win.play

PLAY

aka: PlayCrypt

According to PCrisk, PLAY is the name of a ransomware-type program. Malware in this category operates by encrypting data and demanding a ransom for its decryption.

After we executed a sample of this ransomware on our test machine, it encrypted files and appended a ".PLAY" extension to their filenames. For example, a file titled "1.jpg" appeared as "1.jpg.PLAY", "2.png" as "2.png.PLAY", etc. Once the encryption process was completed, PLAY created a text file named "ReadMe.txt" on the desktop.

References
2023-11-21 | adlumin | adlumin
@online{adlumin:20231121:playcrypt:a3455dc,
  author       = {adlumin},
  title        = {{PlayCrypt Ransomware-as-a-Service Expands Threat from Script Kiddies and Sophisticated Attackers}},
  organization = {adlumin},
  date         = {2023-11-21},
  url          = {https://adlumin.com/post/playcrypt-ransomware-as-a-service-expands-threat-from-script-kiddies-and-sophisticated-attackers/},
  urldate      = {2023-11-22},
  language     = {English},
}
PLAY
2023-09-12 | ANSSI | ANSSI
@techreport{anssi:20230912:fin12:b0a08e2,
  author      = {ANSSI},
  title       = {{FIN12: A Cybercriminal Group with Multiple Ransomware}},
  institution = {ANSSI},
  date        = {2023-09-12},
  url         = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2023-CTI-007.pdf},
  urldate     = {2023-09-20},
  language    = {French},
}
BlackCat Cobalt Strike Conti Hive MimiKatz Nokoyawa Ransomware PLAY Royal Ransom Ryuk SystemBC
2023-07-21 | Trendmicro | Trend Micro Research
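@comment{review: the author is a team name, not a person; the outer braces keep
  BibTeX/Biber from parsing "Trend Micro" as given names and "Research" as the surname}
@online{research:20230721:ransomware:3c5345e,
  author       = {{Trend Micro Research}},
  title        = {{Ransomware Spotlight: Play}},
  organization = {Trendmicro},
  date         = {2023-07-21},
  url          = {https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-play},
  urldate      = {2023-07-24},
  language     = {English},
}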
PLAY
2023-04-19 | Bleeping Computer | Bill Toulas
@online{toulas:20230419:march:2c99c12,
  author       = {Toulas, Bill},
  title        = {{March 2023 broke ransomware attack records with 459 incidents}},
  organization = {Bleeping Computer},
  date         = {2023-04-19},
  url          = {https://www.bleepingcomputer.com/news/security/march-2023-broke-ransomware-attack-records-with-459-incidents/},
  urldate      = {2023-04-28},
  language     = {English},
}
Clop WhiteRabbit BianLian Black Basta BlackCat LockBit MedusaLocker PLAY Royal Ransom
2023-04-19 | Symantec | Threat Hunter Team
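@comment{review: "Threat Hunter Team" is a corporate author; without the outer
  braces it would be parsed as first="Threat Hunter", last="Team" and render as
  "Team, T. H." under abbreviating styles}
@online{team:20230419:play:01359b7,
  author       = {{Threat Hunter Team}},
  title        = {{Play Ransomware Group Using New Custom Data-Gathering Tools}},
  organization = {Symantec},
  date         = {2023-04-19},
  url          = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/play-ransomware-volume-shadow-copy},
  urldate      = {2023-07-31},
  language     = {English},
}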
PLAY SystemBC
2023-03-30 | United States District Court (Eastern District of New York) | Microsoft, Fortra, HEALTH-ISAC
@techreport{microsoft:20230330:cracked:08c67c0,
  author      = {Microsoft and Fortra and HEALTH-ISAC},
  title       = {{Cracked Cobalt Strike (1:23-cv-02447)}},
  institution = {United States District Court (Eastern District of New York)},
  date        = {2023-03-30},
  url         = {https://noticeofpleadings.com/crackedcobaltstrike/files/ComplaintAndSummons/1%20-Microsoft%20Cobalt%20Strike%20-%20Complaint(907040021.9).pdf},
  urldate     = {2023-04-28},
  language    = {English},
}
Black Basta BlackCat LockBit RagnarLocker LockBit Black Basta BlackCat Cobalt Strike Cuba Emotet LockBit Mount Locker PLAY QakBot RagnarLocker Royal Ransom Zloader
2023-03-10 | Medium walmartglobaltech | Jason Reaves, Joshua Platt
@online{reaves:20230310:from:6bceb30,
  author       = {Reaves, Jason and Platt, Joshua},
  title        = {{From Royal With Love}},
  organization = {Medium walmartglobaltech},
  date         = {2023-03-10},
  url          = {https://medium.com/walmartglobaltech/from-royal-with-love-88fa05ff7f65},
  urldate      = {2023-03-13},
  language     = {English},
}
Cobalt Strike Conti PLAY Royal Ransom Somnia
2023-01-04 | Bleeping Computer | Sergiu Gatlan
@online{gatlan:20230104:rackspace:217fd72,
  author       = {Gatlan, Sergiu},
  title        = {{Rackspace confirms Play ransomware was behind recent cyberattack}},
  organization = {Bleeping Computer},
  date         = {2023-01-04},
  url          = {https://www.bleepingcomputer.com/news/security/rackspace-confirms-play-ransomware-was-behind-recent-cyberattack/},
  urldate      = {2023-01-05},
  language     = {English},
}
PLAY
2023-01-04 | Avertium | Avertium
@online{avertium:20230104:indepth:5233ed0,
  author       = {Avertium},
  title        = {{An In-Depth Look at PLAY Ransomware}},
  organization = {Avertium},
  date         = {2023-01-04},
  url          = {https://www.avertium.com/resources/threat-reports/an-in-depth-look-at-play-ransomware},
  urldate      = {2023-01-05},
  language     = {English},
}
PLAY
2022-12-28 | Orange Cyberdefense | Orange CyberSOC
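@comment{review: "Orange CyberSOC" is a team, not a person; the outer braces stop
  the name parser from treating "Orange" as a given name and "CyberSOC" as the surname}
@online{cybersoc:20221228:playing:8fd27e8,
  author       = {{Orange CyberSOC}},
  title        = {{PLAYing the game}},
  organization = {Orange Cyberdefense},
  date         = {2022-12-28},
  url          = {https://www.orangecyberdefense.com/global/blog/playing-the-game},
  urldate      = {2023-01-05},
  language     = {English},
}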
PLAY
2022-12-22 | Fortinet | Shunichi Imano, James Slaughter
@online{imano:20221222:ransomware:87594cb,
  author       = {Imano, Shunichi and Slaughter, James},
  title        = {{Ransomware Roundup – Play Ransomware}},
  organization = {Fortinet},
  date         = {2022-12-22},
  url          = {https://www.fortinet.com/blog/threat-research/ransomware-roundup-play-ransomware},
  urldate      = {2022-12-24},
  language     = {English},
}
PLAY
2022-09-08 | Sentinel LABS | Aleksandar Milenkoski, Jim Walter
@online{milenkoski:20220908:crimeware:9c7be9a,
  author       = {Milenkoski, Aleksandar and Walter, Jim},
  title        = {{Crimeware Trends | Ransomware Developers Turn to Intermittent Encryption to Evade Detection}},
  organization = {Sentinel LABS},
  date         = {2022-09-08},
  url          = {https://www.sentinelone.com/labs/crimeware-trends-ransomware-developers-turn-to-intermittent-encryption-to-evade-detection/},
  urldate      = {2022-09-10},
  language     = {English},
}
AgendaCrypt Black Basta BlackCat PLAY
2022-09-06 | Trend Micro | Don Ovid Ladores, Lucas Silva, Scott Burden, Janus Agcaoili, Ivan Nicole Chavez, Ian Kenefick, Ieriz Nicolle Gonzalez, Paul Pajares
@online{ladores:20220906:play:9f034be,
  author       = {Ladores, Don Ovid and Silva, Lucas and Burden, Scott and Agcaoili, Janus and Chavez, Ivan Nicole and Kenefick, Ian and Gonzalez, Ieriz Nicolle and Pajares, Paul},
  title        = {{Play Ransomware's Attack Playbook Similar to that of Hive, Nokoyawa}},
  organization = {Trend Micro},
  date         = {2022-09-06},
  url          = {https://www.trendmicro.com/en_us/research/22/i/play-ransomware-s-attack-playbook-unmasks-it-as-another-hive-aff.html},
  urldate      = {2022-09-07},
  language     = {English},
}
PLAY
2022-09-03 | Chuongdong blog | Chuong Dong
@online{dong:20220903:play:7d47c79,
  author       = {Dong, Chuong},
  title        = {{PLAY Ransomware}},
  organization = {Chuongdong blog},
  date         = {2022-09-03},
  url          = {https://chuongdong.com/reverse%20engineering/2022/09/03/PLAYRansomware/},
  urldate      = {2022-09-07},
  language     = {English},
}
PLAY
Yara Rules
[TLP:WHITE] win_play_auto (20230808 | Detects win.play.)
rule win_play_auto {
    // Autogenerated (yara-signator) code-sequence rule for the win.play family
    // (PLAY / PlayCrypt ransomware; see malpedia_reference below). Each
    // $sequence_N is a short run of x86 instruction bytes; `??` are YARA hex
    // wildcards that mask address-dependent operand bytes, which is why the
    // disassembly column is left blank for those instructions.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        // NOTE(review): date, malpedia_rule_date and malpedia_version carry three
        // different dates; presumably generation date, Malpedia rule-set date and
        // corpus snapshot respectively -- confirm against the yara-signator docs.
        date = "2023-12-06"
        version = "1"
        description = "Detects win.play."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.play"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // "n" in the per-sequence comments is the number of instructions in the
        // sequence; "score" is the generator's ranking, identical (100) for all
        // ten sequences here, so no single sequence is weighted above the others.
        $sequence_0 = { 0fb78d82feffff 2bc8 899570ffffff 014d84 }
            // n = 4, score = 100
            //   0fb78d82feffff       | movzx               ecx, word ptr [ebp - 0x17e]
            //   2bc8                 | sub                 ecx, eax
            //   899570ffffff         | mov                 dword ptr [ebp - 0x90], edx
            //   014d84               | add                 dword ptr [ebp - 0x7c], ecx

        $sequence_1 = { 02c1 c645c5ae 8845c3 b937030000 888556ffffff 8a45c7 c6852fffffff00 }
            // n = 7, score = 100
            //   02c1                 | add                 al, cl
            //   c645c5ae             | mov                 byte ptr [ebp - 0x3b], 0xae
            //   8845c3               | mov                 byte ptr [ebp - 0x3d], al
            //   b937030000           | mov                 ecx, 0x337
            //   888556ffffff         | mov                 byte ptr [ebp - 0xaa], al
            //   8a45c7               | mov                 al, byte ptr [ebp - 0x39]
            //   c6852fffffff00       | mov                 byte ptr [ebp - 0xd1], 0

        $sequence_2 = { 8bd8 899d88fdffff 85db 0f8483040000 8a0b 80f9e9 7409 }
            // n = 7, score = 100
            //   8bd8                 | mov                 ebx, eax
            //   899d88fdffff         | mov                 dword ptr [ebp - 0x278], ebx
            //   85db                 | test                ebx, ebx
            //   0f8483040000         | je                  0x489
            //   8a0b                 | mov                 cl, byte ptr [ebx]
            //   80f9e9               | cmp                 cl, 0xe9
            //   7409                 | je                  0xb

        // NOTE(review): this sequence (and $sequence_6 below) disassembles to
        // unlikely-looking instructions (enter with an odd frame size, fldcw,
        // loopne, pushfd), so it may have been cut from a misaligned or data
        // region of the sample rather than real code -- weigh matches accordingly.
        $sequence_3 = { c83dad3c d92b e00c 9c 0d05f0657b 4e f30f7e05???????? }
            // n = 7, score = 100
            //   c83dad3c             | enter               -0x52c3, 0x3c
            //   d92b                 | fldcw               word ptr [ebx]
            //   e00c                 | loopne              0xe
            //   9c                   | pushfd              
            //   0d05f0657b           | or                  eax, 0x7b65f005
            //   4e                   | dec                 esi
            //   f30f7e05????????     |                     

        $sequence_4 = { 7f06 81c4ab000000 83c410 e8???????? 66f1 }
            // n = 5, score = 100
            //   7f06                 | jg                  8
            //   81c4ab000000         | add                 esp, 0xab
            //   83c410               | add                 esp, 0x10
            //   e8????????           |                     
            //   66f1                 | int1                

        $sequence_5 = { a1???????? 8945bc a1???????? 0f11855cffffff 894594 f30f7e05???????? 8b45f8 }
            // n = 7, score = 100
            //   a1????????           |                     
            //   8945bc               | mov                 dword ptr [ebp - 0x44], eax
            //   a1????????           |                     
            //   0f11855cffffff       | movups              xmmword ptr [ebp - 0xa4], xmm0
            //   894594               | mov                 dword ptr [ebp - 0x6c], eax
            //   f30f7e05????????     |                     
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]

        // NOTE(review): the trailing bytes f3 0f 7e 05 (split here across
        // "f77cf30f" and "7e05") are the same bytes that open the wildcarded
        // instruction in $sequence_3 and $sequence_5, so these sequences may
        // overlap in the sample and are not fully independent evidence.
        $sequence_6 = { 91 ae 54 ce 3106 f77cf30f 7e05 }
            // n = 7, score = 100
            //   91                   | xchg                eax, ecx
            //   ae                   | scasb               al, byte ptr es:[edi]
            //   54                   | push                esp
            //   ce                   | into                
            //   3106                 | xor                 dword ptr [esi], eax
            //   f77cf30f             | idiv                dword ptr [ebx + esi*8 + 0xf]
            //   7e05                 | jle                 7

        $sequence_7 = { 8955f4 8b460c 83ec08 8d0488 8945f8 8d45f4 }
            // n = 6, score = 100
            //   8955f4               | mov                 dword ptr [ebp - 0xc], edx
            //   8b460c               | mov                 eax, dword ptr [esi + 0xc]
            //   83ec08               | sub                 esp, 8
            //   8d0488               | lea                 eax, [eax + ecx*4]
            //   8945f8               | mov                 dword ptr [ebp - 8], eax
            //   8d45f4               | lea                 eax, [ebp - 0xc]

        $sequence_8 = { 898d48fdffff 66898562fdffff 668985e6fcffff 66398d30fdffff 7634 66ff857cfcffff 8d0432 }
            // n = 7, score = 100
            //   898d48fdffff         | mov                 dword ptr [ebp - 0x2b8], ecx
            //   66898562fdffff       | mov                 word ptr [ebp - 0x29e], ax
            //   668985e6fcffff       | mov                 word ptr [ebp - 0x31a], ax
            //   66398d30fdffff       | cmp                 word ptr [ebp - 0x2d0], cx
            //   7634                 | jbe                 0x36
            //   66ff857cfcffff       | inc                 word ptr [ebp - 0x384]
            //   8d0432               | lea                 eax, [edx + esi]

        $sequence_9 = { 88852effffff 8b8548ffffff fec8 8855ad 88854dffffff 8d45e8 6689bd0cfeffff }
            // n = 7, score = 100
            //   88852effffff         | mov                 byte ptr [ebp - 0xd2], al
            //   8b8548ffffff         | mov                 eax, dword ptr [ebp - 0xb8]
            //   fec8                 | dec                 al
            //   8855ad               | mov                 byte ptr [ebp - 0x53], dl
            //   88854dffffff         | mov                 byte ptr [ebp - 0xb3], al
            //   8d45e8               | lea                 eax, [ebp - 0x18]
            //   6689bd0cfeffff       | mov                 word ptr [ebp - 0x1f4], di

    // Match threshold: at least 7 of the 10 sequences must be present, which
    // tolerates a few sequences being absent or rebuilt in other samples.
    // The size cap (389120 bytes = 380 KiB) restricts matches to small
    // binaries; per the YARA docs `filesize` is undefined when scanning process
    // memory, so the whole condition evaluates false there -- this rule is for
    // on-disk files and dumps, not live processes.
    condition:
        7 of them and filesize < 389120
}