Detailed Technical Analysis Report of Fox Ransomware Detailed Technical Analysis Report of Fox Ransomware
Ransomware,Malware Analysis | 08/06/2018

Detailed Technical Analysis Report of Fox Ransomware

When was the last time you checked your PC health? Do you know your PC requires a regular Check Up!!!

FOX Ransomware Overview

FOXRansom is a part of the ransomware family. This ransomware is currently targeting the Hungary Country, found by the security researcher; it encrypts the victim's machine by using AES Encryption method.

It appends the filename of the affected file by adding .FOX extension in the last. It Only targets the C Drive along with more than 20 file extensions.

This ransomware using Hidden Tear Library which is easily available on GitHub.

This ransomware doesn’t contain any ransom amount information. It drops the ransom note on the desktop. By looking at the code it seems it contains lots of bugs in the code which can be easily rectified by anyone.

Also, Read: Detailed Technical Analysis Report of Spam Campaign Delivers URSNIF Malware

Flow Chart





 Technical Analysis of FOX Ransomware

File Name: ticket.exe

MD5: 457758293DA02BB95B232ECF767246E6

File Type: .EXE

Spread Via:  Not Known Yet.


Detail Description of FOX Ransomware with Screenshots


Static Analysis

This ransomware has minimum requirement Dot Net Framework 4.5

Assembly Information

Figure 1 Assembly Information

As shown below, this ransomware has flag condition which checks whether the file already exists on the given location or not, if the file already exists on the given location, in that case, it throws an exception error of path already exist due to bugs in the code. On execution of this ransomware, it also looks for the ticket.pdf file on the system, if it founds the ticket.pdf file it attempts to launch the ticket.pdf file in pdf application viewer.

Flag Condition

Figure 2 Flag Condition


As shown below, this ransomware gathers the Username, Computer Name and targets the User Directory C:\Users; While the ransomware is running in the background it appends the affected filename with .FOX Extension.

This ransomware using the Hidden Tear Library which is easily available on the GitHub. As shown below this ransomware is using AES Encryption Method to encrypt the files.


AES Encryption

Figure 3 AES Encryption

As shown below, as per the code this ransomware is creating a random password based on predefined string and a fixed length of 15 for encrypting files and move the ransomware to a specific location with .fox extension.

Thereupon, this ransomware starts encrypting the folder based on their specific target directory, extension list, and password.

Create Password

Figure 4 Random Password

As shown below, it targets the C:\Users Directory and also drops the 2 text files (adobe.txt and winsys.txt) at the following location

Fox Original

Figure 5 Static Fixed Values

As shown above, “adobe.txt” contains the following information which is dropped by the ransomware on the user’s machine.

Adobe Content

Figure 6 Adobe Text File Contains Computer name, Username, & Password

As shown below, this ransomware encrypts the files based on the extension list. It has more than 15 file extensions list.

".txt",".doc",".docx",".xls",".xlsx",".ppt",".pptx",".odt",".jpg",".png",".csv",".sql",".mdb",".sln",".php",".asp",".aspx", ".html",".xml",".psd"

It searches an above extension in the target drive and encrypts it.

This ransomware drops READ_IT.txt in C:\users\%username%\Desktop

While opening the READ_IT.txt in notepad it shows the following message, which is written in the Hungarian language.

“Az ön gépe és fájlai zárolva lettek a FoxRansom virus által!”

English Translation: Your machine and files have been locked by FoxRansom virus!

Once the files have encrypted this ransomware it appends the filename by adding .FOX extension in the last.

Fox File Extension

Figure 7 Fox File Extension

By looking at this ransomware code and behavior process it seems that’s it currently in development. Due to currently under development, this ransomware doesn’t delete Volume Shadow Copies from the system nor it deletes the System Restore Point.

Volume Shadow Copy 

Restore Point

Figure 8 Previous Version & Restore Point






Associated File Path:






Also, Read: Detailed Technical Analysis Report of New Macro Technique Delivers Backdoor

Are you worried about your PC health?

Check your PC Health for Free!

Powered By:howtoremoveit.info Run Free Scan





× Zoom Image