fullylegit / ja3

A wireshark/tshark plugin for the JA3 TLS Client Fingerprinting Algorithm

JA3 hash is not correct #4

Closed evild3ad closed 4 years ago

evild3ad commented 4 years ago

Hi,

I'm using Wireshark v3.2.1 on Windows and used the following PCAP for testing the Lua script:
PCAP: https://www.malware-traffic-analysis.net/2020/01/29/2020-01-29-Qbot-infection-traffic.pcap.zip
Blog: https://unit42.paloaltonetworks.com/tutorial-qakbot-infection/

Display Filter: ip.addr eq 68.1.115.106 and tls.handshake.type eq 11

I used NetworkMiner Professional to get the JA3 hash: 7dd50e112cd23734a310b90f6f44a7cd. I found this blacklisted JA3 hash on SSLBL by abuse.ch: https://sslbl.abuse.ch/ja3-fingerprints/7dd50e112cd23734a310b90f6f44a7cd/

ja3.lua gives me the following JA3 hash: 7c02dbae662670040c7af9bd15fb7e2f

Please check. Thank you!

evild3ad commented 4 years ago

OK... it's because of the display filter I used. I switched to the following display filter: (http.request or tls.handshake.type == 1) and !(ssdp)

When I click on a frame with my destination IP 68.1.115.106 I get the following JA3 hash: 7dd50e112cd23734a310b90f6f44a7cd
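The mismatch above comes from the frame selected, not the hashing: JA3 is defined over fields of the TLS Client Hello (handshake type 1), and a display filter on `tls.handshake.type eq 11` selects Certificate messages instead. The following is an added example, not code from the ja3 plugin or from the issue, that computes the JA3 string and MD5 from a Client Hello record, skips GREASE values as the reference algorithm does, and refuses any other handshake type. The input bytes are constructed here, not taken from the PCAP in the issue.

```python
import hashlib
import struct

# GREASE values (RFC 8701) are excluded from the JA3 string, as the reference implementation does.
GREASE = {0x0a0a + 0x1010 * i for i in range(16)}

def ja3_from_client_hello(record: bytes) -> tuple[str, str]:
    """Return (ja3_string, ja3_md5) for a TLS record carrying a ClientHello (handshake type 1)."""
    content_type, _rec_ver, rec_len = struct.unpack("!BHH", record[:5])
    if content_type != 22:
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + rec_len]
    if hs[0] != 1:  # type 11 (Certificate) etc. carry no ClientHello fields to fingerprint
        raise ValueError(f"handshake type {hs[0]} is not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    version = int.from_bytes(body[0:2], "big")      # client_version, not the record version
    pos = 34 + 1 + body[34]                         # skip version, 32-byte random, session id
    n = int.from_bytes(body[pos:pos + 2], "big"); pos += 2
    ciphers = [c for (c,) in struct.iter_unpack("!H", body[pos:pos + n]) if c not in GREASE]
    pos += n
    pos += 1 + body[pos]                            # compression methods
    ext_end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big"); pos += 2
    exts, groups, formats = [], [], []
    while pos < ext_end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
        data = body[pos:pos + elen]; pos += elen
        if etype in GREASE:
            continue
        exts.append(etype)
        if etype == 10:    # supported_groups: 2-byte list length, then 2-byte group ids
            groups = [g for (g,) in struct.iter_unpack("!H", data[2:]) if g not in GREASE]
        elif etype == 11:  # ec_point_formats: 1-byte list length, then 1-byte format ids
            formats = list(data[1:])
    dash = lambda xs: "-".join(str(x) for x in xs)
    ja3 = ",".join([str(version), dash(ciphers), dash(exts), dash(groups), dash(formats)])
    return ja3, hashlib.md5(ja3.encode()).hexdigest()

# Constructed ClientHello (not taken from the PCAP in the issue): TLS 1.2, GREASE in each list.
CLIENT_HELLO = bytes.fromhex("".join([
    "160301004b", "01000047",                # record header; handshake type 1, length 71
    "0303", "11" * 32, "00",                 # client_version 771, random, empty session id
    "0006", "0a0a", "1301", "c02b",          # cipher suites: GREASE, 0x1301, 0xc02b
    "0100", "0018",                          # null compression; extensions length 24
    "0a0a0000", "00170000",                  # GREASE extension; extended_master_secret (23)
    "000a0006", "0004", "0a0a", "001d",      # supported_groups: GREASE, x25519 (29)
    "000b0002", "01", "00",                  # ec_point_formats: uncompressed (0)
]))
# Constructed Certificate handshake header (type 11, empty body): the kind of frame the original filter matched.
CERTIFICATE_RECORD = bytes.fromhex("1603030004" "0b000000")
```

`ja3_from_client_hello(CLIENT_HELLO)` returns the string `771,4865-49195,23-10-11,29,0` plus its MD5, while passing `CERTIFICATE_RECORD` raises, which is the check to apply before trusting a hash taken from an arbitrarily filtered frame.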