Welcome to the RotaJakiro Lab walkthrough, where we'll be investigating a sophisticated Linux malware sample that has drawn attention for its unusual persistence and evasion capabilities. This malware was flagged when a company's Linux server exhibited unusual internet traffic patterns, and despite appearing as a legitimate program, it demonstrated resilience against termination attempts and kept running even after being stopped. In this analysis, we'll employ a variety of malware analysis techniques and tools to uncover how RotaJakiro operates beneath the surface. Our approach will combine both static analysis, examining the file without execution, and dynamic analysis, observing the malware's behavior in a controlled environment. We'll use tools such as Ghidra for reverse engineering, GDB/pwndbg for debugging, and Wireshark for network traffic analysis to peel back the layers of this complex threat. Throughout this walkthrough, we'll explore how the malware achieves persistence on infected systems, the mechanisms it uses to hide its presence from both users and security tools, its networking capabilities for command and control, and the anti-analysis techniques it employs to make reverse engineering more challenging.
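Before opening a sample in Ghidra or a debugger, the static side of the approach above usually starts with a quick triage pass: pin the file's identity with hashes, read the ELF header to learn architecture, file type and entry point, and pull printable strings for leads. The script below is an added example for this walkthrough, not the lab's own tooling and not derived from the RotaJakiro binary. The embedded `SAMPLE` bytes are a constructed minimal ELF64 header plus a few fake strings so that it runs offline; in practice you would pass `open(path, "rb").read()` to `triage()` instead.

```python
"""Static triage of an ELF file: hashes, header fields and printable strings.

Added example for the walkthrough intro. The SAMPLE bytes are constructed so the
script runs offline; they are not the RotaJakiro sample.
"""
import hashlib
import re
import struct

ELF_MAGIC = b"\x7fELF"
# Small lookup tables for the fields an analyst checks first.
E_TYPE = {0: "NONE", 1: "REL", 2: "EXEC", 3: "DYN", 4: "CORE"}
E_MACHINE = {0x03: "x86", 0x28: "ARM", 0x3E: "x86-64", 0xB7: "AArch64"}

# Constructed input: a 64-byte ELF64 little-endian header (no program or section
# headers) followed by a fake data blob containing two printable strings.
SAMPLE = (
    ELF_MAGIC
    + b"\x02"          # EI_CLASS  = ELFCLASS64
    + b"\x01"          # EI_DATA   = little-endian
    + b"\x01"          # EI_VERSION
    + b"\x00"          # EI_OSABI  = System V
    + b"\x00" * 8      # EI_ABIVERSION + padding
    + struct.pack(
        "<HHIQQQIHHHHHH",
        2,          # e_type      = ET_EXEC
        0x3E,       # e_machine   = x86-64
        1,          # e_version
        0x401000,   # e_entry
        64,         # e_phoff
        0,          # e_shoff     (no section header table)
        0,          # e_flags
        64,         # e_ehsize
        56,         # e_phentsize
        0,          # e_phnum
        64,         # e_shentsize
        0,          # e_shnum
        0,          # e_shstrndx
    )
    + b"\x00\x00/usr/bin/example\x00\x01\x02keep-alive\x00" + b"\xff" * 5 + b"ab\x00"
)


def parse_elf_header(data: bytes) -> dict:
    """Decode the ELF identification bytes and the fixed-size header after them."""
    if len(data) < 16 or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    endian = {1: "<", 2: ">"}[ei_data]           # EI_DATA: 1 = little, 2 = big endian
    if ei_class == 2:                             # ELFCLASS64
        fmt, size = endian + "HHIQQQIHHHHHH", 64
    elif ei_class == 1:                           # ELFCLASS32: entry/phoff/shoff are 32-bit
        fmt, size = endian + "HHIIIIIHHHHHH", 52
    else:
        raise ValueError("unknown ELF class")
    if len(data) < size:
        raise ValueError("truncated ELF header")
    (e_type, e_machine, _ver, e_entry, _phoff, _shoff, _flags,
     _ehsize, _phentsize, e_phnum, _shentsize, e_shnum, _shstrndx) = struct.unpack(fmt, data[16:size])
    return {
        "class": "ELF64" if ei_class == 2 else "ELF32",
        "endian": "LE" if ei_data == 1 else "BE",
        "type": E_TYPE.get(e_type, f"0x{e_type:x}"),
        "machine": E_MACHINE.get(e_machine, f"0x{e_machine:x}"),
        "entry": e_entry,
        "phnum": e_phnum,
        "shnum": e_shnum,
        # No section header table is typical of packed or deliberately stripped
        # binaries, which is worth noting before loading the file in Ghidra.
        "sections_stripped": e_shnum == 0,
    }


def file_hashes(data: bytes) -> dict:
    """Hashes used to pin the evidence and look the sample up in threat-intel sources."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Runs of printable ASCII, like the `strings` utility (paths, hostnames, messages)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, data)]


def triage(data: bytes) -> dict:
    """One static pass: identity (hashes), structure (header) and content hints (strings)."""
    return {
        "hashes": file_hashes(data),
        "header": parse_elf_header(data),
        "strings": extract_strings(data),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE), indent=2))
```

The header parse deliberately handles both ELF classes and both byte orders, since Linux malware families are frequently rebuilt for ARM and MIPS as well as x86-64, and the same triage step should work on any of them. Anything this pass reports (a stripped section table, suspicious paths in the strings) is only a lead to confirm in Ghidra and in the dynamic run, not a conclusion.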
The techniques we'll demonstrate are essential skills for any malware analyst facing sophisticated threats. By understanding how RotaJakiro functions, we can develop better detection and prevention strategies against similar malware in the future. Let's dive into our investigation of this Linux malware specimen and uncover its secrets.