRAT

Keypoints

  • Validin now supports JA4X fingerprints (part of the JA4+ suite) across certificates collected after January 13th, processing ~400 million certificates per day.
  • A JA4X fingerprint concatenates three truncated hashes, one each over the ordered OIDs of the issuer RDN, the subject RDN, and the certificate extensions. Because only the OIDs (the fields present and their order) are hashed, not their values, JA4X fingerprints how a certificate was generated rather than what it says; a self-signed certificate therefore has identical first and second segments.
  • JA4X values appear in the Host Responses slideout and the Host Connections tab and are searchable via core search and the advanced field cert.fingerprint_ja4x.
  • JA4X is useful for finding C2 infrastructure because a malware family typically reuses the same certificate-generation code or template, so the structural fingerprint recurs across servers even when subject names, keys and dates differ; an example fingerprint (e7bc7ebc3d9e_e7bc7ebc3d9e_a704c60b6818) returned high-confidence BianLian indicators.
  • A QuasarRAT JA4X fingerprint (7022c563de38_7022c563de38_0147df7a0c11) initially matched 1,125 IPs; combining the JA4X with cert.not_after="9999-12-31T23:59:59Z" (the notAfter value RFC 5280 reserves for certificates with no well-defined expiration, rarely seen from public CAs) produced a smaller, higher-confidence subset for verification.
  • Validin plans to add further JA4+ fingerprints and invites user feedback on prioritization via [email protected].
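The following script, added here as an illustration rather than code from Validin or from FoxIO's JA4+ project, shows the two ideas in the key points above: how a JA4X value is built from the OIDs of a certificate's issuer RDN, subject RDN and extensions, and how pivoting on that value and then adding a cert.not_after filter narrows a result set. It follows the published JA4X recipe as the author understands it (each segment is the first 12 hex characters of SHA-256 over the comma-joined, hex-encoded DER bytes of the OIDs, in certificate order); the zero-segment handling for an empty list, the CertRecord type, the search() helper and every record below are assumptions constructed for the example, and the IPs are RFC 5737 documentation addresses, not indicators. Check exact fingerprint values against the FoxIO reference implementation before relying on them.

```python
"""Compute JA4X-style fingerprints and use them to narrow a constructed
set of certificate observations (added example, not Validin's code)."""
import hashlib
from dataclasses import dataclass, field


def oid_to_der_hex(oid: str) -> str:
    """Encode a dotted OID such as '2.5.4.3' as the hex of its DER value bytes."""
    arcs = [int(a) for a in oid.split(".")]
    if len(arcs) < 2:
        raise ValueError(f"OID needs at least two arcs: {oid}")
    out = bytearray([arcs[0] * 40 + arcs[1]])  # first two arcs share one byte
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])        # base-128, high bit = continuation
        arc >>= 7
        while arc:
            chunk.insert(0, (arc & 0x7F) | 0x80)
            arc >>= 7
        out.extend(chunk)
    return out.hex()


def _segment(oids) -> str:
    """Hash one ordered OID list into a 12-hex-character JA4X segment."""
    if not oids:
        return "0" * 12  # assumed: mirrors JA4's convention for an empty list
    joined = ",".join(oid_to_der_hex(o) for o in oids)
    return hashlib.sha256(joined.encode()).hexdigest()[:12]


def ja4x(issuer_oids, subject_oids, extension_oids) -> str:
    """Return issuer_subject_extensions; self-signed certs repeat segment one."""
    return "_".join(_segment(x) for x in (issuer_oids, subject_oids, extension_oids))


@dataclass
class CertRecord:
    """Minimal stand-in for one certificate observation (hypothetical type)."""
    ip: str
    issuer: list
    subject: list
    extensions: list
    not_after: str
    fingerprint_ja4x: str = field(init=False)

    def __post_init__(self):
        self.fingerprint_ja4x = ja4x(self.issuer, self.subject, self.extensions)


# 2.5.4.6 countryName, 2.5.4.10 organizationName, 2.5.4.3 commonName;
# 2.5.29.15 keyUsage, 2.5.29.19 basicConstraints, 2.5.29.14 subjectKeyIdentifier,
# 2.5.29.37 extKeyUsage.
CN_ONLY = ["2.5.4.3"]
C_O_CN = ["2.5.4.6", "2.5.4.10", "2.5.4.3"]
SELF_SIGNED_EXTS = ["2.5.29.15", "2.5.29.19", "2.5.29.14"]
CA_ISSUED_EXTS = ["2.5.29.15", "2.5.29.37", "2.5.29.19", "2.5.29.14"]

NEVER_EXPIRES = "9999-12-31T23:59:59Z"  # RFC 5280 "no well-defined expiration"

# Constructed observations: same generator template on three hosts, one CA-issued cert.
RECORDS = [
    CertRecord("192.0.2.10", CN_ONLY, CN_ONLY, SELF_SIGNED_EXTS, NEVER_EXPIRES),
    CertRecord("192.0.2.11", CN_ONLY, CN_ONLY, SELF_SIGNED_EXTS, "2026-01-01T00:00:00Z"),
    CertRecord("192.0.2.12", CN_ONLY, CN_ONLY, SELF_SIGNED_EXTS, NEVER_EXPIRES),
    CertRecord("198.51.100.7", C_O_CN, C_O_CN, CA_ISSUED_EXTS, "2025-06-30T12:00:00Z"),
]


def search(records, fingerprint, not_after=None):
    """Mimic cert.fingerprint_ja4x=<fp>, optionally AND cert.not_after=<ts>."""
    hits = [r for r in records if r.fingerprint_ja4x == fingerprint]
    if not_after is not None:
        hits = [r for r in hits if r.not_after == not_after]
    return sorted(r.ip for r in hits)


if __name__ == "__main__":
    pivot = ja4x(CN_ONLY, CN_ONLY, SELF_SIGNED_EXTS)
    print("pivot fingerprint :", pivot)
    print("JA4X only         :", search(RECORDS, pivot))
    print("JA4X + not_after  :", search(RECORDS, pivot, NEVER_EXPIRES))
```

Run it to see the broad pivot return every host using the same generator template, and the not_after constraint drop the one whose operator set a normal expiry. In a real hunt that second list is the set to verify by hand, exactly as the post does for QuasarRAT; the first list is the candidate pool.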

MITRE Techniques

Indicators of Compromise

  • [IP Address ] suspected C2 and matched JA4X search results – 194.48.248.75, 139.59.246.150, and 27 more IPs
  • [JA4X fingerprint ] fingerprints used to link certificates to malware families – e7bc7ebc3d9e_e7bc7ebc3d9e_a704c60b6818 (associated with BianLian), 7022c563de38_7022c563de38_0147df7a0c11 (associated with QuasarRAT)
  • [Certificate Not After ] unusual maximum expiration used to filter likely malicious certificates – "9999-12-31T23:59:59Z" (the RFC 5280 value for certificates with no well-defined expiration; treat it as a narrowing filter, not proof of malice on its own)


Read more: https://www.validin.com/blog/validin_supports_ja4_plus_fingerprints/