REPLAY: Revisiting Play Ransomware Anti-Analysis Techniques

Aug. 9, 2024, 11:39 a.m.

Description

This analysis revisits the anti-analysis techniques employed by recent variants of the Play ransomware, a family known for targeting industries such as healthcare and telecommunications across multiple regions. The report explains how the ransomware uses return-oriented programming (ROP), anti-disassembly tricks, junk code insertion, abuse of the Windows Structured Exception Handling (SEH) mechanism, string obfuscation, and API hashing to hinder static analysis and detection. Scripts developed by Netskope Threat Labs to help counter these techniques are also discussed.
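The API-hashing technique named above hides imported function names behind hash constants, so an analyst's first task is to map those constants back to names. The following script is an added example of that mapping step; it is not one of the Netskope Threat Labs scripts and does not use Play's real hash algorithm. The hash (a ROR13-add over the ASCII name) is an assumed placeholder, the export list is constructed, and the "sample" hash constants are constructed as well, so the real algorithm and constants must be recovered from the sample before this is useful.

```python
"""Resolve API-hash constants back to export names.

Added example. The hash routine below (ROR13-add) is assumed for
illustration only and is NOT the algorithm used by Play ransomware;
recover the real one from the sample and swap `api_hash` for it.
"""
from typing import Callable, Dict, Iterable, List, Optional, Tuple

MASK32 = 0xFFFFFFFF


def ror32(value: int, count: int) -> int:
    """Rotate a 32-bit value right by `count` bits."""
    count %= 32
    return ((value >> count) | (value << (32 - count))) & MASK32


def api_hash(name: str) -> int:
    """Assumed ROR13-add hash: h = ror32(h, 13) + byte, over the ASCII name.

    Many loaders also fold in the module name or a null terminator; if the
    sample does, reproduce that exactly or nothing will resolve.
    """
    h = 0
    for b in name.encode("ascii"):
        h = (ror32(h, 13) + b) & MASK32
    return h


def build_hash_table(
    names: Iterable[str], hash_fn: Callable[[str], int] = api_hash
) -> Tuple[Dict[int, str], Dict[int, List[str]]]:
    """Hash every export name once; report collisions rather than silently
    keeping the last writer, since a collision means an ambiguous import."""
    table: Dict[int, str] = {}
    collisions: Dict[int, List[str]] = {}
    for name in names:
        h = hash_fn(name)
        if h in table and table[h] != name:
            collisions.setdefault(h, [table[h]]).append(name)
        table.setdefault(h, name)
    return table, collisions


def resolve_hashes(hashes: Iterable[int], table: Dict[int, str]) -> Dict[int, Optional[str]]:
    """Map each constant to a name, or None when no export hashes to it."""
    return {h: table.get(h) for h in hashes}


def unresolved(resolved: Dict[int, Optional[str]]) -> List[int]:
    """Constants that did not match: wrong algorithm, wrong DLL, or junk."""
    return [h for h, name in resolved.items() if name is None]


# Constructed export list; in practice dump it from the DLLs the sample loads.
EXPORT_NAMES = [
    "LoadLibraryA", "GetProcAddress", "VirtualAlloc", "VirtualProtect",
    "CreateFileW", "WriteFile", "CryptAcquireContextA", "FindFirstFileW",
    "FindNextFileW", "DeleteFileW",
]

# Constructed hash constants standing in for values read from the disassembly.
SAMPLE_HASHES = [
    0xEC0E4E8E,                 # api_hash("LoadLibraryA") under the assumed algorithm
    api_hash("GetProcAddress"),  # computed here only because no real constant is on the page
    api_hash("VirtualAlloc"),
    0xDEADBEEF,                 # constructed: matches nothing, stays unresolved
]


def main() -> None:
    table, collisions = build_hash_table(EXPORT_NAMES)
    if collisions:
        print("collisions:", {hex(h): n for h, n in collisions.items()})
    resolved = resolve_hashes(SAMPLE_HASHES, table)
    for h, name in resolved.items():
        print(f"{h:#010x} -> {name or '<unresolved>'}")
    print("unresolved:", [hex(h) for h in unresolved(resolved)])


if __name__ == "__main__":
    main()
```

Unresolved constants are the useful signal: if most of them fail to match, the assumed hash routine is wrong (a missing null terminator, a different rotate count, or an uppercase pass are common differences), and the fix is to read the hashing loop out of the sample rather than to widen the export list.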

Date

  • Created: Aug. 9, 2024, 11:19 a.m.
  • Published: Aug. 9, 2024, 11:19 a.m.
  • Modified: Aug. 9, 2024, 11:39 a.m.

Indicators (SHA-256)

  • f741b66592c42e73af7adc46815cf6183765a2fb6a5f9f96cc75eaaf7dc15402
  • 7bc87a26137cc07cabf31e6e4bcd0e514846b5dd727a29132919f2e6b317cde8
  • 3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545
  • 3be974b04f51296db884e46d0baf9e750a79731376d06887377bde3d6c3be6f6

Attack Patterns