irt/docker_file_analysis
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
Files
bfc3042b9b94fa294d2b44be2d07d3b86608d17c
docker_file_analysis/data/generated/workflows/java-analysis-workflow.txt
T
tobias f3ccc09c3d Add FOR610 tool/workflow knowledge base and data pipeline 
Build comprehensive malware analysis knowledge base from 3 sources:
- SANS FOR610 course: 120 tools, 47 labs, 15 workflows, 27 recipes
- REMnux salt-states: 340 packages parsed from GitHub
- REMnux docs: 280+ tools scraped from docs.remnux.org

Master inventory merges all sources into 447 tools with help tiers
(rich/standard/basic). Pipeline generates: tools.db (397 entries),
397 cheatsheets with multi-tool recipes, 15 workflow guides, 224
TLDR pages, and coverage reports.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-28 17:38:15 +01:00

61 lines
2.1 KiB
Plaintext
Raw Blame History

============================================================
Java Malware Analysis
============================================================
Analyze malicious Java archives (JAR), applets, and compiled classes. Covers decompilation and code analysis.
────────────────────────────────────────────────────────────
Step 1: Archive Inspection
Tools: unzip, file
Extract JAR contents: unzip <file.jar> -d output/.
Examine META-INF/MANIFEST.MF for Main-Class entry
point. List all .class files.
$ unzip -P infected sample.zip
$ file specimen.exe
Step 2: Decompilation
Tools: cfr, jd-gui
Decompile with CFR: cfr <file.jar> --outputdir
output/. Or use JD-GUI for visual browsing. CFR
handles modern Java (lambdas, try-with-resources)
better.
$ cfr <file.jar> --outputdir output/
$ jd-gui <file.jar>
Step 3: Multi-Decompiler Comparison
Tools: cfr, procyon
If one decompiler fails on a class: try Procyon.
Compare outputs. Some obfuscators break specific
decompilers while others handle them fine.
$ cfr <file.jar> --outputdir output/
Step 4: Code Analysis
Tools: visual-studio-code
Review decompiled source. Search for: Runtime.exec()
(command execution), URLConnection (network), Cipher
(crypto), File I/O operations, reflection
(Class.forName).
$ code filename.js
Step 5: Resource Extraction
Tools: strings
Extract embedded resources and strings. Check for:
encoded payloads in resources, config files, embedded
binaries. Base64-encoded content is common.
$ strings binary.exe
Step 6: Document Findings
Record: entry point class, malicious methods,
URLs/IPs, downloaded payloads, commands executed, Java
version requirements.
────────────────────────────────────────────────────────────
Tip: 'fhelp cheat <tool>' for full examples
'Ctrl+G' for interactive cheatsheet browser
Reference in New Issue View Git Blame Copy Permalink