REPLAY: Revisiting Play Ransomware Anti-Analysis Techniques

Aug. 9, 2024, 11:39 a.m.

Description

This analysis revisits the anti-analysis techniques employed by recent variants of the Play ransomware, which is known for targeting industries like healthcare and telecommunications across various regions. The report explains how the ransomware utilizes techniques like return-oriented programming (ROP), anti-disassembling tricks, junk code insertion, exploiting the Structured Exception Handling (SEH) mechanism, string obfuscation, and API hashing to hinder analysis and detection. Scripts developed by Netskope Threat Labs to aid in countering these techniques are also discussed.

Date

Published: Aug. 9, 2024, 11:19 a.m.

Created: Aug. 9, 2024, 11:19 a.m.

Modified: Aug. 9, 2024, 11:39 a.m.

Indicators

f741b66592c42e73af7adc46815cf6183765a2fb6a5f9f96cc75eaaf7dc15402

7bc87a26137cc07cabf31e6e4bcd0e514846b5dd727a29132919f2e6b317cde8

3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545

3be974b04f51296db884e46d0baf9e750a79731376d06887377bde3d6c3be6f6

Attack Patterns

Play

PlayCrypt

Play

T1009

T1059.006

T1059.001

T1497

T1140

T1027

T1059