Forum Discussion
Ransomware: Bad Rabbit - Registry key
Hi
the question is: What is the full registry key path which gets registered in regard to the "cscc" service?
The obvious answer is: HKLM\System\CurrentControlSet\Services\cscc
You find it on the analyst vm in splunk, on the malware vm. But that's not accepted.
Does anybody know what is actually expected?
4 Replies
- autom8on
Bronze III
So - I managed to work out the answer using OSINT, since the lab didn't seem to be working at the time I looked at it (August). Though, annoyingly, I didn't record specifically where I found it. The actual answer is like your obvious answer, but with another word (technically, two words added together like "TwoWords") added after "...Services\cscc\".
My notes from the time:
"Cheated. ;-p Googled and found something saying you can find it in the results of searching for "cscc registry" - however, that search returns zero hits for me... is this lab still working?".
Checking today - that search does return results which seem to include the answer you need...
- KieranRowley
Community Manager
autom8on I love the fact that you have such in depth notes going back so far!
- autom8on
Bronze III
My colleagues are less keen on my incessant lectures on the importance of keeping good notes. ;-p However, I continue to go on about it, to their annoyance. Many many times it's proved useful long after the fact to have contemporaneous notes to aid my appalling memory. I was a scientist first, and what's science if not noting down observations and the results of things for future reference? ;-)
- netcat
Silver III
So, basically it's asking for the 2nd registry key set (at least in the Splunk logs I see). And the question would be as good as: "What's the second registry key set? Include the complete hierarchy in the answer."
I have to admit that "key" is not concise, but "the path" is really confusing:
- Two keys are created in the Splunk log. (Did the author see only one? How did the other keys (five in total) end up in the registry?)
- The registry has no paths, and if you play the analogy with folders, then the entry holding a value doesn't belong to that path.
And I have to admit, I keep notes only if I think it's worth it (not straightforward), otherwise I'd just re-do. And ofc notes of general interest (e.g. event codes in Splunk).
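Since the thread turns on what the Splunk registry events actually show (keys created versus values set under the cscc service key, and which key is the "second" one), here is an added Python example, not code from the lab or from any poster, that walks Sysmon-style registry event lines and separates key creations from value writes. The event lines and the EXAMPLE_SUBKEY name are constructed for illustration and are not the lab's answer.

```python
import re
from typing import Dict, List

# Constructed sample events in Sysmon registry style (EventCode 12 = key
# created, EventCode 13 = value set) as Splunk might display them.
# EXAMPLE_SUBKEY is a placeholder, not the subkey the lab expects.
CSCC_ROOT = r"HKLM\System\CurrentControlSet\Services\cscc"
SAMPLE_EVENTS = [
    r"EventCode=12 EventType=CreateKey Image=C:\Windows\System32\services.exe "
    r"TargetObject=HKLM\System\CurrentControlSet\Services\cscc",
    r"EventCode=13 EventType=SetValue Image=C:\Windows\System32\services.exe "
    r"TargetObject=HKLM\System\CurrentControlSet\Services\cscc\ImagePath Details=EXAMPLE_IMAGE_PATH",
    r"EventCode=13 EventType=SetValue Image=C:\Windows\System32\services.exe "
    r"TargetObject=HKLM\System\CurrentControlSet\Services\cscc\Start Details=DWORD (0x00000000)",
    r"EventCode=12 EventType=CreateKey Image=C:\Windows\System32\services.exe "
    r"TargetObject=HKLM\System\CurrentControlSet\Services\cscc\EXAMPLE_SUBKEY",
    r"EventCode=13 EventType=SetValue Image=C:\Windows\System32\services.exe "
    r"TargetObject=HKLM\System\CurrentControlSet\Services\cscc\EXAMPLE_SUBKEY\Type Details=DWORD (0x00000001)",
]

# key=value pairs; a value runs until the next " word=" token or end of line,
# so values containing spaces (e.g. "DWORD (0x00000000)") survive intact.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_event(line: str) -> Dict[str, str]:
    """Split one 'key=value key=value' event line into a dict."""
    return dict(FIELD_RE.findall(line))


def keys_set_under(lines: List[str], root: str) -> List[str]:
    """Ordered, de-duplicated registry KEYS created at or below root (EventCode 12).
    Value writes (EventCode 13) are not keys and are deliberately excluded."""
    seen: List[str] = []
    for line in lines:
        ev = parse_event(line)
        target = ev.get("TargetObject", "")
        if ev.get("EventCode") == "12" and ev.get("EventType") == "CreateKey":
            if target.lower().startswith(root.lower()) and target not in seen:
                seen.append(target)
    return seen


def values_set_under(lines: List[str], root: str) -> Dict[str, List[str]]:
    """Map each key path to the value names written beneath it (EventCode 13).
    The value name is the last path component; the key is everything before it."""
    out: Dict[str, List[str]] = {}
    for line in lines:
        ev = parse_event(line)
        target = ev.get("TargetObject", "")
        if ev.get("EventCode") == "13" and target.lower().startswith(root.lower()):
            key, _, value_name = target.rpartition("\\")
            out.setdefault(key, []).append(value_name)
    return out


if __name__ == "__main__":
    for i, k in enumerate(keys_set_under(SAMPLE_EVENTS, CSCC_ROOT), 1):
        print(f"key #{i}: {k}")
    for k, vals in values_set_under(SAMPLE_EVENTS, CSCC_ROOT).items():
        print(f"{k} -> values {vals}")
```

Run against real Splunk output, the second entry of keys_set_under is the "second registry key set" netcat refers to, while values_set_under shows why a value such as ImagePath is not itself a key.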