win.play

PLAY

aka: PlayCrypt

Ransomware

References
2023-01-04 | Bleeping Computer | Sergiu Gatlan
@online{gatlan:20230104:rackspace:217fd72, author = {Sergiu Gatlan}, title = {{Rackspace confirms Play ransomware was behind recent cyberattack}}, date = {2023-01-04}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/rackspace-confirms-play-ransomware-was-behind-recent-cyberattack/}, language = {English}, urldate = {2023-01-05} } Rackspace confirms Play ransomware was behind recent cyberattack
PLAY
2023-01-04 | Avertium | Avertium
@online{avertium:20230104:indepth:5233ed0, author = {Avertium}, title = {{An In-Depth Look at PLAY Ransomware}}, date = {2023-01-04}, organization = {Avertium}, url = {https://www.avertium.com/resources/threat-reports/an-in-depth-look-at-play-ransomware}, language = {English}, urldate = {2023-01-05} } An In-Depth Look at PLAY Ransomware
PLAY
2022-12-28 | Orange Cyberdefense | Orange CyberSOC
@online{cybersoc:20221228:playing:8fd27e8, author = {Orange CyberSOC}, title = {{PLAYing the game}}, date = {2022-12-28}, organization = {Orange Cyberdefense}, url = {https://www.orangecyberdefense.com/global/blog/playing-the-game}, language = {English}, urldate = {2023-01-05} } PLAYing the game
PLAY
2022-12-22 | Fortinet | Shunichi Imano, James Slaughter
@online{imano:20221222:ransomware:87594cb, author = {Shunichi Imano and James Slaughter}, title = {{Ransomware Roundup – Play Ransomware}}, date = {2022-12-22}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/ransomware-roundup-play-ransomware}, language = {English}, urldate = {2022-12-24} } Ransomware Roundup – Play Ransomware
PLAY
2022-09-08 | Sentinel LABS | Aleksandar Milenkoski, Jim Walter
@online{milenkoski:20220908:crimeware:9c7be9a, author = {Aleksandar Milenkoski and Jim Walter}, title = {{Crimeware Trends | Ransomware Developers Turn to Intermittent Encryption to Evade Detection}}, date = {2022-09-08}, organization = {Sentinel LABS}, url = {https://www.sentinelone.com/labs/crimeware-trends-ransomware-developers-turn-to-intermittent-encryption-to-evade-detection/}, language = {English}, urldate = {2022-09-10} } Crimeware Trends | Ransomware Developers Turn to Intermittent Encryption to Evade Detection
AgendaCrypt, Black Basta, BlackCat, PLAY
2022-09-06 | Trend Micro | Don Ovid Ladores, Lucas Silva, Scott Burden, Janus Agcaoili, Ivan Nicole Chavez, Ian Kenefick, Ieriz Nicolle Gonzalez, Paul Pajares
@online{ladores:20220906:play:9f034be, author = {Don Ovid Ladores and Lucas Silva and Scott Burden and Janus Agcaoili and Ivan Nicole Chavez and Ian Kenefick and Ieriz Nicolle Gonzalez and Paul Pajares}, title = {{Play Ransomware's Attack Playbook Similar to that of Hive, Nokoyawa}}, date = {2022-09-06}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/22/i/play-ransomware-s-attack-playbook-unmasks-it-as-another-hive-aff.html}, language = {English}, urldate = {2022-09-07} } Play Ransomware's Attack Playbook Similar to that of Hive, Nokoyawa
PLAY
2022-09-03 | Chuongdong blog | Chuong Dong
@online{dong:20220903:play:7d47c79, author = {Chuong Dong}, title = {{PLAY Ransomware}}, date = {2022-09-03}, organization = {Chuongdong blog}, url = {https://chuongdong.com/reverse%20engineering/2022/09/03/PLAYRansomware/}, language = {English}, urldate = {2022-09-07} } PLAY Ransomware
PLAY
Yara Rules
[TLP:WHITE] win_play_auto (20230125 | Detects win.play.)
rule win_play_auto {
    // Auto-generated (yara-signator) code-sequence rule for the PLAY ransomware
    // payload, Malpedia family win.play. Per the disclaimer below, the byte
    // sequences were selected from the disassembly of memory dumps and unpacked
    // files, so the rule targets unpacked code rather than packed droppers or
    // loaders; apply it to unpacked samples or dumped process memory regions.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.play."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.play"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    // Ten 32-bit x86 instruction sequences ($sequence_0 .. $sequence_9).
    // The `????????` wildcards mask the 4-byte operands of call / jmp /
    // mov-immediate instructions (opcodes e8 / e9 / b9); the disassembly column
    // is left blank for those bytes because their values are presumably
    // layout-dependent and would otherwise pin the rule to one build.
    // The "n = …, score = …" lines are generator-side annotations carried over
    // as comments; they have no effect on matching.
    strings:
        $sequence_0 = { 8845c5 8845b0 8d45d4 50 8d45dc 50 }
            // n = 6, score = 100
            //   8845c5               | mov                 byte ptr [ebp - 0x3b], al
            //   8845b0               | mov                 byte ptr [ebp - 0x50], al
            //   8d45d4               | lea                 eax, [ebp - 0x2c]
            //   50                   | push                eax
            //   8d45dc               | lea                 eax, [ebp - 0x24]
            //   50                   | push                eax

        $sequence_1 = { 48 6a01 03f8 e8???????? 83c404 807db100 }
            // n = 6, score = 100
            //   48                   | dec                 eax
            //   6a01                 | push                1
            //   03f8                 | add                 edi, eax
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   807db100             | cmp                 byte ptr [ebp - 0x4f], 0

        $sequence_2 = { 0fb6c9 0fafc8 884d90 e9???????? 8b4dc8 8d45d4 }
            // n = 6, score = 100
            //   0fb6c9               | movzx               ecx, cl
            //   0fafc8               | imul                ecx, eax
            //   884d90               | mov                 byte ptr [ebp - 0x70], cl
            //   e9????????           |                     
            //   8b4dc8               | mov                 ecx, dword ptr [ebp - 0x38]
            //   8d45d4               | lea                 eax, [ebp - 0x2c]

        $sequence_3 = { 8bf8 66c7857cffffffa678 52 b883180000 c6857effffff00 6603c8 c7852cffffff995587cf }
            // n = 7, score = 100
            //   8bf8                 | mov                 edi, eax
            //   66c7857cffffffa678     | mov    word ptr [ebp - 0x84], 0x78a6
            //   52                   | push                edx
            //   b883180000           | mov                 eax, 0x1883
            //   c6857effffff00       | mov                 byte ptr [ebp - 0x82], 0
            //   6603c8               | add                 cx, ax
            //   c7852cffffff995587cf     | mov    dword ptr [ebp - 0xd4], 0xcf875599

        $sequence_4 = { 0fb68d4cfdffff 81f9d6000000 7625 81c12affffff 660f1f840000000000 69856cfcffff3c210000 }
            // n = 6, score = 100
            //   0fb68d4cfdffff       | movzx               ecx, byte ptr [ebp - 0x2b4]
            //   81f9d6000000         | cmp                 ecx, 0xd6
            //   7625                 | jbe                 0x27
            //   81c12affffff         | add                 ecx, 0xffffff2a
            //   660f1f840000000000     | nop    word ptr [eax + eax]
            //   69856cfcffff3c210000     | imul    eax, dword ptr [ebp - 0x394], 0x213c

        $sequence_5 = { 894df8 83ec0c 66bb3439 6681fb0275 7506 81c4d8010000 83c40c }
            // n = 7, score = 100
            //   894df8               | mov                 dword ptr [ebp - 8], ecx
            //   83ec0c               | sub                 esp, 0xc
            //   66bb3439             | mov                 bx, 0x3934
            //   6681fb0275           | cmp                 bx, 0x7502
            //   7506                 | jne                 8
            //   81c4d8010000         | add                 esp, 0x1d8
            //   83c40c               | add                 esp, 0xc

        $sequence_6 = { 75eb b9???????? e8???????? 8b9588feffff b93d000000 85d2 7272 }
            // n = 7, score = 100
            //   75eb                 | jne                 0xffffffed
            //   b9????????           |                     
            //   e8????????           |                     
            //   8b9588feffff         | mov                 edx, dword ptr [ebp - 0x178]
            //   b93d000000           | mov                 ecx, 0x3d
            //   85d2                 | test                edx, edx
            //   7272                 | jb                  0x74

        $sequence_7 = { 56 57 8b7d08 e9???????? 8b1f 8d049d88d44200 8b30 }
            // n = 7, score = 100
            //   56                   | push                esi
            //   57                   | push                edi
            //   8b7d08               | mov                 edi, dword ptr [ebp + 8]
            //   e9????????           |                     
            //   8b1f                 | mov                 ebx, dword ptr [edi]
            //   8d049d88d44200       | lea                 eax, [ebx*4 + 0x42d488]
            //   8b30                 | mov                 esi, dword ptr [eax]

        $sequence_8 = { 8d4df7 83c404 03c6 8985a0fdffff 6a04 e8???????? 83c404 }
            // n = 7, score = 100
            //   8d4df7               | lea                 ecx, [ebp - 9]
            //   83c404               | add                 esp, 4
            //   03c6                 | add                 eax, esi
            //   8985a0fdffff         | mov                 dword ptr [ebp - 0x260], eax
            //   6a04                 | push                4
            //   e8????????           |                     
            //   83c404               | add                 esp, 4

        $sequence_9 = { 53 ffd0 8bf0 89b510fcffff 83feff 7513 0bc0 }
            // n = 7, score = 100
            //   53                   | push                ebx
            //   ffd0                 | call                eax
            //   8bf0                 | mov                 esi, eax
            //   89b510fcffff         | mov                 dword ptr [ebp - 0x3f0], esi
            //   83feff               | cmp                 esi, -1
            //   7513                 | jne                 0x15
            //   0bc0                 | or                  eax, eax

    // Fires when at least 7 of the 10 sequences are present AND the scanned
    // object is smaller than 389120 bytes (380 KiB). Inputs at or above that
    // size - e.g. whole-process memory dumps or padded/appended samples - are
    // never matched even if every sequence is present, so scan the unpacked
    // payload or the relevant memory region on its own. The 7-of-10 threshold
    // tolerates a few sequences changing between builds; lower it only if you
    // are willing to accept the corresponding false-positive risk.
    condition:
        7 of them and filesize < 389120
}