# Java Malware Analysis

> Analyze malicious Java archives (JAR), applets, and compiled classes. Covers decompilation and code analysis.

## Steps

### Step 1: Archive Inspection

**Tools:** [[tools/unzip|unzip]], [[tools/file|file]]

A JAR is a ZIP archive, so confirm the container with `file` and extract it with `unzip -d output/`. Examine `META-INF/MANIFEST.MF` for the `Main-Class` entry point, then list all `.class` files. If there is no `Main-Class`, the JAR is most likely an applet or a library loaded by another stage, and the entry point has to be found from the loading context (applet tag, loader code) instead. Samples are usually shared inside a password-protected ZIP (conventionally password `infected`), so unpack that first.

```bash
unzip -P infected sample.zip
file sample.jar                       # expect "Java archive data (JAR)" or "Zip archive data"
unzip -d output/ sample.jar
cat output/META-INF/MANIFEST.MF       # Main-Class, Class-Path, signing attributes
find output/ -name '*.class' | sort
```

### Step 2: Decompilation

**Tools:** [[tools/cfr|cfr]], [[tools/jd-gui|jd-gui]]

Decompile the whole archive with CFR into `output/`, or open it in JD-GUI for visual browsing. CFR handles modern Java constructs (lambdas, try-with-resources, switch on strings) better than older decompilers. If no `cfr` wrapper script is installed, run the downloaded CFR release JAR directly with `java -jar`.

```bash
cfr --outputdir output/ sample.jar
java -jar cfr.jar sample.jar --outputdir output/   # same thing without a wrapper; cfr.jar is the downloaded release
jd-gui sample.jar
```

### Step 3: Multi-Decompiler Comparison

**Tools:** [[tools/cfr|cfr]], [[tools/procyon|procyon]]

If one decompiler fails on a class or emits obviously wrong control flow, try Procyon and compare the outputs. Some obfuscators (bogus exception handlers, unreachable jumps, invalid constant-pool entries) break specific decompilers while others handle them fine. When the decompilers disagree, the bytecode from `javap` is the ground truth, since it is a disassembly rather than a reconstruction.

```bash
cfr --outputdir output/cfr/ sample.jar
java -jar procyon-decompiler.jar -o output/procyon/ sample.jar
diff -r output/cfr/ output/procyon/
javap -c -p -cp sample.jar com.example.Main        # placeholder class name: use the Main-Class from the manifest
```

### Step 4: Code Analysis

**Tools:** [[tools/visual-studio-code|visual-studio-code]]

Review the decompiled source. Search for `Runtime.exec()` / `ProcessBuilder` (command execution), `URLConnection` / `Socket` (network), `Cipher` (crypto), file I/O operations, and reflection (`Class.forName`, `Method.invoke`). Obfuscated samples hide these calls behind string-decryption helpers and reflection, so also look for methods that build strings from byte or char arrays and for `Class.forName` calls fed by such helpers.

```bash
code output/
grep -rnE 'Runtime\.getRuntime|ProcessBuilder|URLConnection|Socket|Cipher\.getInstance|FileOutputStream|Class\.forName|\.invoke\(' output/
```

### Step 5: Resource Extraction

**Tools:** [[tools/strings|strings]]

Extract embedded resources and strings. Check for encoded payloads in resources, config files, and embedded binaries; Base64-encoded content is common. Run `strings` on the extracted files, not on the JAR itself: JAR members are normally deflate-compressed, so `strings` on the archive sees little beyond file names.

```bash
find output/ -type f ! -name '*.class' -exec file {} +     # resources: look for data, PE, ELF, text
find output/ -type f -exec strings -n 8 {} + | sort -u | grep -iE 'http|://|\.exe|cmd|powershell|/bin/sh'
base64 -d output/res/payload.dat | file -                  # placeholder path: decode a suspected Base64 resource
```

### Step 6: Document Findings

Record: entry point class, malicious methods, URLs/IPs, downloaded payloads, commands executed, Java version requirements (the class-file major version tells you the minimum JRE the sample needs).

#java #jar #decompilation #cfr #jd-gui #workflow
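Steps 1, 4 and 5 can be scripted for bulk triage before any decompiler is opened. The following is an added example, not code from the original page or from any of the tools it links: a self-contained Python script that reads `Main-Class` from the manifest (honouring continuation lines), walks the constant pool of every `.class` member to pull out `CONSTANT_Utf8` entries (class, method and field names and string literals all live there, so `java/lang/Runtime` or `exec` shows up even before decompilation), maps them onto the Step 4 checklist, and flags resources that consist of one long Base64 blob. The sample JAR, its class names (`com.example.Dropper`, `com.example.Loader`) and its resource names are constructed inline for the demonstration; the class files contain only a constant pool and are not loadable.

```python
import base64
import io
import re
import struct
import zipfile

# JVM constant-pool tags (JVMS 4.4): tag 1 (CONSTANT_Utf8) holds every class, method and
# field name plus string literals; every other tag has a fixed payload size in bytes.
FIXED_SIZE = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4,
              15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}
# Step 4 review checklist expressed as internal JVM names.
INDICATORS = {
    "command execution": ("java/lang/Runtime", "exec", "java/lang/ProcessBuilder"),
    "network": ("java/net/URL", "java/net/Socket"),
    "crypto": ("javax/crypto/Cipher",),
    "file I/O": ("java/io/FileOutputStream", "java/io/FileInputStream"),
    "reflection": ("java/lang/Class", "forName", "java/lang/reflect"),
}
B64_RE = re.compile(rb"^[A-Za-z0-9+/\r\n]+={0,2}\s*$")

def class_utf8_strings(data):
    """Walk a .class file's constant pool and return its CONSTANT_Utf8 entries."""
    if data[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a class file (bad magic)")
    count = struct.unpack(">H", data[8:10])[0]
    off, idx, out = 10, 1, []
    while idx < count:
        tag = data[off]
        off += 1
        if tag == 1:
            length = struct.unpack(">H", data[off:off + 2])[0]
            off += 2
            # Java stores "modified UTF-8"; plain UTF-8 with replacement is fine for triage.
            out.append(data[off:off + length].decode("utf-8", "replace"))
            off += length
        elif tag in FIXED_SIZE:
            off += FIXED_SIZE[tag]
            if tag in (5, 6):  # CONSTANT_Long / CONSTANT_Double occupy two pool slots
                idx += 1
        else:
            raise ValueError(f"unknown constant pool tag {tag} at offset {off - 1}")
        idx += 1
    return out

def manifest_main_class(text):
    """Parse MANIFEST.MF; a line starting with one space continues the previous value."""
    attrs, key = {}, None
    for line in text.splitlines():
        if line.startswith(" ") and key:
            attrs[key] += line[1:]
        elif ":" in line:
            key, _, value = line.partition(":")
            key = key.strip()
            attrs[key] = value.strip()
    return attrs.get("Main-Class")

def looks_base64(blob, min_len=64):
    """True if a resource is one Base64 blob long enough to be hiding a payload."""
    body = blob.strip()
    if len(body) < min_len or not B64_RE.match(body):
        return False
    try:
        base64.b64decode(re.sub(rb"\s", b"", body), validate=True)
        return True
    except ValueError:  # binascii.Error is a ValueError subclass
        return False

def triage_jar(jar_bytes):
    """Entry point, per-class indicator hits and Base64-looking resources for one JAR."""
    report = {"main_class": None, "classes": {}, "suspect_resources": []}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            blob = zf.read(name)  # directory entries read as b"" and match nothing below
            if name == "META-INF/MANIFEST.MF":
                report["main_class"] = manifest_main_class(blob.decode("utf-8", "replace"))
            elif name.endswith(".class"):
                strings = class_utf8_strings(blob)
                hits = {cat for cat, needles in INDICATORS.items()
                        if any(n in s for s in strings for n in needles)}
                report["classes"][name] = sorted(hits)
            elif looks_base64(blob):
                report["suspect_resources"].append(name)
    return report

def build_class(utf8_entries):
    """Constructed class file: a constant pool of Utf8 entries plus one CONSTANT_Class
    reference to entry 1 (so a fixed-size tag is walked too); the rest is zero padding."""
    pool = b"".join(b"\x01" + struct.pack(">H", len(s.encode())) + s.encode() for s in utf8_entries)
    pool += b"\x07\x00\x01"
    header = b"\xca\xfe\xba\xbe" + struct.pack(">HH", 0, 52)  # major 52 = Java 8
    return header + struct.pack(">H", len(utf8_entries) + 2) + pool + b"\x00" * 8

def build_sample_jar():
    """Constructed sample (not a real specimen): dropper-like class, reflective loader,
    one Base64 resource and one plain config file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    "Manifest-Version: 1.0\r\nMain-Class: com.example.Drop\r\n per\r\n\r\n")
        zf.writestr("com/example/Dropper.class", build_class(["java/lang/Runtime", "exec", "java/net/URL"]))
        zf.writestr("com/example/Loader.class", build_class(["java/lang/Class", "forName"]))
        zf.writestr("res/payload.dat", base64.b64encode(b"MZ\x90\x00" * 30))
        zf.writestr("res/app.properties", b"server=update.example\n")
    return buf.getvalue()
```

Running `triage_jar(build_sample_jar())` reports `com.example.Dropper` as the entry point, tags `Dropper.class` with command execution and network, tags `Loader.class` with reflection, and lists `res/payload.dat` as the only Base64-looking resource. The constant pool only shows what a class references statically: names that are decrypted at runtime and fed to `Class.forName` never appear there, which is exactly why a reflection hit with few other indicators deserves the manual review in Step 4 rather than a clean bill.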