REPLAY: Revisiting Play Ransomware Anti-Analysis Techniques
Aug. 9, 2024, 11:39 a.m.
Description
This analysis revisits the anti-analysis techniques employed by recent variants of the Play ransomware, which is known for targeting industries such as healthcare and telecommunications across various regions. The report explains how the ransomware uses return-oriented programming (ROP), anti-disassembly tricks, junk code insertion, abuse of the Structured Exception Handling (SEH) mechanism, string obfuscation, and API hashing to hinder analysis and detection. Scripts developed by Netskope Threat Labs to help counter these techniques are also discussed.
Date
Published: Aug. 9, 2024, 11:19 a.m.
Created: Aug. 9, 2024, 11:19 a.m.
Modified: Aug. 9, 2024, 11:39 a.m.
Indicators
Attack Patterns
Play
PlayCrypt
T1009
T1059.006
T1059.001
T1497
T1140
T1027
T1059