Forum Discussion

netcat (Bronze III)
2 months ago

Ransomware: Bad Rabbit - Registry key

Hi

the question is: What is the full registry key path which gets registered in regard to the "cscc" service?

The obvious answer is: HKLM\System\CurrentControlSet\Services\cscc

You find it on the analyst vm in splunk, on the malware vm. But that's not accepted.

Does anybody know what is actually expected?

  • So - I managed to work out the answer using OSINT, since the lab didn't seem to be working at the time I looked at it (August). Though, annoyingly, I didn't record specifically where I found it. The actual answer is like your obvious answer, but with another word (technically, two words added together like "TwoWords") added after "...Services\cscc\".

    My notes from the time:

    "Cheated. ;-p  Googled and found something saying you can find it in the results of searching for "cscc registry" - however, that search returns zero hits for me... is this lab still working?". 

    Checking today - that search does return results which seem to include the answer you need...

  • So, basically it's asking for the 2nd registry key set (at least in the Splunk logs I see). And the question would be as good as: "What's the second registry key set? Include the complete hierarchy in the answer."

    I have to admit that "key" is not concise, but "the path" is really confusing:

    • Two keys are created in the Splunk log. (Did the author see only one? How did the other keys (five in total) end up in the registry?)
    • The registry has no paths, and if you play the analogy with folders, then the entry holding a value doesn't belong to that path.

    And I have to admit, I keep notes only if I think it's worth it (not straightforward), otherwise I'd just re-do. (And of course notes of general interest, e.g. event codes in Splunk.)
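    The distinction drawn above (a key-create event names a key, a value-set event names a value whose parent is the key) is what decides which "registry key" a Splunk search over Sysmon registry events is showing you. The following script is an added example, not code from the thread or the lab: it parses constructed sample lines in the shape of Sysmon registry events (EventCode 12 for key create/delete, EventCode 13 for value set, with the real Sysmon fields EventType, TargetObject and Details), derives the owning key for each event, and lists the distinct keys touched under a given service in order of first appearance, together with the value names set under each. The subkey and value names below "cscc" in the sample are placeholders, not the lab's answer.

```python
import re
from collections import OrderedDict

SERVICE_ROOT = r"HKLM\System\CurrentControlSet\Services"

# Constructed sample events in the shape of Sysmon registry events as Splunk
# indexes them (EventCode 12 = key create/delete, EventCode 13 = value set).
# "PlaceholderSubkey" / "PlaceholderValue" are placeholders for this example only.
SAMPLE_EVENTS = [
    r"EventCode=12 EventType=CreateKey TargetObject=HKLM\System\CurrentControlSet\Services\cscc",
    r"EventCode=13 EventType=SetValue TargetObject=HKLM\System\CurrentControlSet\Services\cscc\Type Details=DWORD (0x00000001)",
    r"EventCode=13 EventType=SetValue TargetObject=HKLM\System\CurrentControlSet\Services\cscc\Start Details=DWORD (0x00000000)",
    r"EventCode=12 EventType=CreateKey TargetObject=HKLM\System\CurrentControlSet\Services\cscc\PlaceholderSubkey",
    r"EventCode=13 EventType=SetValue TargetObject=HKLM\System\CurrentControlSet\Services\cscc\PlaceholderSubkey\PlaceholderValue Details=placeholder",
    r"EventCode=13 EventType=SetValue TargetObject=HKLM\System\CurrentControlSet\Services\OtherSvc\Start Details=DWORD (0x00000002)",
]

# field=value pairs; a value runs until the next " field=" token or end of line,
# so values containing spaces (e.g. "DWORD (0x00000001)") survive intact.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_event(line):
    """Split one 'field=value field=value' line into a dict."""
    return dict(FIELD_RE.findall(line))


def key_of(event):
    """Return the registry key an event belongs to.

    A SetValue event's TargetObject names a value, so its key is everything
    before the last backslash; CreateKey/DeleteKey events name the key itself.
    """
    target = event["TargetObject"]
    if event.get("EventType") == "SetValue":
        return target.rsplit("\\", 1)[0]
    return target


def keys_for_service(lines, service):
    """Distinct keys touched under Services\\<service>, in order of first
    appearance, each mapped to the list of value names set directly under it."""
    root = f"{SERVICE_ROOT}\\{service}".lower()
    keys = OrderedDict()
    for line in lines:
        ev = parse_event(line)
        key = key_of(ev)
        k = key.lower()
        # Registry key names are case-insensitive; keep only this service's subtree.
        if k != root and not k.startswith(root + "\\"):
            continue
        values = keys.setdefault(key, [])
        if ev.get("EventType") == "SetValue":
            values.append(ev["TargetObject"].rsplit("\\", 1)[1])
    return keys


if __name__ == "__main__":
    for n, (key, values) in enumerate(keys_for_service(SAMPLE_EVENTS, "cscc").items(), 1):
        print(f"key {n}: {key}  values set: {values}")
```

    Run against a real export, the numbered output makes "the second registry key set" unambiguous: it is the second distinct key, not the second event, and value names such as Type or Start are listed beside their parent key rather than counted as keys themselves.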

    • autom8on (Bronze III)

      My colleagues are less keen on my incessant lectures on the importance of keeping good notes. ;-p  However, I continue to go on about it, to their annoyance. Many many times it's proved useful long after the fact to have contemporaneous notes to aid my appalling memory. I was a scientist first, and what's science if not noting down observations and the results of things for future reference? ;-) 
