java_triage.py is a static triage tool for suspicious Java codebases.
It recursively scans .java files, decodes specific integer-array string obfuscation patterns, scans suspicious string literals, surfaces behavioral indicators, finds suspicious artifact files, and can optionally resolve runtime C2 hints from on-chain config data.
- Decodes
load(new int[]{...}, new int[]{...}, k1, k2)string obfuscation patterns. - Scans plain Java string literals for suspicious indicators (URLs, command execution strings, payload paths, encoded blobs, and keyword signals).
- Detects Discord indicators, including bot tokens, webhook URLs, and snowflake IDs (guild/channel/user/role/application).
- Detects additional comms indicators, including Telegram bot tokens/API patterns and generic non-Discord webhook patterns.
- Detects additional encoded literals (Base64/Base32/hex/XOR-recovered text where possible).
- Classifies decoded strings (URL, RPC templates, credential fields, paths, crypto-related values, etc.).
- Flags behavior indicators such as:
- dynamic class loading/invocation
- HTTP payload download and exfiltration patterns
- native payload extraction/loading
- command execution and dropper/elevation helpers
- CMSTP/UAC bypass and Defender tampering indicators
- Splits assessment behavior findings into:
benignneeds_reviewsuspicious
- Assigns behavior severities (
critical/high/medium/low/info) and reports severity counts. - Adds a metadata preface (
Basic Properties,JAR Info,Bundle Info) to text/rich reports. - Optionally enriches metadata with
Vhash,SSDEEP,TLSH,TrID, andMagikawhen local tools/libraries are available. - Identifies suspicious artifacts (
*.jar.*, large opaque.dat/.bin, embedded resource payloads). - Produces:
- human-readable text output (with optional rich terminal tables)
- machine-readable JSON output
String literal scanning ("text" style) includes:
- URLs and endpoint-like strings
- command/lolbin patterns (
cmd.exe,powershell,cmstp, etc.) - path/payload indicators (
.exe,.dll,.jar,.dat,.bin, temp/appdata paths) - high-entropy encoded blobs (base64/hex-like literals)
- suspicious keywords (
token,authorization,webhook,defender, etc.)
Behavior scanning also includes:
- environment variable access (
System.getenv) - dynamic class loading via
URLClassLoader(with extra signal if remote HTTP hosts are present) - local Minecraft session/account file path references (
session.json,launcher_accounts.json,.minecraft) with optional exfiltration context
Discord-focused detection includes:
- bot tokens
- webhook URLs (
discord.com/api/webhooks/...) - snowflake IDs (
17-20digit IDs) - contextual IDs in literals containing labels like
guild_id,channel_id,user_id,role_id,application_id
I saw this on YouTube:
It was yet another super obvious Minecraft account stealer/trojan using a fake video to entice fools to lose their accounts.
This led me to make this Python app to quickly triage such obvious distributions. Turns out yes, it does steal your Minecraft credentials and sends it to a Discord webhook, obfuscated behind another API. It then downloads another trojan which using JNIC (poorly) extracts a Windows binary for a second payload. Given that payload wasn't also Java my interest stopped there for now.
Update: Mediafire has added a warning in response to this repo, how nice of them!
- Python 3.9+ recommended
- Optional:
richfor enhanced terminal output - Optional CLI tools for metadata enrichment:
ssdeep,tlsh,trid,vhash - Optional Python package for metadata enrichment:
magika
No package install is required for the script itself.
# optional, for rich UI output
pip install rich
# optional, for magika metadata enrichment
pip install magikapython java_triage.py [target]# Scan current directory
python java_triage.py
# Scan a specific unpacked source tree
python java_triage.py ./sample_project
# JSON output to stdout
python java_triage.py ./sample_project --json
# Save JSON report
python java_triage.py ./sample_project --json --out report.json
# Disable any network lookups during analysis
python java_triage.py ./sample_project --no-network
# Wider rich output
python java_triage.py ./sample_project --rich-width 220target: folder to scan (default: current directory)--json: emit JSON instead of text--out <path>: write output to file--no-progress: disable progress messages--no-network: disable runtime C2 resolution over network--rich-width <int>: preferred rich console width for progress/final report rendering (default:120, minimum effective width:80)
Text output includes:
- Basic Properties (hashes + optional enrichments if available)
- JAR Info (manifest + archive metadata)
- Bundle Info (bundle counts, timestamps, extensions/types)
- Decode + string findings
- Assessment findings (
benign,needs_review,suspicious) - Behavioral findings (with severity)
- Artifact findings
- Runtime C2 resolution status
- Summary counts (including high-risk findings, high-risk behaviors, assessment counts, category totals, behavior severity totals)
Rich output includes:
- wider, expanded tables (
expand=True) with folded long text - dedicated metadata sections (
Basic Properties,JAR Info,Bundle Info) - dedicated
Assessment Findingstable Behavioral Findingswith risk column
JSON output structure:
{
"root": "scanned/path",
"target_metadata": {
"basic_properties": {},
"jar_info": {},
"bundle_info": {}
},
"summary": {
"high_risk_behavior_count": 0,
"behavior_severity_counts": {
"critical": 0,
"high": 0,
"medium": 0,
"low": 0,
"info": 0
},
"assessment_counts": {
"benign": 0,
"needs_review": 0,
"suspicious": 0
}
},
"assessment_summary": {
"counts": {
"benign": 0,
"needs_review": 0,
"suspicious": 0
},
"findings": {
"benign": [],
"needs_review": [],
"suspicious": []
}
},
"runtime_c2": {},
"findings": [],
"behavior_findings": [
{
"severity": "info"
}
],
"artifact_findings": []
}- This is a triage helper, not a full malware sandbox or decompiler.
- Behavioral detections are signature/heuristic based and may produce false positives or miss novel techniques.
- Network-based runtime C2 resolution (
eth_call) is best-effort and may fail due to missing indicators, RPC issues, or decoding variance. - Metadata enrichments (
SSDEEP/TLSH/TrID/Magika/Vhash) are best-effort and only appear when dependencies are present. - Do NOT rely on this as a means to ensure your safety with any java application.