JA4T Threat Intelligence Report

Indexalerts_1_20535

ES Hostthreats.eu.ast.co.rs:9200

Time Range2025-03-24 11:05 → 2026-03-24 11:05

Generated2026-03-24 11:05:01 UTC

Query Time26507ms

📊

114752

Total Alerts

6 correlated

🔍

Unique JA4T FPs

distinct fingerprints

🌐

433

Unique Source IPs

⚠️

High Risk FPs

score ≥ 7

❓

Unmatched in JA4DB

needs investigation

🔗

Cross-Ref Hits

JA4/JA4H matches

MSS Distribution

OS Family Distribution

Risk Score Distribution

Top Fingerprints by Alert Count

High Risk Fingerprints — score ≥ 7

4 fingerprints

10 / 10

17920_2-1-3_1380_8

CRITICAL 1 correlated alerts

⚠non-standard window size: 17920

⚠minimal TCP options: scanner/bot signature

⚠IP seen with multiple JA4T values (tool rotation)

Window17920

Options2-1-3

MSS1380

WScale8

OSMinimal stack (scanner/bot)

VPN — WireGuard / OpenVPN / IPSec (~80B)

Source IPs (2)

64.39.102.94[64.39.102.164, 64.39.102.94]

Providers

Oracle Cloud

Target Ports

443, 8081

Alert Types (7)

Country specific targeted attack

Credential Compromise Detected

Fuzzing attack

Injected Command Callback Domain Detected

+3 more

Correlated With

17920_2-1-3_8960_8

Total alerts: 517

Direct: 516

Correlated: 1

10 / 10

17920_2-1-3_8960_8

CRITICAL 1 correlated alerts

⚠non-standard window size: 17920

⚠minimal TCP options: scanner/bot signature

⚠IP seen with multiple JA4T values (tool rotation)

Window17920

Options2-1-3

MSS8960

WScale8

OSMinimal stack (scanner/bot)

Jumbo frames — datacenter / cloud environment

Source IPs (1)

[64.39.102.164, 64.39.102.94]

Providers

Oracle Cloud

Target Ports

8081

Alert Types (1)

Persistent OOB Callback Domain Activity

Correlated With

17920_2-1-3_1380_8

Total alerts: 1

Direct: 0

Correlated: 1

9 / 10

42340_2-1-3_1460_9

CRITICAL

⚠minimal TCP options: scanner/bot signature

Window42340

Options2-1-3

MSS1460

WScale9

OSMinimal stack (scanner/bot)

Direct ethernet (MTU 1500)

Source IPs (2)

[64.62.156.10, 64.62.156.108, 64.62.156.122, 64.62.156.150, 64.62.156.152, 64.62.156.162, 64.62.156.172, 64.62.156.192, 64.62.156.202, 64.62.156.204, 64.62.156.24, 64.62.156.66, 64.62.156.80, 64.62.156.94][65.49.1.10, 65.49.1.108, 65.49.1.132, 65.49.1.142, 65.49.1.172, 65.49.1.173, 65.49.1.178, 65.49.1.179, 65.49.1.182, 65.49.1.202, 65.49.1.222, 65.49.1.232, 65.49.1.38, 65.49.1.52]

Providers

Hurricane Electric

Alert Types (1)

Continuous attack from same C segment IP

Total alerts: 2

Direct: 2

Correlated: 0

8 / 10

65280_2-4-8-1-3_1360_7

HIGH 2 correlated alerts DB Match PARTIAL

⚠known OS but unusual MSS or window size

⚠IP seen with multiple JA4T values (tool rotation)

Window65280

Options2-4-8-1-3

MSS1360

WScale7

OSLinux (kernel 4.x+)

Heavy tunnel / double encapsulation (~140B)

Source IPs (9)

163.172.172.78185.93.89.43212.47.227.221212.47.234.9951.15.193.99...+4 +3 more

Providers

Limited NetworkScaleway[-, Scaleway][Amazon.com, Scaleway]

Target Ports

8083

Alert Types (13)

Attacker with IP unknown to integrated 3rd party threat Intelligence

Baithive request never seen before

Country specific targeted attack

Credential Compromise Detected

+9 more

Correlated With

64240_2-4-8-1-3_1460_9

JA4DB Match

AWS Linux 2

PARTIAL ✓ verified

Total alerts: 1641

Direct: 1639

Correlated: 2

All Fingerprints

24 unique

Fingerprint ⇅	Count ⇅	OS / App ⇅	MSS ⇅	Network Context ⇅	Risk ⇅	Source IPs	Ports	JA4DB
17920_2-1-3_1380_8 1 correlated	517 516 direct / 1 corr	Minimal stack (scanner/bot)	1380	VPN — WireGuard / OpenVPN / IPSec (~80B)	10 CRITICAL	64.39.102.94[64.39.102.164, 64.39.102.94]	443, 8081	—
17920_2-1-3_8960_8 1 correlated	1 0 direct / 1 corr	Minimal stack (scanner/bot)	8960	Jumbo frames — datacenter / cloud environment	10 CRITICAL	[64.39.102.164, 64.39.102.94]	8081	—
42340_2-1-3_1460_9	2	Minimal stack (scanner/bot)	1460	Direct ethernet (MTU 1500)	9 CRITICAL	[64.62.156.10, 64.62.156.108, 64.62.156.122, 64.62.156.150, 64.62.156.152, 64.62.156.162, 64.62.156.172, 64.62.156.192, 64.62.156.202, 64.62.156.204, 64.62.156.24, 64.62.156.66, 64.62.156.80, 64.62.156.94][65.49.1.10, 65.49.1.108, 65.49.1.132, 65.49.1.142, 65.49.1.172, 65.49.1.173, 65.49.1.178, 65.49.1.179, 65.49.1.182, 65.49.1.202, 65.49.1.222, 65.49.1.232, 65.49.1.38, 65.49.1.52]		—
65280_2-4-8-1-3_1360_7 2 correlated	1641 1639 direct / 2 corr	Linux (kernel 4.x+) AWS Linux 2	1360	Heavy tunnel / double encapsulation (~140B)	8 HIGH	163.172.172.78185.93.89.43212.47.227.221212.47.234.99 +5	8083	PARTIAL ✓
42600_2-4-8-1-3_1420_7	6	Linux (kernel 4.x+) WSL Ubuntu 22.04	1420	Unusual MSS, ~40B overhead	6 MEDIUM	34.19.116.5334.19.127.17634.19.127.215[34.19.116.53, 34.19.127.215, 34.68.34.76, 34.68.34.86]	443	PARTIAL ✓
65320_2-4-8-1-3_1420_7	3	Linux (kernel 4.x+) AWS Linux 2	1420	Unusual MSS, ~40B overhead	6 MEDIUM	34.118.249.7534.65.123.90	443	PARTIAL ✓
65320_2-4-8-1-3_1380_7	3	Linux (kernel 4.x+) AWS Linux 2	1380	VPN — WireGuard / OpenVPN / IPSec (~80B)	6 MEDIUM	34.14.68.6034.182.68.89	443	PARTIAL ✓
14400_2-4-8-1-3_1380_5	2	Linux (kernel 4.x+) WSL Ubuntu 22.04	1380	VPN — WireGuard / OpenVPN / IPSec (~80B)	6 MEDIUM	154.192.153.177	8080	PARTIAL ✓
62727_2-4-8-1-3_1460_7	1	Linux (kernel 4.x+)	1460	Direct ethernet (MTU 1500)	6 MEDIUM	16.147.255.135	8083	PARTIAL ✓
65535_2-1-3-1-1-4_1360_8	1	Windows 10/11 Windows 10	1360	Heavy tunnel / double encapsulation (~140B)	6 MEDIUM	117.136.39.30	443	PARTIAL ✓
25380_2-4-8-1-3_1424_7	1	Linux (kernel 4.x+) AWS Linux 2	1424	Unencrypted proxy/tunnel (~36B, Tencent scanner sig)	6 MEDIUM	58.87.66.28	6379	PARTIAL ✓
21900_2-4-8-1-3_1380_10 3 correlated	7 4 direct / 3 corr	Linux (kernel 4.x+) AWS Linux 2	1380	VPN — WireGuard / OpenVPN / IPSec (~80B)	5 MEDIUM	66.132.195.11166.132.195.95[66.132.172.109, 66.132.172.110, 66.132.172.128, 66.132.172.130, 66.132.172.131, 66.132.172.138, 66.132.172.143, 66.132.172.192, 66.132.172.199, 66.132.172.208, 66.132.172.212, 66.132.172.33, 66.132.172.99][66.132.172.128, 66.132.172.129, 66.132.172.130, 66.132.172.131, 66.132.172.132, 66.132.172.137, 66.132.172.182, 66.132.172.189, 66.132.172.192, 66.132.172.200, 66.132.172.201, 66.132.172.207, 66.132.172.223, 66.132.172.42, 66.132.172.43, 66.132.172.96, 66.132.172.99] +3	8080, 8081	PARTIAL ✓
64240_2-4-8-1-3_1460_9 2 correlated	112073 112071 direct / 2 corr	Linux (kernel 4.x+) WSL Ubuntu 22.04	1460	Direct ethernet (MTU 1500)	4 MEDIUM	102.129.152.177102.129.153.42102.129.153.55102.129.232.191 +371	8083	PARTIAL ✓
64240_2-4-8-1-3_1460_7	29	Linux (kernel 4.x+) WSL Ubuntu 22.04	1460	Direct ethernet (MTU 1500)	4 MEDIUM	179.43.146.226193.164.132.7289.248.168.239[195.184.76.150, 195.184.76.152, 195.184.76.244, 195.184.76.249, 195.184.76.250, 195.184.76.251, 195.184.76.253, 195.184.76.27, 195.184.76.40, 195.184.76.41, 195.184.76.42, 195.184.76.44, 195.184.76.45, 195.184.76.47, 195.184.76.72]	443	EXACT ✓
21900_2-4-8-1-3_1460_10 3 correlated	5 2 direct / 3 corr	Linux (kernel 4.x+) Ubuntu 22.04	1460	Direct ethernet (MTU 1500)	4 MEDIUM	66.132.224.81[162.142.125.193, 162.142.125.199, 162.142.125.206, 162.142.125.208, 162.142.125.209, 162.142.125.210, 162.142.125.211, 162.142.125.34, 162.142.125.35, 162.142.125.38, 162.142.125.41, 162.142.125.44, 162.142.125.47][66.132.172.128, 66.132.172.129, 66.132.172.130, 66.132.172.131, 66.132.172.132, 66.132.172.137, 66.132.172.182, 66.132.172.189, 66.132.172.192, 66.132.172.200, 66.132.172.201, 66.132.172.207, 66.132.172.223, 66.132.172.42, 66.132.172.43, 66.132.172.96, 66.132.172.99][66.132.186.160, 66.132.186.171, 66.132.186.178, 66.132.186.180, 66.132.186.183, 66.132.186.188, 66.132.186.189, 66.132.186.192, 66.132.186.198, 66.132.186.200, 66.132.186.202, 66.132.186.203, 66.132.186.205] +1	8443	PARTIAL ✓
65535_2-1-3-1-1-4_1440_8	4	Windows 10/11 Windows 10	1440	Unusual MSS, ~20B overhead	4 MEDIUM	23.101.4.52	443	PARTIAL ✓
64240_2-1-3-1-1-4_1440_8	1	Windows 10/11 Windows 10	1440	Unusual MSS, ~20B overhead	4 MEDIUM	[52.167.144.167, 52.167.144.17, 52.167.144.176, 52.167.144.183, 52.167.144.188, 52.167.144.189, 52.167.144.190, 52.167.144.191, 52.167.144.193, 52.167.144.198, 52.167.144.204, 52.167.144.211, 52.167.144.215, 52.167.144.221, 52.167.144.222, 52.167.144.229, 52.167.144.236, 52.167.144.237, 52.167.144.24]		PARTIAL ✓
64240_2-1-3-1-1-4_1380_8	393	Windows 10/11 Windows 10	1380	VPN — WireGuard / OpenVPN / IPSec (~80B)	3 LOW	117.162.193.169	443	PARTIAL ✓
64240_2-4-8-1-3_1380_7	9	Linux (kernel 4.x+) AWS Linux 2	1380	VPN — WireGuard / OpenVPN / IPSec (~80B)	3 LOW	151.115.99.171185.16.39.146194.59.31.10078.47.72.79 +1	443, 8080	PARTIAL ✓
42340_2-4-8-1-3_1380_11	2	Linux (kernel 4.x+) WSL Ubuntu 22.04	1380	VPN — WireGuard / OpenVPN / IPSec (~80B)	3 LOW	143.198.204.151	8080	PARTIAL ✓
65535_2-1-3-1-1-8-4-0_1380_6	1	macOS / iOS	1380	VPN — WireGuard / OpenVPN / IPSec (~80B)	3 LOW	87.116.179.61	8080	—
64240_2-4-8-1-3_1460_10	32	Linux (kernel 4.x+) AWS Linux 2	1460	Direct ethernet (MTU 1500)	2 LOW	185.156.73.1688.210.63.1088.210.63.1188.210.63.12 +4	8081	PARTIAL ✓
64240_2-1-3-1-1-4_1460_8	12	Windows 10/11 Windows 10	1460	Direct ethernet (MTU 1500)	2 LOW	185.218.138.15185.218.138.3988.210.63.61	8081	EXACT ✓
42340_2-4-8-1-3_1460_12	12	Linux (kernel 4.x+) WSL Ubuntu 22.04	1460	Direct ethernet (MTU 1500)	2 LOW	88.210.63.288.210.63.392.63.197.79	8081	PARTIAL ✓

Correlated Alert Fingerprint Chains

When multiple security events trigger a single correlated alert, the JA4T field contains a list of fingerprints observed in that session. Each chain below shows fingerprints that were seen together.