| Field | Value |
|---|---|
| URL | https://cdn.gingersoftware.com/downloads/tinyinstaller/a/Ginger.exe |
| Full analysis | https://app.any.run/tasks/5b5f4f4c-0a03-4802-a5a0-5be40c5dd028 |
| Verdict | Malicious activity |
| Threats | Loader (generic class description): malicious software that gets onto a device in order to deliver further payloads. A loader can profile the infected system and install other threats such as trojans or stealers. Criminals usually deliver loaders through phishing e-mails and links, relying on social engineering to get users to download and run the executable; loaders also employ evasion and persistence techniques to avoid detection. |
| Analysis date | April 22, 2020, 03:57:16 |
| OS | Windows 7 Professional Service Pack 1 (build 7601, 32-bit) |
| Tags | — |
| Indicators | — |
| MD5 | 2C53DE2CE3724029FD39C464EF780C8F |
| SHA1 | 7CC7126CBB74946A972D053335FF5BAC5C398FFA |
| SHA256 | 5CEB7AB3668BF3B3955A9B0D12B4034A407FC8B5B7C46A2ED3EC3E4CC2831803 |
| SSDEEP | 3:N8cXLDB0BxKXKqoNiJOXKE5MX0dA:2cXLD/aqkqOXfSZ |
| PID | Command line | Image path | Indicators | Parent process | User | Integrity level | Exit code | Version | Company | Description |
|---|---|---|---|---|---|---|---|---|---|---|
| 676 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1004,17345928665436654335,2427945480675629373,131072 --enable-features=PasswordImport --gpu-preferences=KAAAAAAAAADgAAAgAQAAAAAAAAAAAGAAAAAAAAAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --service-request-channel-token=7894264737578978669 --mojo-platform-channel-handle=1020 --ignored=" --type=renderer " /prefetch:2 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe | admin | LOW | 0 | 75.0.3770.100 | Google LLC | Google Chrome |
| 680 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=1004,17345928665436654335,2427945480675629373,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=utility --service-request-channel-token=7988269613872025296 --mojo-platform-channel-handle=500 --ignored=" --type=renderer " /prefetch:8 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe | admin | LOW | 0 | 75.0.3770.100 | Google LLC | Google Chrome |
| 1328 | "C:\Program Files\Ginger\GingerServices\GingerServices.exe" -Embedding | C:\Program Files\Ginger\GingerServices\GingerServices.exe | — | svchost.exe | admin | MEDIUM | 0 | 3.7.227 | Ginger Software | Ginger |
| 1740 | C:\Windows\system32\MsiExec.exe -Embedding 299FA3FC63A4DCDCD7321CE022405C18 C | C:\Windows\system32\MsiExec.exe | — | msiexec.exe | admin | HIGH | 0 | 5.0.7600.16385 (win7_rtm.090713-1255) | Microsoft Corporation | Windows® installer |
| 1852 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1004,17345928665436654335,2427945480675629373,131072 --enable-features=PasswordImport --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=6020422522624108279 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2276 /prefetch:1 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe | admin | LOW | 0 | 75.0.3770.100 | Google LLC | Google Chrome |
| 1920 | regsvr32 /s "C:\Program Files\Ginger\"\secman.dll | C:\Windows\system32\regsvr32.exe | — | office.exe | admin | HIGH | 3 | 6.1.7600.16385 (win7_rtm.090713-1255) | Microsoft Corporation | Microsoft(C) Register Server |
| 2544 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1004,17345928665436654335,2427945480675629373,131072 --enable-features=PasswordImport --lang=en-US --extension-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=6050900669899155341 --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2520 /prefetch:1 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe | admin | LOW | 0 | 75.0.3770.100 | Google LLC | Google Chrome |
| 2628 | regsvr32 /s "C:\Program Files\Ginger\GingerWordAddin\GingerMSWordAddin.dll" | C:\Windows\system32\regsvr32.exe | — | office.exe | admin | HIGH | 0 | 6.1.7600.16385 (win7_rtm.090713-1255) | Microsoft Corporation | Microsoft(C) Register Server |
| 2648 | regsvr32 /s "C:\Program Files\Ginger\"\osmax.ocx | C:\Windows\system32\regsvr32.exe | — | office.exe | admin | HIGH | 3 | 6.1.7600.16385 (win7_rtm.090713-1255) | Microsoft Corporation | Microsoft(C) Register Server |
| 2656 | C:\Windows\system32\vssvc.exe | C:\Windows\system32\vssvc.exe | — | services.exe | SYSTEM | SYSTEM | 0 | 6.1.7600.16385 (win7_rtm.090713-1255) | Microsoft Corporation | Microsoft® Volume Shadow Copy Service |
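The three regsvr32 rows above (PIDs 1920, 2628, 2648) register Ginger's COM components from under C:\Program Files. Two of them carry a quoting mistake, "C:\Program Files\Ginger\"\secman.dll, where the backslash before the closing quote escapes it under Windows command-line rules, and both exit with code 3, which for regsvr32 means LoadLibrary failed; the correctly quoted GingerMSWordAddin.dll registration exits 0. The following added example (not ANY.RUN's or Ginger's code) reproduces the Windows argument splitting to show the path regsvr32 actually received and flags regsvr32 registrations of modules outside the Windows directory. The rows are transcribed from the table as constructed input, and the exit-code table is the documented regsvr32 return codes, on the assumption that the sandbox's "Exit code" column is the process exit code.

```python
"""Triage of the regsvr32 invocations in the process table above.

win_argv() implements the documented Windows command-line splitting rules
(CommandLineToArgvW): 2n backslashes before a quote become n backslashes and
the quote toggles quoting; 2n+1 backslashes before a quote become n backslashes
plus a literal quote; backslashes not followed by a quote are literal.
Added example, not ANY.RUN's or Ginger's code."""
import ntpath

# Documented regsvr32 process exit codes (assumption: the sandbox's "Exit code"
# column is the process exit code).
REGSVR32_EXIT = {
    0: "success",
    1: "invalid argument",
    2: "OleInitialize failed",
    3: "LoadLibrary failed",
    4: "GetProcAddress failed",
    5: "DllRegisterServer/DllUnregisterServer returned an error",
}

# (pid, command line, exit code): constructed input transcribed from the table above
SAMPLE_ROWS = [
    (1920, r'regsvr32 /s "C:\Program Files\Ginger\"\secman.dll', 3),
    (2628, r'regsvr32 /s "C:\Program Files\Ginger\GingerWordAddin\GingerMSWordAddin.dll"', 0),
    (2648, r'regsvr32 /s "C:\Program Files\Ginger\"\osmax.ocx', 3),
]


def win_argv(cmdline):
    """Split a command line the way CommandLineToArgvW does. The program-name
    token's special handling is omitted; it has no backslash-quote runs here."""
    args, cur, in_quotes, have_arg = [], [], False, False
    i, n = 0, len(cmdline)
    while i < n:
        c = cmdline[i]
        if c == "\\":
            j = i
            while j < n and cmdline[j] == "\\":
                j += 1
            count = j - i
            if j < n and cmdline[j] == '"':
                cur.append("\\" * (count // 2))
                if count % 2:            # odd run: the quote is escaped, not a delimiter
                    cur.append('"')
                    j += 1
            else:
                cur.append("\\" * count)  # backslashes not before a quote are literal
            have_arg, i = True, j
        elif c == '"':
            in_quotes, have_arg, i = not in_quotes, True, i + 1
        elif c in " \t" and not in_quotes:
            if have_arg:
                args.append("".join(cur))
                cur, have_arg = [], False
            i += 1
        else:
            cur.append(c)
            have_arg, i = True, i + 1
    if have_arg:
        args.append("".join(cur))
    return args


def triage_regsvr32(pid, cmdline, exit_code):
    """Return None for non-regsvr32 rows; otherwise the module path as regsvr32
    actually received it, whether it lies outside the Windows directory, whether
    quoting left a stray '"' inside it, and what the exit code means."""
    argv = win_argv(cmdline)
    if not argv or ntpath.basename(argv[0]).lower() not in ("regsvr32", "regsvr32.exe"):
        return None
    modules = [a for a in argv[1:] if not a.startswith("/")]
    module = modules[-1] if modules else None
    return {
        "pid": pid,
        "module": module,
        "outside_windows_dir": bool(module) and not module.lower().startswith("c:\\windows\\"),
        "malformed_quoting": bool(module) and '"' in module,
        "exit_meaning": REGSVR32_EXIT.get(exit_code, "unknown"),
    }


def triage_all(rows=SAMPLE_ROWS):
    """Triage every row and keep only the regsvr32 ones."""
    return [r for r in (triage_regsvr32(*row) for row in rows) if r]


if __name__ == "__main__":
    for result in triage_all():
        print(result)
```

For hunting, the pattern worth alerting on is regsvr32 loading a module from outside trusted directories or with a /i:URL scriptlet; here the registrations come from an elevated installer (parent office.exe at HIGH integrity), and the only anomaly the rows show is the quoting bug that made two of the three registrations fail.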
| PID | Process | Operation | Key | Name | Value |
|---|---|---|---|---|---|
| 3364 | chrome.exe | write | HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon | failed_count | 0 |
| 3364 | chrome.exe | write | HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon | state | 2 |
| 3364 | chrome.exe | write | HKEY_CURRENT_USER\Software\Google\Chrome\ThirdParty | StatusCodes | (empty) |
| 3364 | chrome.exe | write | HKEY_CURRENT_USER\Software\Google\Chrome\ThirdParty | StatusCodes | 01000000 |
| 3364 | chrome.exe | write | HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon | state | 1 |
| 3616 | chrome.exe | write | HKEY_CURRENT_USER\Software\Google\Chrome\BrowserExitCodes | 3364-13232001446810500 | 259 |
| 3364 | chrome.exe | write | HKEY_CURRENT_USER\Software\Google\Update\ClientState\{8A69D345-D564-463c-AFF1-A69D9E530F96} | dr | 1 |
| 3364 | chrome.exe | write | HKEY_CURRENT_USER\Software\Google\Chrome | UsageStatsInSample | 0 |
| 3364 | chrome.exe | delete value | HKEY_CURRENT_USER\Software\Google\Chrome\BrowserExitCodes | 3120-13213713943555664 | 0 |
| 3364 | chrome.exe | delete value | HKEY_CURRENT_USER\Software\Google\Chrome\BrowserExitCodes | 3364-13232001446810500 | 259 |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 3364 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\BrowserMetrics\BrowserMetrics-5E9FC0A7-D24.pma | — | — | — |
| 3364 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\a2702054-3a8c-415c-b0b7-75541ac44d26.tmp | — | — | — |
| 3364 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\000028.dbtmp | — | — | — |
| 3364 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG.old | text | — | — |
| 3364 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG.old~RFa6d1ee.TMP | text | — | — |
| 3364 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG.old | text | — | — |
| 3364 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG.old~RFa6d1ee.TMP | text | — | — |
| 3364 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\LOG.old | text | — | — |
| 3364 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\LOG.old | — | — | — |
| 3364 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\LOG.old~RFa6d356.TMP | — | — | — |
| PID | Process | Method | HTTP status | IP:port | URL | Country | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
| 3972 | Ginger.exe | GET | — | 13.225.87.129:80 | http://downloads.gingersoftware.com/TinyInstaller/manifest.xml | US | — | — | whitelisted |
| 3972 | Ginger.exe | GET | 200 | 13.225.87.129:80 | http://downloads.gingersoftware.com/TinyInstaller/manifest.xml | US | xml | 106 KB | whitelisted |
| 3972 | Ginger.exe | GET | 200 | 143.204.89.100:80 | http://cdn.gingersoftware.com/TinyInstaller/installer/images/logo.png | US | image | 6.27 KB | whitelisted |
| 3960 | Ginger.exe | GET | 200 | 104.18.21.226:80 | http://ocsp2.globalsign.com/gsalphasha2g2/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBSE1Wv4CYvTB7dm2OHrrWWWqmtnYQQU9c3VPAhQ%2BWpPOreX2laD5mnSaPcCDBdFbsuE7JHBiV4j6Q%3D%3D | US | der | 1.49 KB | whitelisted |
| 3960 | Ginger.exe | GET | 200 | 104.18.21.226:80 | http://ocsp.globalsign.com/rootr1/MEwwSjBIMEYwRDAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCCwQAAAAAAURO8DYx | US | der | 1.49 KB | whitelisted |
| 3972 | Ginger.exe | GET | 200 | 143.204.89.100:80 | http://cdn.gingersoftware.com/TinyInstaller/installer/style.css | US | text | 1.65 KB | whitelisted |
| 3972 | Ginger.exe | GET | 200 | 143.204.89.100:80 | http://cdn.gingersoftware.com/TinyInstaller/installer/tinyStart.html | US | html | 533 B | whitelisted |
| 3972 | Ginger.exe | GET | 200 | 172.217.16.131:80 | http://ocsp.pki.goog/gts1o1/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRCRjDCJxnb3nDwj%2Fxz5aZfZjgXvAQUmNH4bhDrz5vsYJ8YkBug630J%2FSsCEQDzc5EE8o4wJQgAAAAAN5Er | US | der | 472 B | whitelisted |
| 3972 | Ginger.exe | GET | 200 | 143.204.89.100:80 | http://cdn.gingersoftware.com/TinyInstaller/installer/fonts/lvnm.eot | US | eot | 55.7 KB | whitelisted |
| 3972 | Ginger.exe | GET | 200 | 143.204.89.100:80 | http://cdn.gingersoftware.com/TinyInstaller/installer/images/bg-hor.png | US | image | 55.0 KB | whitelisted |
| PID | Process | IP:port | Domain | ASN | Country | Reputation |
|---|---|---|---|---|---|---|
| 3960 | Ginger.exe | 104.18.21.226:80 | ocsp.globalsign.com | Cloudflare Inc | US | shared |
| 3972 | Ginger.exe | 95.183.2.17:443 | splunkci.gingersoftware.com | Xglobe Online LTD | US | unknown |
| 3748 | chrome.exe | 143.204.89.28:443 | cdn.gingersoftware.com | — | US | suspicious |
| 3748 | chrome.exe | 172.217.23.163:443 | clientservices.googleapis.com | Google Inc. | US | whitelisted |
| 3748 | chrome.exe | 216.58.207.36:443 | www.google.com | Google Inc. | US | whitelisted |
| 3748 | chrome.exe | 216.58.207.46:443 | sb-ssl.google.com | Google Inc. | US | whitelisted |
| 3972 | Ginger.exe | 172.217.16.131:80 | ocsp.pki.goog | Google Inc. | US | whitelisted |
| 3228 | office.exe | 95.183.2.30:80 | tr.gingersoftware.com | Xglobe Online LTD | US | unknown |
| 3228 | office.exe | 95.183.2.17:443 | splunkci.gingersoftware.com | Xglobe Online LTD | US | unknown |
| 3748 | chrome.exe | 216.58.210.13:443 | accounts.google.com | Google Inc. | US | whitelisted |
| Domain | IP | Reputation |
|---|---|---|
| cdn.gingersoftware.com | — | whitelisted |
| clientservices.googleapis.com | — | whitelisted |
| accounts.google.com | — | shared |
| www.google.com | — | malicious |
| sb-ssl.google.com | — | whitelisted |
| ssl.gstatic.com | — | whitelisted |
| tr.gingersoftware.com | — | unknown |
| splunkci.gingersoftware.com | — | unknown |
| ocsp.globalsign.com | — | whitelisted |
| downloads.gingersoftware.com | — | whitelisted |
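The HTTP, connection and DNS tables above mix three kinds of traffic: requests from the sample's own processes (Ginger.exe, office.exe) to vendor hosts, OCSP revocation checks against GlobalSign and Google CA responders, and chrome.exe background traffic to Google services. The installer manifest and UI assets are fetched over cleartext HTTP on port 80. The following added example (not ANY.RUN's or Ginger's code) separates those buckets so that only sample-attributable hosts end up on an IOC list; the rows are transcribed from the tables as constructed input with the long OCSP request paths shortened, and the process-name and OCSP-host lists are assumptions drawn from the tables.

```python
"""Network IOC triage over the HTTP, connection and DNS tables above.

Rows are constructed input transcribed from the page (OCSP paths shortened).
The bucketing logic is an added example, not ANY.RUN's or Ginger's code."""
from urllib.parse import urlsplit

# Processes attributable to the sample (assumption drawn from the process and
# traffic tables); chrome.exe traffic is the browser's own background activity.
SAMPLE_PROCS = {"Ginger.exe", "office.exe", "GingerClient.exe", "GingerServices.exe"}

# OCSP responders are CA infrastructure queried during Authenticode/TLS
# revocation checks: expected noise, not blocklist material.
OCSP_HOSTS = {"ocsp.globalsign.com", "ocsp2.globalsign.com", "ocsp.pki.goog"}

# (pid, process, method, http status, ip:port, url)
HTTP_ROWS = [
    (3972, "Ginger.exe", "GET", 200, "13.225.87.129:80",
     "http://downloads.gingersoftware.com/TinyInstaller/manifest.xml"),
    (3972, "Ginger.exe", "GET", 200, "143.204.89.100:80",
     "http://cdn.gingersoftware.com/TinyInstaller/installer/images/logo.png"),
    (3960, "Ginger.exe", "GET", 200, "104.18.21.226:80",
     "http://ocsp2.globalsign.com/gsalphasha2g2/ME0wSzBJ"),   # path shortened
    (3972, "Ginger.exe", "GET", 200, "172.217.16.131:80",
     "http://ocsp.pki.goog/gts1o1/MFIwUDBO"),                  # path shortened
    (3972, "Ginger.exe", "GET", 200, "143.204.89.100:80",
     "http://cdn.gingersoftware.com/TinyInstaller/installer/tinyStart.html"),
]

# (pid, process, ip:port, domain, sandbox reputation)
CONN_ROWS = [
    (3960, "Ginger.exe", "104.18.21.226:80", "ocsp.globalsign.com", "shared"),
    (3972, "Ginger.exe", "95.183.2.17:443", "splunkci.gingersoftware.com", "unknown"),
    (3748, "chrome.exe", "143.204.89.28:443", "cdn.gingersoftware.com", "suspicious"),
    (3748, "chrome.exe", "172.217.23.163:443", "clientservices.googleapis.com", "whitelisted"),
    (3748, "chrome.exe", "216.58.207.36:443", "www.google.com", "whitelisted"),
    (3972, "Ginger.exe", "172.217.16.131:80", "ocsp.pki.goog", "whitelisted"),
    (3228, "office.exe", "95.183.2.30:80", "tr.gingersoftware.com", "unknown"),
    (3228, "office.exe", "95.183.2.17:443", "splunkci.gingersoftware.com", "unknown"),
    (3748, "chrome.exe", "216.58.210.13:443", "accounts.google.com", "whitelisted"),
]


def split_ip_port(ip_port):
    """'1.2.3.4:443' -> ('1.2.3.4', 443)."""
    ip, _, port = ip_port.rpartition(":")
    return ip, int(port)


def triage_network(http_rows=HTTP_ROWS, conn_rows=CONN_ROWS):
    """Bucket observed endpoints: hosts the sample's own processes contacted
    (with the ip/port pairs seen), CA/OCSP hosts, hosts only the browser
    touched, and cleartext (http://) fetches made by the sample."""
    sample_hosts, ca_hosts, browser_hosts, cleartext = {}, set(), set(), []
    for _pid, proc, _method, _status, ip_port, url in http_rows:
        parts = urlsplit(url)
        host = parts.hostname
        if host in OCSP_HOSTS:
            ca_hosts.add(host)
            continue
        if proc in SAMPLE_PROCS:
            sample_hosts.setdefault(host, set()).add(split_ip_port(ip_port))
            if parts.scheme == "http":
                cleartext.append((proc, url))
        else:
            browser_hosts.add(host)
    for _pid, proc, ip_port, domain, _rep in conn_rows:
        if domain in OCSP_HOSTS:
            ca_hosts.add(domain)
            continue
        if proc in SAMPLE_PROCS:
            sample_hosts.setdefault(domain, set()).add(split_ip_port(ip_port))
        else:
            browser_hosts.add(domain)
    return {
        "sample_hosts": sample_hosts,
        "ca_hosts": ca_hosts,
        "browser_only": browser_hosts - set(sample_hosts),
        "cleartext_fetches": cleartext,
    }


if __name__ == "__main__":
    for bucket, items in triage_network().items():
        print(bucket, items)
```

Two caveats from the tables themselves: the sandbox's reputation labels are per-lookup heuristics (cdn.gingersoftware.com is "suspicious" in the connections table and "whitelisted" in the DNS table, and www.google.com is "malicious" in the DNS table), so they should not drive blocking on their own; and the Suricata alert about an executable retrieved with minimal HTTP headers refers to a download that the HTTP table above does not list, so the second-stage URL cannot be recovered from this page.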
| PID | Process | Class | Message |
|---|---|---|---|
| 3972 | Ginger.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
| 3972 | Ginger.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
| 3108 | GingerClient.exe | Potential Corporate Privacy Violation | ET POLICY Outdated Flash Version M1 |
| Process | Message |
|---|---|
| Ginger.exe | `20200422-045750.027 3.7.227 TID:03824 C E main.cpp,L#214 InitTrace(): <**************************************** START ****************************************>` |
| Ginger.exe | `20200422-045750.027 3.7.227 TID:03824 C E main.cpp,L#74 IsProcessHasAdminPreveliges(): Elevation Type: 3` |
| Ginger.exe | `20200422-045751.074 3.7.227 TID:01504 C E main.cpp,L#74 IsProcessHasAdminPreveliges(): Elevation Type: 2` |
| Ginger.exe | `20200422-045751.074 3.7.227 TID:01504 C E main.cpp,L#214 InitTrace(): <**************************************** START ****************************************>` |
| Ginger.exe | `20200422-045751.637 3.7.227 TID:01492 C E InstallApp.cpp,L#255 CInstalledApp::DetectBrowsers(): Safari detection status [0]` |
| Ginger.exe | `20200422-045751.637 3.7.227 TID:01492 C E InstallApp.cpp,L#218 CInstalledApp::DetectBrowsers(): Firefox detection status [1]` |
| Ginger.exe | `20200422-045751.637 3.7.227 TID:01492 C E InstallApp.cpp,L#197 CInstalledApp::DetectBrowsers(): Chrome detection status [1]` |
| Ginger.exe | `20200422-045751.637 3.7.227 TID:01492 C E InstallApp.cpp,L#277 CInstalledApp::DetectBrowsers(): Default browser detection status [1][IEXPLORE.EXE]` |
| Ginger.exe | `20200422-045751.637 3.7.227 TID:01492 C E InstallApp.cpp,L#237 CInstalledApp::DetectBrowsers(): Iexplore detection status [1]` |
| Ginger.exe | `20200422-045751.637 3.7.227 TID:01492 C E InstallApp.cpp,L#337 CInstalledApp::DetectMSOffice(): Office x64 [0] Affiliate[A]` |

The "Elevation Type" values are the Windows TOKEN_ELEVATION_TYPE enumeration (1 default, 2 full, 3 limited): the first instance (TID 03824) runs with a UAC-limited token and the second instance (TID 01504), which logs a fresh START, runs with a fully elevated token. That is consistent with the installer relaunching itself through a UAC prompt, and with the HIGH-integrity regsvr32 and MsiExec children in the process table.