Forum Discussion

netcat's avatar
netcat
Icon for Bronze III rankBronze III
3 months ago
Solved

Ransomware: Bad Rabbit - Registry key

Hi the question is: What is the full registry key path which gets registered in regard to the "cscc" service? The obvious answer is: HKLM\System\CurrentControlSet\Services\cscc You find it it on...
help & support
  • autom8on's avatar
    autom8on
    3 months ago

    So - I managed to work out the answer using OSINT, since the lab didn't seem to be working at the time I looked at it (August). Though, annoyingly, I didn't record specifically where I found it. The actual answer, is like your obvious answer, but with another word (technically, two words added together like "TwoWords") added after "...Services\cscc\". 

    My notes from the time:

    "Cheated. ;-p  Googled and found something saying you can find it in the results of searching for "cscc registry" - however, that search returns zero hits for me... is this lab still working?". 

    Checking today - that search does return results which seem to include the answer you need...

netcat's avatar
netcat
Icon for Bronze III rankBronze III
3 months ago

So, basically it's asking for the 2nd registry key set (at least in the Splunk logs I see). And the question would be as good as: "What's the second registry key set? Include the complete hierarchy in the answer."

I have to admin that "key" is not concise, but "the path" is really confusing:

  • Two keys are created in the Splunk log. (Did the author see only one? How did the other keys (five in total) end up in the registry?)
  • The registry has no paths, and if you play the analogy with folders than the entry holding a value doesn't belong to that path.

And I have to admit, I keep notes only if I think it's worth it (not straightforward), otherwise I'd just re-do. And ofc notes of general interest, e.g. event codes in Splunk).