============================================================
  Java Malware Analysis
============================================================

  Analyze malicious Java archives (JAR), applets, and compiled classes. Covers decompilation and code analysis.

────────────────────────────────────────────────────────────

  Step 1: Archive Inspection
  Tools: unzip, file
  Extract JAR contents: unzip <file.jar> -d output/.
  Examine META-INF/MANIFEST.MF for Main-Class entry
  point. List all .class files.

    $ file <file.jar>
    $ unzip <file.jar> -d output/

  Step 2: Decompilation
  Tools: cfr, jd-gui
  Decompile with CFR: cfr <file.jar> --outputdir
  output/. Or use JD-GUI for visual browsing. CFR
  handles modern Java (lambdas, try-with-resources)
  better.

    $ cfr <file.jar> --outputdir output/
    $ jd-gui <file.jar>

  Step 3: Multi-Decompiler Comparison
  Tools: cfr, procyon
  If one decompiler fails on a class, try Procyon.
  Compare outputs. Some obfuscators break specific
  decompilers while others handle them fine.

    $ cfr <file.jar> --outputdir output/cfr/
    $ procyon -o output/procyon/ <file.jar>

  Step 4: Code Analysis
  Tools: visual-studio-code
  Review decompiled source. Search for: Runtime.exec()
  (command execution), URLConnection (network), Cipher
  (crypto), File I/O operations, reflection
  (Class.forName).

    $ code output/

  Step 5: Resource Extraction
  Tools: strings
  Extract embedded resources and strings. Check for:
  encoded payloads in resources, config files, embedded
  binaries. Base64-encoded content is common.

    $ strings -a <file.class>

  Step 6: Document Findings
  Record: entry point class, malicious methods,
  URLs/IPs, downloaded payloads, commands executed, Java
  version requirements.
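
  Added example (not part of this cheat sheet or the fhelp tool): a Python triage script that covers Steps 1, 4 and 5 on a JAR before any decompiler is run. It reads Main-Class from the manifest (unwrapping MANIFEST.MF continuation lines), lists the .class entries, matches each class's constant-pool strings against the Step 4 API list, and flags resources containing long base64 blobs. The sample JAR it builds is constructed in memory; the class names and stand-in class bytes are made up.

```python
import io
import re
import zipfile

# Step 4's checklist APIs, as the strings a compiled class stores in its constant pool.
INDICATORS = {
    b"java/lang/Runtime": "command execution (Runtime.exec)",
    b"java/net/URLConnection": "network (URLConnection)",
    b"javax/crypto/Cipher": "crypto (Cipher)",
    b"java/io/FileOutputStream": "file I/O",
    b"forName": "reflection (Class.forName)",
}
# Step 5: a long run of the base64 alphabet (40+ chars, optional padding) inside a resource.
BASE64_BLOB = re.compile(rb"[A-Za-z0-9+/]{40,}={0,2}")

def main_class(manifest: bytes):
    """Main-Class value; MANIFEST.MF wraps lines at 72 bytes and marks a continuation with one leading space."""
    text = manifest.decode("utf-8", "replace").replace("\r\n", "\n").replace("\n ", "")
    for line in text.split("\n"):
        if line.startswith("Main-Class:"):
            return line.split(":", 1)[1].strip()
    return None

def triage_jar(data: bytes) -> dict:
    """Entry point, .class inventory, suspicious APIs per class, and resources carrying base64 blobs."""
    report = {"main_class": None, "classes": [], "indicators": {}, "base64_resources": []}
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        for name in jar.namelist():
            content = jar.read(name)
            if name == "META-INF/MANIFEST.MF":
                report["main_class"] = main_class(content)
            elif name.endswith(".class"):
                report["classes"].append(name)
                hits = [label for needle, label in INDICATORS.items() if needle in content]
                if hits:
                    report["indicators"][name] = hits
            elif BASE64_BLOB.search(content):
                report["base64_resources"].append(name)
    return report

def build_sample_jar() -> bytes:
    """Constructed sample, not real malware: the .class entries are stand-in bytes that only
    mimic the constant-pool strings of a compiled class and are not valid bytecode."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\nMain-Class: com.example.Loa\r\n der\r\n")
        jar.writestr("com/example/Loader.class", b"\xca\xfe\xba\xbe\x00java/lang/Runtime\x00exec\x00forName\x00")
        jar.writestr("com/example/Util.class", b"\xca\xfe\xba\xbe\x00java/lang/String\x00")
        jar.writestr("res/config.dat", b"cfg=" + b"QUJD" * 20 + b"\n")
    return buf.getvalue()
```

  Run triage_jar() on the bytes of a real JAR and confirm the flagged classes against the decompiled source from Step 2; a clean class such as the sample's Util.class produces no indicator entry.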

────────────────────────────────────────────────────────────
  Tip: 'fhelp cheat <tool>' for full examples
       'Ctrl+G' for interactive cheatsheet browser
