File name:

fonedog-android-toolkit.exe

Full analysis: https://app.any.run/tasks/b266ac9c-d4f5-4111-9eaf-ea809601dcda
Verdict: Malicious activity
Analysis date: January 19, 2024, 05:20:46
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

0C63EC8011864E6DE3E099AE00BBA12F

SHA1:

A63FAF5AE0B26D405B8645425C04B8EE49A20C42

SHA256:

533EDF07EE3C198AAD36C90DBC14371D4DCFC66733AB552C5EBCCEE7AFCE44D7

SSDEEP:

49152:n9YodxnjocM/xGq9jdKB5QhbkLHobYtGQKG2avPLgrBKIwU3Ev4NfW5JS/JH/4b3:OgjoxxG+4WKrAYtGQ/2u8KIK4Nfs0Rwz

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • fonedog-android-toolkit.exe (PID: 2416)
      • fonedog-android-toolkit.tmp (PID: 1392)
      • fonedog-android-toolkit-32.exe (PID: 1264)
      • fonedog-android-toolkit-32.tmp (PID: 1112)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • fonedog-android-toolkit.exe (PID: 2416)
      • fonedog-android-toolkit.tmp (PID: 1392)
      • fonedog-android-toolkit-32.exe (PID: 1264)
      • fonedog-android-toolkit-32.tmp (PID: 1112)

    • Reads the Windows owner or organization settings

      • fonedog-android-toolkit.tmp (PID: 1392)
      • fonedog-android-toolkit-32.tmp (PID: 1112)

    • Drops a system driver (possible attempt to evade defenses)

      • fonedog-android-toolkit-32.tmp (PID: 1112)

    • Process drops SQLite DLL files

      • fonedog-android-toolkit-32.tmp (PID: 1112)

    • Process drops legitimate windows executable

      • fonedog-android-toolkit-32.tmp (PID: 1112)

  • INFO

    • Checks supported languages

      • fonedog-android-toolkit.exe (PID: 2416)
      • fonedog-android-toolkit.tmp (PID: 1392)
      • fonedog-android-toolkit-32.exe (PID: 1264)
      • fonedog-android-toolkit-32.tmp (PID: 1112)

    • Create files in a temporary directory

      • fonedog-android-toolkit.exe (PID: 2416)
      • fonedog-android-toolkit.tmp (PID: 1392)
      • fonedog-android-toolkit-32.exe (PID: 1264)
      • fonedog-android-toolkit-32.tmp (PID: 1112)

    • Reads the computer name

      • fonedog-android-toolkit.tmp (PID: 1392)
      • fonedog-android-toolkit-32.tmp (PID: 1112)

    • Creates files in the program directory

      • fonedog-android-toolkit.tmp (PID: 1392)
      • fonedog-android-toolkit-32.tmp (PID: 1112)

    • Dropped object may contain TOR URL's

      • fonedog-android-toolkit-32.tmp (PID: 1112)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 EXE PECompact compressed (generic) (57)
.exe | Win32 Executable Delphi generic (19.4)
.dll | Win32 Dynamic Link Library (generic) (9)
.exe | Win32 Executable (generic) (6.1)
.exe | Win16/32 Executable Delphi generic (2.8)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2017:01:09 10:57:06+01:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 93696
InitializedDataSize: 72192
UninitializedDataSize: -
EntryPoint: 0x177f4
OSVersion: 5
ImageVersion: 6
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 2.1.20.0
ProductVersionNumber: 2.1.20.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: This installation was built with Inno Setup.
CompanyName:
FileDescription:
FileVersion: 2.1.20
LegalCopyright:
ProductName:
ProductVersion: 2.1.20
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
40
Monitored processes
5
Malicious processes
4
Suspicious processes
0

Behavior graph

Click at the process to see the details
start fonedog-android-toolkit.exe fonedog-android-toolkit.tmp fonedog-android-toolkit-32.exe fonedog-android-toolkit-32.tmp fonedog-android-toolkit.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
124"C:\Users\admin\AppData\Local\Temp\fonedog-android-toolkit.exe" C:\Users\admin\AppData\Local\Temp\fonedog-android-toolkit.exeexplorer.exe
User:
admin
Company:
Integrity Level:
MEDIUM
Description:
Exit code:
3221226540
Version:
2.1.20
Modules
Images
c:\users\admin\appdata\local\temp\fonedog-android-toolkit.exe
c:\windows\system32\ntdll.dll
1112"C:\Users\admin\AppData\Local\Temp\is-70CPQ.tmp\fonedog-android-toolkit-32.tmp" /SL5="$401A6,67004205,560128,C:\Users\admin\AppData\Local\Temp\FoneDog\FoneDog Toolkit for Android\fonedog-android-toolkit-32.exe" /user:administrator /sp- /VerySilent /LANG=us /TASKS="forallusers,desktopicon,quicklaunchicon,ceip" /DIR="C:\Program Files\FoneDog\FoneDog Toolkit - Android Data Recovery"C:\Users\admin\AppData\Local\Temp\is-70CPQ.tmp\fonedog-android-toolkit-32.tmp
fonedog-android-toolkit-32.exe
User:
admin
Integrity Level:
HIGH
Description:
Setup/Uninstall
Exit code:
0
Version:
51.1052.0.0
Modules
Images
c:\users\admin\appdata\local\temp\is-70cpq.tmp\fonedog-android-toolkit-32.tmp
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
1264"C:\Users\admin\AppData\Local\Temp\FoneDog\FoneDog Toolkit for Android\fonedog-android-toolkit-32.exe" /user:administrator /sp- /VerySilent /LANG=us /TASKS="forallusers,desktopicon,quicklaunchicon,ceip" /DIR="C:\Program Files\FoneDog\FoneDog Toolkit - Android Data Recovery"C:\Users\admin\AppData\Local\Temp\FoneDog\FoneDog Toolkit for Android\fonedog-android-toolkit-32.exe
fonedog-android-toolkit.tmp
User:
admin
Company:
FoneDog
Integrity Level:
HIGH
Description:
Exit code:
0
Version:
2.1.18
Modules
Images
c:\users\admin\appdata\local\temp\fonedog\fonedog toolkit for android\fonedog-android-toolkit-32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
1392"C:\Users\admin\AppData\Local\Temp\is-FQEAS.tmp\fonedog-android-toolkit.tmp" /SL5="$401AA,1195237,166912,C:\Users\admin\AppData\Local\Temp\fonedog-android-toolkit.exe" C:\Users\admin\AppData\Local\Temp\is-FQEAS.tmp\fonedog-android-toolkit.tmp
fonedog-android-toolkit.exe
User:
admin
Integrity Level:
HIGH
Description:
Setup/Uninstall
Exit code:
0
Version:
51.1052.0.0
Modules
Images
c:\users\admin\appdata\local\temp\is-fqeas.tmp\fonedog-android-toolkit.tmp
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
2416"C:\Users\admin\AppData\Local\Temp\fonedog-android-toolkit.exe" C:\Users\admin\AppData\Local\Temp\fonedog-android-toolkit.exe
explorer.exe
User:
admin
Company:
Integrity Level:
HIGH
Description:
Exit code:
0
Version:
2.1.20
Modules
Images
c:\users\admin\appdata\local\temp\fonedog-android-toolkit.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
Total events
634
Read events
634
Write events
0
Delete events
0

Modification events

No data
Executable files
189
Suspicious files
74
Text files
150
Unknown types
0

Dropped files

PID
Process
Filename
Type
1392fonedog-android-toolkit.tmpC:\Users\admin\AppData\Local\Temp\is-1VNTI.tmp\MessageBox.xmlxml
MD5:13E5376EF4E83858A74D87F28F100437
SHA256:7FB17F2D7DFC51FA2539BCFD0BB38760D49411B7FA7F4E40B74A096BACB4C591
2416fonedog-android-toolkit.exeC:\Users\admin\AppData\Local\Temp\is-FQEAS.tmp\fonedog-android-toolkit.tmpexecutable
MD5:E84FE8FEEEF8699F43C90AE9F28F61DF
SHA256:0273704B3AAE5EADBB85565DEFDC8848BEF98B1BD4FD46AFC041F1E244D7BC77
1392fonedog-android-toolkit.tmpC:\Users\admin\AppData\Local\Temp\is-1VNTI.tmp\MessageBox_pt.xmlxml
MD5:C945C18126B86194600AA3E539741E85
SHA256:7A9FC52FFE29F02DA9FC26C4DACBBBB267EF82C3693E3CAA4043422321FCDFC5
1392fonedog-android-toolkit.tmpC:\Users\admin\AppData\Local\Temp\is-1VNTI.tmp\skin_ja.xmlxml
MD5:9A4DC84FD80C8F426BD08F0FCBF26ECA
SHA256:925F6C515403EB127ACD887A93DD1E0511313DD4CB206A2DF8EDB88CC6486274
1392fonedog-android-toolkit.tmpC:\Users\admin\AppData\Local\Temp\is-1VNTI.tmp\affiliate_special.xmlxml
MD5:25375EE033F21800A404AF941434D873
SHA256:7AC099EDB6A7687556EE9F49A96C25CFEB92624B0A7886AC314D5EA76EE4800F
1392fonedog-android-toolkit.tmpC:\Users\admin\AppData\Local\Temp\is-1VNTI.tmp\affiliate_special_download.xmlxml
MD5:54F85E5BA114208D74FA8C726796FE2E
SHA256:A0E811BCEAF79AFCB930CC12E31A1DCB20818C5BDA40BEA0B297B2987BB8F645
1392fonedog-android-toolkit.tmpC:\Users\admin\AppData\Local\Temp\is-1VNTI.tmp\MessageBox_de.xmlxml
MD5:24CE8A30BCFFDDDA064A73BF465ADAB2
SHA256:51C3838D25EFD038E80DD10EB8145769EA31E6DB389107C8F091AD6EBA0B90E9
1392fonedog-android-toolkit.tmpC:\Users\admin\AppData\Local\Temp\is-1VNTI.tmp\affiliate.xmlxml
MD5:FBA9821ACEFB1213E2837DBB641BD156
SHA256:DAFC7FF07DBA7281E07A6578641EDE47C3E5C7A20731A0BFF06293D01D4EB8AF
1392fonedog-android-toolkit.tmpC:\Users\admin\AppData\Local\Temp\is-1VNTI.tmp\MessageBox_es.xmlxml
MD5:E1C66B6CB81959E67CC39A7AFA58AE68
SHA256:240BA7AC3435CDA0F55E6EF017DA02F43664A6C622F576CD473ED7C25186DCC6
1392fonedog-android-toolkit.tmpC:\Users\admin\AppData\Local\Temp\is-1VNTI.tmp\MessageBox_ja.xmlxml
MD5:061F98C922E414371314933B4BB8E7EF
SHA256:90FE46BAACCDBE29924630776138DE425FD712ECEE401BD09934B46997AE8675
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
11
DNS requests
3
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
4
System
192.168.100.255:137
whitelisted
1080
svchost.exe
224.0.0.252:5355
unknown
1392
fonedog-android-toolkit.tmp
52.222.214.11:443
download.fonedog.com
AMAZON-02
US
unknown
1112
fonedog-android-toolkit-32.tmp
169.62.244.178:443
reg.aokreg.com
SOFTLAYER
US
unknown

DNS requests

Domain
IP
Reputation
download.fonedog.com
  • 52.222.214.11
  • 52.222.214.47
  • 52.222.214.65
  • 52.222.214.68
unknown
reg.aokreg.com
  • 169.62.244.178
unknown

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
fonedog-android-toolkit.exe