win.play

PLAY

aka: PlayCrypt

According to PCrisk, PLAY is the name of a ransomware-type program. Malware categorized as such operates by encrypting data and demanding ransoms for the decryption.

After we executed a sample of this ransomware on our test machine, it encrypted files and appended their filenames with a ".PLAY" extension. For example, a file titled "1.jpg" appeared as "1.jpg.PLAY", "2.png" as "2.png.PLAY", etc. Once the encryption process was completed, PLAY created a text file named "ReadMe.txt" on the desktop.

References (date | source | author(s), followed by title and the families covered)

2023-11-21 | adlumin | adlumin
PlayCrypt Ransomware-as-a-Service Expands Threat from Script Kiddies and Sophisticated Attackers
Families: PLAY

2023-09-12 | ANSSI | ANSSI
FIN12: A Cybercriminal Group with Multiple Ransomware
Families: BlackCat, Cobalt Strike, Conti, Hive, MimiKatz, Nokoyawa Ransomware, PLAY, Royal Ransom, Ryuk, SystemBC

2023-07-21 | Trendmicro | Trend Micro Research
Ransomware Spotlight: Play
Families: PLAY

2023-04-19 | Bleeping Computer | Bill Toulas
March 2023 broke ransomware attack records with 459 incidents
Families: Clop, WhiteRabbit, BianLian, Black Basta, BlackCat, LockBit, MedusaLocker, PLAY, Royal Ransom

2023-04-19 | Symantec | Threat Hunter Team
Play Ransomware Group Using New Custom Data-Gathering Tools
Families: PLAY, SystemBC

2023-03-30 | United States District Court (Eastern District of New York) | Fortra, HEALTH-ISAC, Microsoft
Cracked Cobalt Strike (1:23-cv-02447)
Families: Black Basta, BlackCat, Cobalt Strike, Cuba, Emotet, LockBit, Mount Locker, PLAY, QakBot, RagnarLocker, Royal Ransom, Zloader

2023-03-10 | Medium walmartglobaltech | Jason Reaves, Joshua Platt
From Royal With Love
Families: Cobalt Strike, Conti, PLAY, Royal Ransom, Somnia

2023-01-04 | Bleeping Computer | Sergiu Gatlan
Rackspace confirms Play ransomware was behind recent cyberattack
Families: PLAY

2023-01-04 | Avertium | Avertium
An In-Depth Look at PLAY Ransomware
Families: PLAY

2022-12-28 | Orange Cyberdefense | Orange CyberSOC
PLAYing the game
Families: PLAY

2022-12-22 | Fortinet | James Slaughter, Shunichi Imano
Ransomware Roundup – Play Ransomware
Families: PLAY

2022-09-08 | Sentinel LABS | Aleksandar Milenkoski, Jim Walter
Crimeware Trends | Ransomware Developers Turn to Intermittent Encryption to Evade Detection
Families: AgendaCrypt, Black Basta, BlackCat, PLAY

2022-09-06 | Trend Micro | Don Ovid Ladores, Ian Kenefick, Ieriz Nicolle Gonzalez, Ivan Nicole Chavez, Janus Agcaoili, Lucas Silva, Paul Pajares, Scott Burden
Play Ransomware's Attack Playbook Similar to that of Hive, Nokoyawa
Families: PLAY

2022-09-03 | Chuongdong blog | Chuong Dong
PLAY Ransomware
Families: PLAY
Yara Rules

[TLP:WHITE] win_play_auto (20230808 | Detects win.play.)
rule win_play_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.play."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.play"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */
    strings:
        $sequence_0 = { 0fb78d82feffff 2bc8 899570ffffff 014d84 }
            // n = 4, score = 100
            //   0fb78d82feffff       | movzx               ecx, word ptr [ebp - 0x17e]
            //   2bc8                 | sub                 ecx, eax
            //   899570ffffff         | mov                 dword ptr [ebp - 0x90], edx
            //   014d84               | add                 dword ptr [ebp - 0x7c], ecx

        $sequence_1 = { 02c1 c645c5ae 8845c3 b937030000 888556ffffff 8a45c7 c6852fffffff00 }
            // n = 7, score = 100
            //   02c1                 | add                 al, cl
            //   c645c5ae             | mov                 byte ptr [ebp - 0x3b], 0xae
            //   8845c3               | mov                 byte ptr [ebp - 0x3d], al
            //   b937030000           | mov                 ecx, 0x337
            //   888556ffffff         | mov                 byte ptr [ebp - 0xaa], al
            //   8a45c7               | mov                 al, byte ptr [ebp - 0x39]
            //   c6852fffffff00       | mov                 byte ptr [ebp - 0xd1], 0

        $sequence_2 = { 8bd8 899d88fdffff 85db 0f8483040000 8a0b 80f9e9 7409 }
            // n = 7, score = 100
            //   8bd8                 | mov                 ebx, eax
            //   899d88fdffff         | mov                 dword ptr [ebp - 0x278], ebx
            //   85db                 | test                ebx, ebx
            //   0f8483040000         | je                  0x489
            //   8a0b                 | mov                 cl, byte ptr [ebx]
            //   80f9e9               | cmp                 cl, 0xe9
            //   7409                 | je                  0xb

        $sequence_3 = { c83dad3c d92b e00c 9c 0d05f0657b 4e f30f7e05???????? }
            // n = 7, score = 100
            //   c83dad3c             | enter               -0x52c3, 0x3c
            //   d92b                 | fldcw               word ptr [ebx]
            //   e00c                 | loopne              0xe
            //   9c                   | pushfd              
            //   0d05f0657b           | or                  eax, 0x7b65f005
            //   4e                   | dec                 esi
            //   f30f7e05????????     |                     

        $sequence_4 = { 7f06 81c4ab000000 83c410 e8???????? 66f1 }
            // n = 5, score = 100
            //   7f06                 | jg                  8
            //   81c4ab000000         | add                 esp, 0xab
            //   83c410               | add                 esp, 0x10
            //   e8????????           |                     
            //   66f1                 | int1                

        $sequence_5 = { a1???????? 8945bc a1???????? 0f11855cffffff 894594 f30f7e05???????? 8b45f8 }
            // n = 7, score = 100
            //   a1????????           |                     
            //   8945bc               | mov                 dword ptr [ebp - 0x44], eax
            //   a1????????           |                     
            //   0f11855cffffff       | movups              xmmword ptr [ebp - 0xa4], xmm0
            //   894594               | mov                 dword ptr [ebp - 0x6c], eax
            //   f30f7e05????????     |                     
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]

        $sequence_6 = { 91 ae 54 ce 3106 f77cf30f 7e05 }
            // n = 7, score = 100
            //   91                   | xchg                eax, ecx
            //   ae                   | scasb               al, byte ptr es:[edi]
            //   54                   | push                esp
            //   ce                   | into                
            //   3106                 | xor                 dword ptr [esi], eax
            //   f77cf30f             | idiv                dword ptr [ebx + esi*8 + 0xf]
            //   7e05                 | jle                 7

        $sequence_7 = { 8955f4 8b460c 83ec08 8d0488 8945f8 8d45f4 }
            // n = 6, score = 100
            //   8955f4               | mov                 dword ptr [ebp - 0xc], edx
            //   8b460c               | mov                 eax, dword ptr [esi + 0xc]
            //   83ec08               | sub                 esp, 8
            //   8d0488               | lea                 eax, [eax + ecx*4]
            //   8945f8               | mov                 dword ptr [ebp - 8], eax
            //   8d45f4               | lea                 eax, [ebp - 0xc]

        $sequence_8 = { 898d48fdffff 66898562fdffff 668985e6fcffff 66398d30fdffff 7634 66ff857cfcffff 8d0432 }
            // n = 7, score = 100
            //   898d48fdffff         | mov                 dword ptr [ebp - 0x2b8], ecx
            //   66898562fdffff       | mov                 word ptr [ebp - 0x29e], ax
            //   668985e6fcffff       | mov                 word ptr [ebp - 0x31a], ax
            //   66398d30fdffff       | cmp                 word ptr [ebp - 0x2d0], cx
            //   7634                 | jbe                 0x36
            //   66ff857cfcffff       | inc                 word ptr [ebp - 0x384]
            //   8d0432               | lea                 eax, [edx + esi]

        $sequence_9 = { 88852effffff 8b8548ffffff fec8 8855ad 88854dffffff 8d45e8 6689bd0cfeffff }
            // n = 7, score = 100
            //   88852effffff         | mov                 byte ptr [ebp - 0xd2], al
            //   8b8548ffffff         | mov                 eax, dword ptr [ebp - 0xb8]
            //   fec8                 | dec                 al
            //   8855ad               | mov                 byte ptr [ebp - 0x53], dl
            //   88854dffffff         | mov                 byte ptr [ebp - 0xb3], al
            //   8d45e8               | lea                 eax, [ebp - 0x18]
            //   6689bd0cfeffff       | mov                 word ptr [ebp - 0x1f4], di

    condition:
        7 of them and filesize < 389120
}