MUMU emulator is a Trojan horse (Malicious)
Detection name: Trojan.Shlem.ea
In fact, it is a very impressive program in terms of performance, and it is free.
I used it, but wondered why it is free.
I then did a lot of research, using VirusTotal and other sites.
I found that the program is malicious and uses hidden methods to steal information, making it difficult to detect.
I followed the process graph in the sandbox report from the beginning and found:
Network (IDS) alerts:
A Network Trojan was detected
Potential Corporate Privacy Violation

Sigma rule matches:
Detects a driver load from a temporary directory
Detects the load of a signed WinRing0 driver often used by threat actors, crypto miners (XMRIG) or malware for privilege escalation
Detects the creation of a service with a service binary located in a suspicious directory
Detection name and executables seen in the report:
Trojan.Shlem.ea
NemuDownloader.exe
HyperVChecker.exe
Rule matches, with author and rule set:

Driver Load From A Temporary Directory (Florian Roth, Nextron Systems; Sigma Integrated Rule Set, GitHub): detects a driver load from a temporary directory.
Vulnerable WinRing0 Driver Load (Florian Roth, Nextron Systems; Sigma Integrated Rule Set, GitHub): detects the load of a signed WinRing0 driver often used by threat actors, crypto miners (XMRIG) or malware for privilege escalation.
Service Binary in Suspicious Folder (Florian Roth, Nextron Systems, and frack113; Sigma Integrated Rule Set, GitHub): detects the creation of a service with a service binary located in a suspicious directory.

Context for the events matching Service Binary in Suspicious Folder (RuleName: T1031, T1050; Sysmon EventID 13, EventType SetValue, i.e. a registry value written by C:\Windows\system32\services.exe):

TargetObject: HKLM\System\CurrentControlSet\services\WinRing0_1_2_0\ImagePath
Details: \??\C:\Users\azure\AppData\Local\Temp\7z3B62181C\WinRing0x64.sys

TargetObject: HKLM\System\CurrentControlSet\Services\WinRing0_1_2_0\ImagePath
Details: \??\C:\Users\Bruno\AppData\Local\Temp\7z147AFBD0\WinRing0x64.sys

TargetObject: HKLM\System\CurrentControlSet\Services\WinRing0_1_2_0\ImagePath
Details: \??\%USERPROFILE%\AppData\Local\Temp\7z0DED2370\WinRing0x64.sys

All three writes point the ImagePath of the WinRing0_1_2_0 service at a WinRing0x64.sys that was extracted into a 7-Zip self-extractor directory (7zXXXXXXXX) under the user's Temp folder.
Rule text of the first match, as published:

title: Driver Load From A Temporary Directory
id: 2c4523d5-d481-4ed0-8ec3-7fbf0cb41a75
status: test
description: Detects a driver load from a temporary directory
references:
    - Internal Research
author: Florian Roth (Nextron Systems)
date: 2017-02-12
modified: 2021-11-27
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1543.003
logsource:
    category: driver_load
    product: windows
detection:
    selection:
        ImageLoaded|contains: 'Temp'
    condition: selection
falsepositives:
    - There is a relevant set of false positives depending on applications in the environment
level: high
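As an added example (editor-written; not code from the original post, from the emulator, or from the Sigma project), here are the three rule matches above re-implemented as plain Python predicates and run over constructed Sysmon-style events. The registry paths and the temp-extracted WinRing0x64.sys path are copied from the report excerpt; the EventID 6 driver-load records, the benign controls (the VendorAgent service and the vendor_monitor.sys path) and the suspicious-folder list are assumptions:

```python
"""Added example (editor-written; not from the original post, the emulator, or
the Sigma project): the three Sigma rules that matched in the report,
re-implemented as Python predicates and run over constructed Sysmon-style
events. The registry paths and the temp-extracted WinRing0x64.sys path are
copied from the report excerpt; the EventID 6 driver-load records, the benign
controls and the suspicious-folder list are assumptions."""

# Constructed Sysmon-style events. Field names follow the report's rendering.
EVENTS = [
    # EventID 13 (registry value set), copied from the report: services.exe
    # writes the ImagePath of a new service pointing into a 7-Zip SFX temp dir.
    {"EventID": 13, "EventType": "SetValue",
     "Image": r"C:\Windows\system32\services.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\services\WinRing0_1_2_0\ImagePath",
     "Details": r"\??\C:\Users\azure\AppData\Local\Temp\7z3B62181C\WinRing0x64.sys"},
    # Assumed EventID 6 (driver loaded) for the same file.
    {"EventID": 6,
     "ImageLoaded": r"C:\Users\azure\AppData\Local\Temp\7z3B62181C\WinRing0x64.sys"},
    # Assumed benign control: an OS driver loaded from System32.
    {"EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys"},
    # Assumed benign control: a service whose binary lives under Program Files.
    {"EventID": 13, "EventType": "SetValue",
     "Image": r"C:\Windows\system32\services.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\VendorAgent\ImagePath",
     "Details": r"C:\Program Files\Vendor\agent.exe"},
    # Assumed installer staging a driver from Temp: this is the false-positive
    # case the first rule's own 'falsepositives' field warns about.
    {"EventID": 6,
     "ImageLoaded": r"C:\Users\azure\AppData\Local\Temp\setup\vendor_monitor.sys"},
]

# Assumed subset of the real rule's suspicious-folder list (lower-cased).
SUSPICIOUS_SERVICE_FOLDERS = (
    "\\appdata\\local\\temp\\", "\\users\\public\\", "\\windows\\temp\\",
)


def driver_load_from_temp(ev):
    """Sigma 2c4523d5-...: logsource driver_load (Sysmon EventID 6),
    ImageLoaded|contains 'Temp'. Sigma string matching is case-insensitive."""
    return ev.get("EventID") == 6 and "temp" in ev.get("ImageLoaded", "").lower()


def winring0_driver_load(ev):
    """'Vulnerable WinRing0 Driver Load', approximated here by file name only;
    the page does not reproduce that rule's full selection."""
    name = ev.get("ImageLoaded", "").lower().rsplit("\\", 1)[-1]
    return ev.get("EventID") == 6 and name in ("winring0x64.sys", "winring0.sys")


def service_binary_in_suspicious_folder(ev):
    """'Service Binary in Suspicious Folder': a registry write to a service's
    ImagePath whose value points into a temp or user-writable directory."""
    if ev.get("EventID") != 13 or ev.get("EventType") != "SetValue":
        return False
    if not ev.get("TargetObject", "").lower().endswith("\\imagepath"):
        return False
    path = ev.get("Details", "").lower()
    return any(folder in path for folder in SUSPICIOUS_SERVICE_FOLDERS)


RULES = {
    "Driver Load From A Temporary Directory": driver_load_from_temp,
    "Vulnerable WinRing0 Driver Load": winring0_driver_load,
    "Service Binary in Suspicious Folder": service_binary_in_suspicious_folder,
}


def evaluate(events):
    """Return {rule_title: [indices of events that match]}."""
    return {title: [i for i, ev in enumerate(events) if pred(ev)]
            for title, pred in RULES.items()}


def correlate_service_to_driver_load(events):
    """Pair each suspicious service registration with a later driver load of
    the same file: [(service_name, driver_path)]. This is the triage step the
    three matches point at: one temp-extracted WinRing0x64.sys is registered
    as service WinRing0_1_2_0 and then loaded into the kernel."""
    pairs = []
    for i, ev in enumerate(events):
        if not service_binary_in_suspicious_folder(ev):
            continue
        target = ev["Details"]
        if target.startswith("\\??\\"):      # strip the NT object-manager prefix
            target = target[4:]
        service = ev["TargetObject"].split("\\")[-2]
        for later in events[i + 1:]:
            if (later.get("EventID") == 6
                    and later.get("ImageLoaded", "").lower() == target.lower()):
                pairs.append((service, later["ImageLoaded"]))
    return pairs


if __name__ == "__main__":
    for title, idx in evaluate(EVENTS).items():
        print(f"{title}: events {idx}")
    for service, path in correlate_service_to_driver_load(EVENTS):
        print(f"service {service} registered and loaded from {path}")
```

Run with python3: the three rules fire on the events the report describes, and the first rule additionally fires on the assumed installer driver staged under Temp, which is exactly the false-positive case that rule's own falsepositives field warns about. The correlation function is the check a practitioner wants before weighing these matches: it confirms that the same WinRing0x64.sys written into the service's ImagePath is then loaded from the user's Temp directory. The rule description itself says WinRing0 is "often" used by threat actors and miners, not always, so the Sigma hits are a triage lead; the network alerts and the Trojan.Shlem.ea detection are the other findings the report adds on top of them.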
Other artifacts listed in the report (two domains and a temp file):
bidevazomu.com
9C10.tmp
biggestblazer.com

Full report: https://app.any.run/tasks/dd4f9986-90d6-4b1f-9287-72543e5518d6