Quick Glance At Lazarus Group MATA APT On Linux (PART2) Using Ghidra

We start off by analyzing main() in the decompiler view, where we see the libc function int daemon(int nochdir, int noclose). As its name suggests, this function daemonizes the process. Ghidra did not match a Function ID signature for this particular function, but the routine was fairly easy to recognize as daemonization because, on POSIX systems, it is performed as a series of syscalls. If you are familiar with the programmatic steps to daemonize in a POSIX environment, it's easy to recognize.

Quick Glance At Lazarus Group MATA APT On Linux (PART1) Using Ghidra

Here is my first look/attempt at analyzing MATA, a multi-platform APT framework attributed to the Lazarus group. This particular sample targets a Linux environment. We start with basic static analysis by running the file utility on the binary. We see the binary is in the ELF format, statically linked, stripped of symbols and compiled for x86_64. A quick look at the ELF header using the readelf utility, specifically the type field, tells us this binary is an executable (ELF type ET_EXEC).

About Me

Welcome to my blog, where I share things that are interesting to myself and hopefully useful to you. My primary focus (right now) is the engineering of ELF binary technologies, specifically file infection algorithms and techniques. However, I generally have an interest in low-level Computer Science to develop my offensive low-level computing security skillset, so my blog content, as you can imagine, can reach outside the scope of ELF binaries. TLDR; I can be all over the place (lolz).