win.play

PLAY

aka: PlayCrypt

According to PCrisk, PLAY is a ransomware family: malware of this kind encrypts the victim's data and demands a ransom payment in exchange for decryption.

After PCrisk executed a sample of this ransomware on a test machine, it encrypted files and appended a ".PLAY" extension to their filenames. For example, a file titled "1.jpg" appeared as "1.jpg.PLAY", "2.png" as "2.png.PLAY", etc. Once the encryption process was completed, PLAY created a text file named "ReadMe.txt" on the desktop. Note that the appended extension and the ransom-note filename are observations from a single sample; they are useful triage indicators but should not be relied on as the sole basis for attribution or detection.

References
2023-04-19Bleeping ComputerBill Toulas
@online{toulas:20230419:march:2c99c12, author = {Bill Toulas}, title = {{March 2023 broke ransomware attack records with 459 incidents}}, date = {2023-04-19}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/march-2023-broke-ransomware-attack-records-with-459-incidents/}, language = {English}, urldate = {2023-04-28} } March 2023 broke ransomware attack records with 459 incidents
Clop WhiteRabbit BianLian Black Basta BlackCat LockBit MedusaLocker PLAY Royal Ransom
2023-04-19SymantecThreat Hunter Team
@online{team:20230419:play:01359b7, author = {Threat Hunter Team}, title = {{Play Ransomware Group Using New Custom Data-Gathering Tools}}, date = {2023-04-19}, organization = {Symantec}, url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/play-ransomware-volume-shadow-copy}, language = {English}, urldate = {2023-04-22} } Play Ransomware Group Using New Custom Data-Gathering Tools
PLAY
2023-03-30United States District Court (Eastern District of New York)Microsoft, Fortra, HEALTH-ISAC
@techreport{microsoft:20230330:cracked:08c67c0, author = {Microsoft and Fortra and HEALTH-ISAC}, title = {{Cracked Cobalt Strike (1:23-cv-02447)}}, date = {2023-03-30}, institution = {United States District Court (Eastern District of New York)}, url = {https://noticeofpleadings.com/crackedcobaltstrike/files/ComplaintAndSummons/1%20-Microsoft%20Cobalt%20Strike%20-%20Complaint(907040021.9).pdf}, language = {English}, urldate = {2023-04-28} } Cracked Cobalt Strike (1:23-cv-02447)
Black Basta BlackCat LockBit RagnarLocker LockBit Black Basta BlackCat Cobalt Strike Cuba Emotet LockBit Mount Locker PLAY QakBot RagnarLocker Royal Ransom Zloader
2023-03-10Medium walmartglobaltechJason Reaves, Joshua Platt
@online{reaves:20230310:from:6bceb30, author = {Jason Reaves and Joshua Platt}, title = {{From Royal With Love}}, date = {2023-03-10}, organization = {Medium walmartglobaltech}, url = {https://medium.com/walmartglobaltech/from-royal-with-love-88fa05ff7f65}, language = {English}, urldate = {2023-03-13} } From Royal With Love
Cobalt Strike Conti PLAY Royal Ransom Somnia
2023-01-04Bleeping ComputerSergiu Gatlan
@online{gatlan:20230104:rackspace:217fd72, author = {Sergiu Gatlan}, title = {{Rackspace confirms Play ransomware was behind recent cyberattack}}, date = {2023-01-04}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/rackspace-confirms-play-ransomware-was-behind-recent-cyberattack/}, language = {English}, urldate = {2023-01-05} } Rackspace confirms Play ransomware was behind recent cyberattack
PLAY
2023-01-04AvertiumAvertium
@online{avertium:20230104:indepth:5233ed0, author = {Avertium}, title = {{An In-Depth Look at PLAY Ransomware}}, date = {2023-01-04}, organization = {Avertium}, url = {https://www.avertium.com/resources/threat-reports/an-in-depth-look-at-play-ransomware}, language = {English}, urldate = {2023-01-05} } An In-Depth Look at PLAY Ransomware
PLAY
2022-12-28Orange CyberdefenseOrange CyberSOC
@online{cybersoc:20221228:playing:8fd27e8, author = {Orange CyberSOC}, title = {{PLAYing the game}}, date = {2022-12-28}, organization = {Orange Cyberdefense}, url = {https://www.orangecyberdefense.com/global/blog/playing-the-game}, language = {English}, urldate = {2023-01-05} } PLAYing the game
PLAY
2022-12-22FortinetShunichi Imano, James Slaughter
@online{imano:20221222:ransomware:87594cb, author = {Shunichi Imano and James Slaughter}, title = {{Ransomware Roundup – Play Ransomware}}, date = {2022-12-22}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/ransomware-roundup-play-ransomware}, language = {English}, urldate = {2022-12-24} } Ransomware Roundup – Play Ransomware
PLAY
2022-09-08Sentinel LABSAleksandar Milenkoski, Jim Walter
@online{milenkoski:20220908:crimeware:9c7be9a, author = {Aleksandar Milenkoski and Jim Walter}, title = {{Crimeware Trends | Ransomware Developers Turn to Intermittent Encryption to Evade Detection}}, date = {2022-09-08}, organization = {Sentinel LABS}, url = {https://www.sentinelone.com/labs/crimeware-trends-ransomware-developers-turn-to-intermittent-encryption-to-evade-detection/}, language = {English}, urldate = {2022-09-10} } Crimeware Trends | Ransomware Developers Turn to Intermittent Encryption to Evade Detection
AgendaCrypt Black Basta BlackCat PLAY
2022-09-06Trend MicroDon Ovid Ladores, Lucas Silva, Scott Burden, Janus Agcaoili, Ivan Nicole Chavez, Ian Kenefick, Ieriz Nicolle Gonzalez, Paul Pajares
@online{ladores:20220906:play:9f034be, author = {Don Ovid Ladores and Lucas Silva and Scott Burden and Janus Agcaoili and Ivan Nicole Chavez and Ian Kenefick and Ieriz Nicolle Gonzalez and Paul Pajares}, title = {{Play Ransomware's Attack Playbook Similar to that of Hive, Nokoyawa}}, date = {2022-09-06}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/22/i/play-ransomware-s-attack-playbook-unmasks-it-as-another-hive-aff.html}, language = {English}, urldate = {2022-09-07} } Play Ransomware's Attack Playbook Similar to that of Hive, Nokoyawa
PLAY
2022-09-03Chuongdong blogChuong Dong
@online{dong:20220903:play:7d47c79, author = {Chuong Dong}, title = {{PLAY Ransomware}}, date = {2022-09-03}, organization = {Chuongdong blog}, url = {https://chuongdong.com/reverse%20engineering/2022/09/03/PLAYRansomware/}, language = {English}, urldate = {2022-09-07} } PLAY Ransomware
PLAY
Yara Rules
[TLP:WHITE] win_play_auto (20230407 | Detects win.play.)
rule win_play_auto {

    // Auto-generated Malpedia signature for the PLAY (aka PlayCrypt) ransomware.
    // The string set below was extracted by YARA-Signator from the disassembly
    // of one documented sample; see the DISCLAIMER for the generalization caveat.
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-03-28"
        version = "1"
        description = "Detects win.play."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.play"
        malpedia_rule_date = "20230328"
        malpedia_hash = "9d2d75cef573c1c2d861f5197df8f563b05a305d"
        malpedia_version = "20230407"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    // Each $sequence_N is a run of consecutive x86 (32-bit, ebp/esp-relative
    // stack frame) instruction bytes. The "????" spans wildcard the 4-byte
    // relative operands of call (e8) and jmp (e9) instructions, whose values
    // depend on where the code is laid out in a given build. Because the
    // sequences come from unpacked/dumped code, match them against unpacked
    // samples or memory dumps rather than packed on-disk droppers.
    strings:
        $sequence_0 = { 6689850effffff e8???????? 8b4d88 83c40c 8b8528ffffff 83c304 68feff0000 }
            // n = 7, score = 100
            //   6689850effffff       | mov                 word ptr [ebp - 0xf2], ax
            //   e8????????           |                     
            //   8b4d88               | mov                 ecx, dword ptr [ebp - 0x78]
            //   83c40c               | add                 esp, 0xc
            //   8b8528ffffff         | mov                 eax, dword ptr [ebp - 0xd8]
            //   83c304               | add                 ebx, 4
            //   68feff0000           | push                0xfffe

        $sequence_1 = { 8945fc 53 56 57 898dc8fbffff 83ec04 }
            // n = 6, score = 100
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   53                   | push                ebx
            //   56                   | push                esi
            //   57                   | push                edi
            //   898dc8fbffff         | mov                 dword ptr [ebp - 0x438], ecx
            //   83ec04               | sub                 esp, 4

        // Looks like a path-handling helper: compares the last wide char of a
        // buffer against 0x5c ('\') and null-terminates it if so.
        $sequence_2 = { 2bca d1f9 66837c4bfe5c 7507 33c0 6689444bfe 83ec0c }
            // n = 7, score = 100
            //   2bca                 | sub                 ecx, edx
            //   d1f9                 | sar                 ecx, 1
            //   66837c4bfe5c         | cmp                 word ptr [ebx + ecx*2 - 2], 0x5c
            //   7507                 | jne                 9
            //   33c0                 | xor                 eax, eax
            //   6689444bfe           | mov                 word ptr [ebx + ecx*2 - 2], ax
            //   83ec0c               | sub                 esp, 0xc

        $sequence_3 = { 83c420 8b9530ffffff 02ca 884db9 8b8dfcfeffff 66018d9afeffff }
            // n = 6, score = 100
            //   83c420               | add                 esp, 0x20
            //   8b9530ffffff         | mov                 edx, dword ptr [ebp - 0xd0]
            //   02ca                 | add                 cl, dl
            //   884db9               | mov                 byte ptr [ebp - 0x47], cl
            //   8b8dfcfeffff         | mov                 ecx, dword ptr [ebp - 0x104]
            //   66018d9afeffff       | add                 word ptr [ebp - 0x166], cx

        $sequence_4 = { 03f0 8d4101 0fb3c3 eb1a 668b4dc2 }
            // n = 5, score = 100
            //   03f0                 | add                 esi, eax
            //   8d4101               | lea                 eax, [ecx + 1]
            //   0fb3c3               | btr                 ebx, eax
            //   eb1a                 | jmp                 0x1c
            //   668b4dc2             | mov                 cx, word ptr [ebp - 0x3e]

        // Contains an immediate constant (0x5f4863b5) stored to the stack;
        // its meaning is not established here - treat it as an opaque literal.
        $sequence_5 = { 0fb6d0 33f6 8b85d4fdffff 0fb7c0 03d0 c785b0fdffffb563485f 8a8590feffff }
            // n = 7, score = 100
            //   0fb6d0               | movzx               edx, al
            //   33f6                 | xor                 esi, esi
            //   8b85d4fdffff         | mov                 eax, dword ptr [ebp - 0x22c]
            //   0fb7c0               | movzx               eax, ax
            //   03d0                 | add                 edx, eax
            //   c785b0fdffffb563485f     | mov    dword ptr [ebp - 0x250], 0x5f4863b5
            //   8a8590feffff         | mov                 al, byte ptr [ebp - 0x170]

        $sequence_6 = { 03f7 2bc7 8bce 83e805 6a01 8985a0fdffff e8???????? }
            // n = 7, score = 100
            //   03f7                 | add                 esi, edi
            //   2bc7                 | sub                 eax, edi
            //   8bce                 | mov                 ecx, esi
            //   83e805               | sub                 eax, 5
            //   6a01                 | push                1
            //   8985a0fdffff         | mov                 dword ptr [ebp - 0x260], eax
            //   e8????????           |                     

        // Generic function epilogue (two wildcarded branches, register pops);
        // this pattern is the least specific of the set.
        $sequence_7 = { 750a e8???????? e9???????? 8b4dfc 33c0 5f 5e }
            // n = 7, score = 100
            //   750a                 | jne                 0xc
            //   e8????????           |                     
            //   e9????????           |                     
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   33c0                 | xor                 eax, eax
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi

        // Loop bounded by the constant 0x42c8 (17096 iterations); the counter
        // is compared and the loop re-entered with a backward jb.
        $sequence_8 = { 40 80c101 6689b544fdffff 3dc8420000 72eb 0fb7c3 }
            // n = 6, score = 100
            //   40                   | inc                 eax
            //   80c101               | add                 cl, 1
            //   6689b544fdffff       | mov                 word ptr [ebp - 0x2bc], si
            //   3dc8420000           | cmp                 eax, 0x42c8
            //   72eb                 | jb                  0xffffffed
            //   0fb7c3               | movzx               eax, bx

        // Compares a wide char against 0x2e ('.'), consistent with filename /
        // extension parsing.
        $sequence_9 = { e8???????? 8a458f b9fcff0000 66018d74ffffff 83c40c c0e004 66837d802e }
            // n = 7, score = 100
            //   e8????????           |                     
            //   8a458f               | mov                 al, byte ptr [ebp - 0x71]
            //   b9fcff0000           | mov                 ecx, 0xfffc
            //   66018d74ffffff       | add                 word ptr [ebp - 0x8c], cx
            //   83c40c               | add                 esp, 0xc
            //   c0e004               | shl                 al, 4
            //   66837d802e           | cmp                 word ptr [ebp - 0x80], 0x2e

    // Fires when at least 7 of the 10 sequences are present in an object
    // smaller than 389120 bytes (380 KiB). NOTE(review): in YARA, filesize is
    // only defined when scanning a file, so this condition will not match when
    // the target is a live process - scan a dump or unpacked file instead, or
    // relax the size bound if that is your use case. The size bound is derived
    // from the single documented sample and may exclude larger builds.
    condition:
        7 of them and filesize < 389120
}