{"description": "Enterprise techniques used by RotaJakiro, ATT&CK software S1078 (v1.0)", "name": "RotaJakiro (S1078)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1119", "comment": "Depending on the Linux distribution, [RotaJakiro](https://attack.mitre.org/software/S1078) executes a set of commands to collect device information and sends the collected information to the C2 server.(Citation: RotaJakiro 2021 netlab360 analysis)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1547", "showSubtechniques": true}, {"techniqueID": "T1547.013", "comment": "When executing with user-level permissions, [RotaJakiro](https://attack.mitre.org/software/S1078) can install persistence using a .desktop file under the `$HOME/.config/autostart/` folder.(Citation: RotaJakiro 2021 netlab360 analysis)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1037", "comment": "Depending on the Linux distribution and when executing with root permissions, [RotaJakiro](https://attack.mitre.org/software/S1078) may install persistence using a `.conf` file in the `/etc/init/` folder.(Citation: RotaJakiro 2021 netlab360 analysis)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1543", "showSubtechniques": true}, {"techniqueID": "T1543.002", "comment": "Depending on the Linux distribution and when executing with root permissions, [RotaJakiro](https://attack.mitre.org/software/S1078) may install persistence using a `.service` file under the `/lib/systemd/system/` folder.(Citation: RotaJakiro 2021 netlab360 analysis)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1132", "showSubtechniques": true}, {"techniqueID": "T1132.001", "comment": "[RotaJakiro](https://attack.mitre.org/software/S1078) uses ZLIB compression to compress data sent to the C2 server in the `payload` section of the network communication packet.(Citation: RotaJakiro 2021 netlab360 analysis)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1140", "comment": "[RotaJakiro](https://attack.mitre.org/software/S1078) uses the AES algorithm, bit shifts in a function called `rotate`, and an XOR cipher to decrypt resources required for persistence, process guarding, and file locking. It also performs this same function on encrypted stack strings and the `head` and `key` sections in the network packet structure used for C2 communications.(Citation: RotaJakiro 2021 netlab360 analysis)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1573", "showSubtechniques": true}, {"techniqueID": "T1573.001", "comment": "[RotaJakiro](https://attack.mitre.org/software/S1078) encrypts C2 communication using a combination of AES, XOR, ROTATE encryption, and ZLIB compression.(Citation: RotaJakiro 2021 netlab360 analysis)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1546", "showSubtechniques": true}, {"techniqueID": "T1546.004", "comment": "When executing with non-root level permissions, [RotaJakiro](https://attack.mitre.org/software/S1078) can install persistence by adding a command to the .bashrc file that executes a binary in the `${HOME}/.gvfsd/.profile/` folder.(Citation: RotaJakiro 2021 netlab360 analysis)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1041", "comment": "[RotaJakiro](https://attack.mitre.org/software/S1078) sends device and other collected data back to the C2 using the established C2 channels over TCP. (Citation: RotaJakiro 2021 netlab360 analysis)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1559", "comment": "When executing with non-root permissions, [RotaJakiro](https://attack.mitre.org/software/S1078) uses the `shmget` API to create shared memory with other known [RotaJakiro](https://attack.mitre.org/software/S1078) processes. This allows the processes to communicate with each other and share their PIDs.(Citation: RotaJakiro 2021 netlab360 analysis)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1036", "showSubtechniques": true}, {"techniqueID": "T1036.005", "comment": "[RotaJakiro](https://attack.mitre.org/software/S1078) has used the filename `systemd-daemon` in an attempt to appear legitimate.(Citation: netlab360 rotajakiro vs oceanlotus)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1106", "comment": "When executing with non-root permissions, [RotaJakiro](https://attack.mitre.org/software/S1078) uses the `shmget` API to create shared memory with other known [RotaJakiro](https://attack.mitre.org/software/S1078) processes. [RotaJakiro](https://attack.mitre.org/software/S1078) also uses the `execvp` API to help its dead process \"resurrect\".(Citation: RotaJakiro 2021 netlab360 analysis)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1095", "comment": "[RotaJakiro](https://attack.mitre.org/software/S1078) uses a custom binary protocol using a type, length, value format over TCP.(Citation: netlab360 rotajakiro vs oceanlotus)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1571", "comment": "[RotaJakiro](https://attack.mitre.org/software/S1078) uses a custom binary protocol over TCP port 443.(Citation: netlab360 rotajakiro vs oceanlotus)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1057", "comment": "[RotaJakiro](https://attack.mitre.org/software/S1078) can monitor the `/proc/[PID]` directory of known [RotaJakiro](https://attack.mitre.org/software/S1078) processes as a part of its persistence when executing with non-root permissions. If the process is found dead, it resurrects the process. [RotaJakiro](https://attack.mitre.org/software/S1078) processes can be matched to an associated advisory lock in the `/proc/locks` file to ensure it doesn't spawn more than one process.(Citation: RotaJakiro 2021 netlab360 analysis)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1129", "comment": "[RotaJakiro](https://attack.mitre.org/software/S1078) uses dynamically linked shared libraries (`.so` files) to execute additional functionality using `dlopen()` and `dlsym()`.(Citation: RotaJakiro 2021 netlab360 analysis)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1082", "comment": "[RotaJakiro](https://attack.mitre.org/software/S1078) executes a set of commands to collect device information, including `uname`. Another example is the `cat /etc/*release | uniq` command used to collect the current OS distribution.(Citation: RotaJakiro 2021 netlab360 analysis)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by RotaJakiro", "color": "#66b1ff"}]}