Malware Handbook

Analyzing JAR Files

Overview of JAR Files

  • JAR (Java ARchive): A cross-platform file format used for packaging Java class files and associated metadata and resources into a single file.

  • Cross-Platform Reach: JAR files run on any operating system with a Java runtime (Windows, Linux, Mac, Android), so a single malicious JAR can potentially affect endpoints on multiple platforms.

Tools for Analyzing JAR Files

  1. jd-gui: A tool for decompiling Java class files in JAR archives to view source code.

  2. Visual Studio Code (VS Code) with Java Extension Pack: Provides Java development features and debugging capabilities.

Steps for Analysis

  1. Setup Environment:

    • Install Visual Studio Code: It should already be installed from the earlier sessions.

    • Install Java Extension Pack:

      • Open VS Code.

      • Go to Extensions (square blocks icon).

      • Search for and install Java Extension Pack by Microsoft.

    • Run FakeNet: To intercept the sample's outgoing network traffic during analysis.

  2. Analyze JAR File:

    • Open JAR File in jd-gui:

      • Launch jd-gui and open the JAR file or drag and drop it into the tool.

      • Inspect the MANIFEST.MF file under META-INF; its Main-Class attribute names the entry point class (e.g., Xforce).

  3. Decompile and Save Source Code:

    • Decompiled Source:

      • View and analyze the decompiled source code in jd-gui.

      • Save the decompiled sources by selecting File > Save All Sources.

    • Extract Source:

      • Extract the saved archive into a folder.

  4. Debug with VS Code:

    • Open Decompiled Source:

      • In VS Code, open the folder containing the decompiled Java source files.

    • Set Breakpoints:

      • Open the entry point class (e.g., Xforce.java).

      • Place a breakpoint at the first line of the main method.

    • Run and Debug:

      • Click the debug icon and select Run and Debug.

      • If errors occur, resolve them by importing missing Java packages. Use Quick Fix to handle unresolved names.

      • Save changes and continue debugging.

    • Monitor Network Activity:

      • Step through the code to observe its interactions, and check FakeNet for network requests and payloads.

      • Look for GET requests or payload downloads (e.g., dummy.exe); these indicate that the JAR acts as a payload downloader.
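Before opening a sample in jd-gui, a quick static triage of the archive confirms the entry point and shows which classes are worth stepping through first. The script below is an added example and is not part of the handbook: it builds a constructed in-memory JAR (Main-Class Xforce, one fake class referencing dummy.exe, mirroring the page's sample) instead of touching a real file, and the indicator patterns are assumptions chosen for this illustration.

```python
import io, re, zipfile

# Constructed sample JAR: a manifest naming the entry point and one fake class
# (class-file magic plus constant-pool-like strings, not real bytecode).
SAMPLE_MANIFEST = "Manifest-Version: 1.0\r\nMain-Class: Xforce\r\n\r\n"
SAMPLE_CLASS = (
    b"\xca\xfe\xba\xbe\x00\x00\x00\x34"
    + b"java/net/URL\x00http://example.invalid/dummy.exe\x00"
    + b"java/lang/Runtime\x00exec\x00"
)
# Indicator patterns (assumptions for this example): URLs and download/exec APIs
# show which class to step through first in the debugger.
INDICATORS = {
    "url_string": re.compile(rb"https?://[\x21-\x7e]+"),
    "java_net_URL": re.compile(rb"java/net/URL"),
    "runtime_exec": re.compile(rb"java/lang/Runtime"),
}

def build_sample_jar() -> bytes:
    buf = io.BytesIO()                      # a JAR is an ordinary zip archive
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", SAMPLE_MANIFEST)
        zf.writestr("Xforce.class", SAMPLE_CLASS)
    return buf.getvalue()

def parse_manifest(text: str) -> dict:
    """Parse 'Key: value' lines; a line starting with a space continues the last value."""
    attrs, last = {}, None
    for line in text.splitlines():
        if line.startswith(" ") and last:
            attrs[last] += line[1:]
        elif ":" in line:
            key, _, value = line.partition(":")
            last = key.strip()
            attrs[last] = value.strip()
    return attrs

def triage_jar(data: bytes) -> dict:
    """Return the Main-Class, the list of classes and per-class indicator hits."""
    report = {"main_class": None, "classes": [], "hits": {}}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        if "META-INF/MANIFEST.MF" in zf.namelist():
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            report["main_class"] = parse_manifest(manifest).get("Main-Class")
        for name in [n for n in zf.namelist() if n.endswith(".class")]:
            report["classes"].append(name)
            blob = zf.read(name)
            report["hits"][name] = [(label, m.decode("ascii", "replace"))
                                    for label, pat in INDICATORS.items() for m in pat.findall(blob)]
    return report
```

Run it on a real sample by passing the file's bytes to triage_jar; the class with URL and Runtime hits is the one to breakpoint first in VS Code.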

Summary

  • JAR File Analysis:

    • Decompile the JAR using jd-gui to view source code.

    • Debug the decompiled source in VS Code with Java Extension Pack.

    • Monitor network activity to understand payload behavior.

These steps help in understanding the functionality and behavior of Java-based malware by inspecting and debugging JAR files.


Last updated 9 months ago