SeDLL

Description

(Proofpoint) This DLL is used for decrypting and executing another JavaScript backdoor such as AIRBREAK. The DLL is registered by the installer using regsvr32. The DllRegisterServer export is then called, which performs checks on the commandline parameter. If the string “DR” is passed as an argument, or if the DLL is running in the active session with a username that is not “system”, the final JavaScript backdoor is decoded using a custom base64 alphabet. This backdoor has to be present in the same directory as the dll, with a “.tmp” file extension. The backdoor script is then executed using the IActiveScript and IActiveScriptParse32 COM interfaces.

Names

Name
SeDLL

Type

Loader

Information

https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets
https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html
https://www.recordedfuture.com/chinese-threat-actor-tempperiscope/

Malpedia

https://malpedia.caad.fkie.fraunhofer.de/details/win.sedll

Other Information

Uuid

caedd5d3-ee3f-4114-bc90-68648be98917

Last Card Change

2021-04-24

Threat Intelligence Garden

Explorer

SeDLL

SeDLL

Description

Names

Category

Type

Information

Malpedia

Other Information

Uuid

Last Card Change

Graph View

Table of Contents

Backlinks