Generate interlinked wiki from master inventory: 397 tool pages, 15 workflow pages, 27 recipe pages, 33 category pages, plus index. All pages use [[wiki-links]] for cross-navigation between tools, workflows, recipes, and categories (1782 links total). Install zk for interactive browsing with fzf search, tag filtering, and backlink discovery. Add 'fhelp wiki' command and Makefile target. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Java Malware Analysis
Analyze malicious Java archives (JAR), applets, and compiled classes. Covers decompilation and code analysis.
Steps
Step 1: Archive Inspection
Tools: tools/unzip, tools/file
Extract JAR contents: unzip <file.jar> -d output/. Examine META-INF/MANIFEST.MF for Main-Class entry point. List all .class files.
unzip -P infected sample.zip
file sample.jar
unzip sample.jar -d output/
cat output/META-INF/MANIFEST.MF
Step 2: Decompilation
Tools: tools/cfr, tools/jd-gui
Decompile with CFR: cfr <file.jar> --outputdir output/. Or use JD-GUI for visual browsing. CFR handles modern Java features (lambdas, try-with-resources) better than JD-GUI.
cfr <file.jar> --outputdir output/
jd-gui <file.jar>
Step 3: Multi-Decompiler Comparison
Tools: tools/cfr, tools/procyon
If one decompiler fails on a class: try Procyon. Compare outputs. Some obfuscators break specific decompilers while others handle them fine.
cfr <file.jar> --outputdir output/
procyon -jar <file.jar> -o output-procyon/
Step 4: Code Analysis
Tools: tools/visual-studio-code
Review decompiled source. Search for: Runtime.exec() (command execution), URLConnection (network), Cipher (crypto), File I/O operations, reflection (Class.forName).
code output/
grep -rnE 'Runtime\.getRuntime|ProcessBuilder|URLConnection|Cipher\.getInstance|Class\.forName' output/
Step 5: Resource Extraction
Tools: tools/strings
Extract embedded resources and strings. Check for: encoded payloads in resources, config files, embedded binaries. Base64-encoded content is common.
find output/ -type f ! -name '*.class' -exec file {} +
strings -n 8 output/<resource>
Step 6: Document Findings
Record: entry point class, malicious methods, URLs/IPs, downloaded payloads, commands executed, Java version requirements.
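The steps above can be scripted as a first-pass triage that produces the Step 6 record directly from the archive. The script below is an added example for this workflow page; it is not part of the wiki or of any of the listed tools. It works on the raw JAR without a decompiler: it parses META-INF/MANIFEST.MF (including continuation lines) for the Main-Class entry point, lists the classes, scans each class file's constant pool for the API references named in Step 4, and looks for base64-encoded blobs and URLs in resources as in Step 5. The sample JAR it builds is constructed in-memory from stub class bytes and a placeholder URL, not a real sample. String-encrypting obfuscators hide these references behind reflection, which is exactly the case where the CFR/Procyon output from Steps 2 and 3 has to be searched instead; the same indicator list applies there.

```python
"""Static triage of a suspicious JAR: entry point, class list, suspicious API
references in class constant pools, and base64 blobs / URLs in resources.
Added example for the Java Malware Analysis workflow, not wiki or tool code."""
import base64
import binascii
import io
import re
import sys
import zipfile

# (byte pattern as it appears in a class file's constant pool, what it suggests).
# Class references use the internal form "java/lang/Runtime"; method names such
# as "exec" or "forName" are stored as separate UTF8 entries.
INDICATORS = [
    (b"java/lang/Runtime", "command execution (Runtime.exec)"),
    (b"java/lang/ProcessBuilder", "command execution (ProcessBuilder)"),
    (b"java/net/URLConnection", "network access (URLConnection)"),
    (b"java/net/Socket", "raw socket"),
    (b"javax/crypto/Cipher", "cryptography (Cipher)"),
    (b"java/io/FileOutputStream", "file write"),
    (b"forName", "reflection (Class.forName)"),
    (b"defineClass", "dynamic class loading"),
]
BASE64_RE = re.compile(rb"[A-Za-z0-9+/]{40,}={0,2}")
URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#@!$&'()*+,;=%-]+")


def parse_manifest(text):
    """Parse the main section of META-INF/MANIFEST.MF into a dict.
    A line starting with a single space continues the previous value (JAR spec)."""
    attrs, last_key = {}, None
    for line in text.splitlines():
        if not line.strip():
            break  # blank line ends the main section; per-entry sections follow
        if line.startswith(" ") and last_key is not None:
            attrs[last_key] += line[1:]
        elif ":" in line:
            key, _, value = line.partition(":")
            last_key = key.strip()
            attrs[last_key] = value.strip()
    return attrs


def find_base64_blobs(data, min_len=40):
    """Return decoded payloads for base64 runs that actually decode (strict mode)."""
    blobs = []
    for m in BASE64_RE.finditer(data):
        run = m.group(0)
        if len(run) < min_len or len(run) % 4:
            continue
        try:
            blobs.append(base64.b64decode(run, validate=True))
        except binascii.Error:
            continue
    return blobs


def triage_jar(jar_bytes):
    """Build the Step 6 record: entry point, classes, indicators per class, URLs, blobs."""
    report = {"main_class": None, "classes": [], "indicators": {}, "urls": set(), "blobs": []}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as z:
        names = z.namelist()
        if "META-INF/MANIFEST.MF" in names:
            manifest = parse_manifest(z.read("META-INF/MANIFEST.MF").decode("utf-8", "replace"))
            report["main_class"] = manifest.get("Main-Class")
        for name in sorted(names):
            if name.endswith("/"):
                continue
            data = z.read(name)
            if name.endswith(".class"):
                report["classes"].append(name)
                hits = [desc for pat, desc in INDICATORS if pat in data]
                if hits:
                    report["indicators"][name] = hits
            elif name != "META-INF/MANIFEST.MF":
                # resources: encoded payloads/config first, then URLs in the decoded form
                for blob in find_base64_blobs(data):
                    report["blobs"].append((name, len(blob)))
                    report["urls"].update(u.decode() for u in URL_RE.findall(blob))
            report["urls"].update(u.decode() for u in URL_RE.findall(data))
    report["urls"] = sorted(report["urls"])
    return report


def build_sample_jar():
    """Constructed stand-in for a malicious JAR (not a real sample): class file stubs
    whose bytes carry the constant-pool strings a downloader/loader would contain."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        # Main-Class split over a continuation line, which the JAR spec allows
        z.writestr("META-INF/MANIFEST.MF",
                   "Manifest-Version: 1.0\r\nMain-Class: com.example.\r\n Loader\r\n\r\n")
        z.writestr("com/example/Loader.class",
                   b"\xca\xfe\xba\xbe\x00java/lang/Runtime\x00exec\x00java/net/URLConnection\x00")
        z.writestr("com/example/Util.class", b"\xca\xfe\xba\xbe\x00java/lang/String\x00")
        stage2 = b"http://stage2.placeholder.invalid/payload.bin"  # placeholder, not a real host
        z.writestr("res/config.dat", base64.b64encode(stage2) + b"\n")
    return buf.getvalue()


if __name__ == "__main__":
    jar = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_jar()
    for key, value in triage_jar(jar).items():
        print(f"{key}: {value}")
```

Run it with a JAR path to triage a real archive, or with no arguments to see the report for the constructed sample: entry point com.example.Loader, two indicators on Loader.class, and the placeholder URL recovered from the base64 resource. Treat the indicator list as a starting point for Step 4's manual review, not a verdict; a class that merely references URLConnection is not malicious on its own.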
#java #jar #decompilation #cfr #jd-gui #workflow