Skip to content

ScanJnlp

Analyzes Java Network Launch Protocol (JNLP) files.

JNLP files, used by Java Web Start technology, can launch Java applications from a web browser. While facilitating legitimate applications, they can also be abused for malicious purposes such as distributing malware or executing phishing attacks.

Scanner Type: Collection

Attributes:

Name Type Description
event dict

Stores extracted data during the scan for further analysis.
Detection Use Cases
  • External Resource Reference
    • Identify JNLP files that reference external HTTP resources, particularly those not associated with trusted domains.
Known Limitations
  • Java Dependence
    • Effectiveness is contingent on the presence and version of Java installed on the target system.
Todo
  • Improve detection of obfuscated or sophisticated threats within JNLP files.
  • Extract any other potential JNLP content / headers.
References
  • File Structure
    • https://docs.oracle.com/javase/tutorial/deployment/deploymentInDepth/jnlpFileSyntax.html
  • Malicious Usage
    • https://www.forcepoint.com/blog/x-labs/java-network-launch-protocol
    • https://newtonpaul.com/analysing-fileless-malware-cobalt-strike-beacon
Source code in strelka/src/python/strelka/scanners/scan_jnlp.py 
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
class ScanJnlp(strelka.Scanner):
    """
    Analyzes Java Network Launch Protocol (JNLP) files.

    JNLP files, used by Java Web Start technology, can launch Java applications from a web browser. While facilitating
    legitimate applications, they can also be abused for malicious purposes such as distributing malware or executing
    phishing attacks.

    Scanner Type: Collection

    Attributes:
        event (dict): Stores extracted data during the scan for further analysis.

    Detection Use Cases:
        - **External Resource Reference**
            - Identify JNLP files that reference external HTTP resources, particularly those not associated with trusted
            domains.

    Known Limitations:
        - **Java Dependence**
            - Effectiveness is contingent on the presence and version of Java installed on the target system.

    Todo:
        - Improve detection of obfuscated or sophisticated threats within JNLP files.
        - Extract any other potential JNLP content / headers.

    References:
        - **File Structure**
            - https://docs.oracle.com/javase/tutorial/deployment/deploymentInDepth/jnlpFileSyntax.html
        - **Malicious Usage**
            - https://www.forcepoint.com/blog/x-labs/java-network-launch-protocol
            - https://newtonpaul.com/analysing-fileless-malware-cobalt-strike-beacon
    """

    def scan(self, data, file, options, expire_at):
        """
        Scans the given data for JNLP-related information.

        Extracts 'codebase' and 'href' attributes from JNLP and JAR tags to detect potential malicious activities.

        Args:
            data (bytes): Data of the file being scanned.
            file (File): File object being scanned.
            options (dict): Options for the scanner.
            expire_at (datetime): Expiration time of the scan result.
        """
        # Initialize variables for 'codebase' and 'href' attributes
        codebase = ""
        href = ""

        # Parse the XML to find 'jnlp' and 'jar' elements
        for elem, _ in iterate_xml_elements(data, tags=["jnlp", "jar"]):
            if elem.tag == "jnlp":
                codebase = elem.get("codebase", "").rstrip("/")
            elif elem.tag == "jar":
                href = elem.get("href", "").lstrip("/")

        # If both 'codebase' and 'href' are found, construct the full resource URL
        if codebase and href:
            self.event["resource"] = f"{codebase}/{href}"

scan(data, file, options, expire_at)

Scans the given data for JNLP-related information.

Extracts 'codebase' and 'href' attributes from JNLP and JAR tags to detect potential malicious activities.

Parameters:

Name Type Description Default
data bytes

Data of the file being scanned.

 required
file File

File object being scanned.

 required
options dict

Options for the scanner.

 required
expire_at datetime

Expiration time of the scan result.

 required
Source code in strelka/src/python/strelka/scanners/scan_jnlp.py 
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
def scan(self, data, file, options, expire_at):
    """
    Scans the given data for JNLP-related information.

    Extracts 'codebase' and 'href' attributes from JNLP and JAR tags to detect potential malicious activities.

    Args:
        data (bytes): Data of the file being scanned.
        file (File): File object being scanned.
        options (dict): Options for the scanner.
        expire_at (datetime): Expiration time of the scan result.
    """
    # Initialize variables for 'codebase' and 'href' attributes
    codebase = ""
    href = ""

    # Parse the XML to find 'jnlp' and 'jar' elements
    for elem, _ in iterate_xml_elements(data, tags=["jnlp", "jar"]):
        if elem.tag == "jnlp":
            codebase = elem.get("codebase", "").rstrip("/")
        elif elem.tag == "jar":
            href = elem.get("href", "").lstrip("/")

    # If both 'codebase' and 'href' are found, construct the full resource URL
    if codebase and href:
        self.event["resource"] = f"{codebase}/{href}"

Features

The features of this scanner are detailed below. These features represent the capabilities and the type of analysis the scanner can perform. This may include support for Indicators of Compromise (IOC), the ability to emit files for further analysis, and the presence of extended documentation for complex analysis techniques.

Feature
Support
IOC Support
Emit Files
Extended Docs
Malware Scanner
Image Thumbnails

Tastes

Strelka's file distribution system assigns scanners to files based on 'flavors' and 'tastes'. Flavors describe the type of file, typically determined by MIME types from libmagic, matches from YARA rules, or characteristics of parent files. Tastes are the criteria used within Strelka to determine which scanners are applied to which files, with positive and negative tastes defining files to be included or excluded respectively.

Source Filetype
Include / Exclude
jnlp_file

Scanner Fields

This section provides a list of fields that are extracted from the files processed by this scanner. These fields include the data elements that the scanner extracts from each file, representing the analytical results produced by the scanner. If the test file is missing or cannot be parsed, this section will not contain any data.

Field Name
Field Type
elapsed
str
flags
list
resource
str

Sample Event

Below is a sample event generated by this scanner, demonstrating the kind of output that can be expected when it processes a file. This sample is derived from a mock scan event configured in the scanner's test file. If no test file is available, this section will not display a sample event.

    test_scan_event = {
        "elapsed": 0.001,
        "flags": [],
        "resource": "https://example.com/uplib.jar",
    }