After a 2017 full of dime-a-dozen ransomware variants, 2018 is shaping up to be a year of dime-a-dozen crypto miners. It only takes one big crimeware actor pushing ransomware[1,2,3], however, to gently remind us that ransomware is by no means dead.

A number of articles have covered the various portions of GandCrab[6], including how to unpack it[5]. The sample discussed in the article by @_qaz_qaz is what really caught my attention, because it was using a crypter I had been following for some time and mentioned briefly in a blog post I did at work[4]. Lots of obfuscation has gone into this crypter over time, and judging by my tracking it uses a dynamic stub generator which basically takes small sections of code and either turns them into useless functions, adds useless Windows API calls, or even inserts useless opcodes between the instructions. Doing this is an easy way to defeat heuristics designed to find code reuse, and it sometimes makes writing YARA rules challenging, but it also makes the crypter more interesting because these types of crypters, if kept private, are usually used for very long periods of time.

Crypter

This particular crypter ultimately ends up decoding an unpacked PE file, together with the code that loads it, using a variant of TEA[7]. Another family recently seen using this crypter is Emotet, which was wrapped in a secondary loader full of anti-analysis checks. I haven't seen this secondary layer used in any of the other malware, so it is either a wrapper layer designed to be added to Emotet, a wrapper option in the crypter, or a separate crypter altogether used for anti-analysis purposes.

Variant TEA code converted to Python:

# Modified from https://github.com/grumdrig/tea/blob/master/tea.py
import struct

def ul(val):
    # Truncate to an unsigned 32-bit value
    return val & 0xffffffff

def test_tea(key, block, n=32, endian="!"):
    # block: 8 bytes of ciphertext, key: 16 bytes; endian is the struct byte-order prefix
    v2, v3 = struct.unpack(endian + "2L", block)
    (v6, v7, v8, v9) = struct.unpack(endian + "4L", key)
    delta, mask = 0x61c88647, 0xffffffff
    sum = 0xc6ef3720
    for round in range(n):
        v3 = ul(v3 - (ul(v2 + sum) ^ ul(v8 + 16 * v2) ^ ul(v9 + ul(v2 >> 5))))
        v4 = sum
        sum = (sum + delta) & mask
        v2 = ul(v2 - ((v3 + v4) ^ ul(v6 + 16 * v3) ^ ul(v7 + ul(v3 >> 5))))
    return struct.pack(endian + "2L", v2, v3)

Decoding example:

#Decoding first 8 bytes of data from sample: 643f8043c0b0f89cedbfc3177ab7cfe99a8e2c7fe16691f3d54fb18bc14b8f45
#>>> key
#'\xd6\xd0\x1b\x19\xac\xab+\x81Q\xa3\xfe\xf1\xcb\xab\xf3\x8a'
#>>> test[:8]
#'\xb2\xfd\xbd\x80\x1e\x96\x86n'
#>>> test_tea(key,test[:8],endian='<')
#'\xeb\x03\xc2\x0c\x00U\x8b\xec'
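As an added example (not code from the post), here is a Python 3 version of that routine together with its inverse and a buffer-level wrapper: the round structure is the TEA decryption round (the post's delta 0x61c88647 is -0x9e3779b9 mod 2^32), the inverse lets the decoder be checked by round-trip, and the wrapper assumes the sample applies the block function independently to each 8-byte block (ECB).

```python
import struct

DELTA = 0x9E3779B9   # the page's 0x61C88647 is -DELTA mod 2^32: adding it steps sum down by DELTA
MASK = 0xFFFFFFFF

# Key and first ciphertext block from the decoding example above, written out as hex.
KEY = bytes.fromhex("d6d01b19acab2b8151a3fef1cbabf38a")
FIRST_BLOCK = bytes.fromhex("b2fdbd801e96866e")


def tea_decrypt_block(key, block, rounds=32, endian="<"):
    """Same round structure as test_tea() on the page: v1, then v0, sum stepping down by DELTA."""
    v0, v1 = struct.unpack(endian + "2L", block)
    k0, k1, k2, k3 = struct.unpack(endian + "4L", key)
    total = (DELTA * rounds) & MASK          # 0xC6EF3720 for 32 rounds
    for _ in range(rounds):
        v1 = (v1 - (((v0 << 4) + k2) ^ (v0 + total) ^ ((v0 >> 5) + k3))) & MASK
        v0 = (v0 - (((v1 << 4) + k0) ^ (v1 + total) ^ ((v1 >> 5) + k1))) & MASK
        total = (total - DELTA) & MASK
    return struct.pack(endian + "2L", v0, v1)


def tea_encrypt_block(key, block, rounds=32, endian="<"):
    """Inverse of tea_decrypt_block: round-trips the decoder without needing a known plaintext."""
    v0, v1 = struct.unpack(endian + "2L", block)
    k0, k1, k2, k3 = struct.unpack(endian + "4L", key)
    total = 0
    for _ in range(rounds):
        total = (total + DELTA) & MASK
        v0 = (v0 + (((v1 << 4) + k0) ^ (v1 + total) ^ ((v1 >> 5) + k1))) & MASK
        v1 = (v1 + (((v0 << 4) + k2) ^ (v0 + total) ^ ((v0 >> 5) + k3))) & MASK
    return struct.pack(endian + "2L", v0, v1)


def tea_decrypt_buffer(key, data, endian="<"):
    """Decrypt a buffer one independent 8-byte block at a time (ECB is an assumption here;
    check the sample's decode loop for any chaining). A trailing partial block is copied
    through untouched because TEA only operates on full 8-byte blocks."""
    full = len(data) - len(data) % 8
    out = bytearray()
    for off in range(0, full, 8):
        out += tea_decrypt_block(key, data[off:off + 8], endian=endian)
    out += data[full:]
    return bytes(out)


if __name__ == "__main__":
    print(tea_decrypt_buffer(KEY, FIRST_BLOCK).hex())
```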

Crypter tracking across many families

Samples carrying this crypter have been tracked across Cerber, Emotet, GlobeImposter, Gozi, SmokeLoader, IcedID/Bokbot, a Meterpreter stager, Matrix ransomware, TrickBot, Zloader/Deloader and GandCrab (the GandCrab entry is the sample decoded above).


GandCrab C2

I previously mentioned a good writeup on GandCrab capabilities by Malwarebytes[6]. The one thing I haven't seen covered in any of the writeups so far is the C2 traffic. Taking an example from Any.Run[3], we can see a large amount of data being posted to the C2.

Inside the bot we find that the data is RC4 encrypted and then Base64 encoded.

GandCrab RC4 Data

In the first C2 session the bot sends off a bunch of system data along with the generated session keys.
Request data 1, decoded:

action=call&ip=94.242.239.162&pc_user=admin&pc_name=PC&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb=0&os_major=Windows 7 Professional&os_bit=x86&ransom_id=6361f798c4ba3647&hdd=C:FIXED_274770948096/25806807040&pub_key=BgIAAACkAABSU0ExAAgAAAEAAQCdWRGeo16TTRMqPmEWaI7MU13l7Fi/TYla4ZiwsJ82nFQ09DfYzVcE2jlChaRC/3A8sP2n3BPfdb3y1AxhBpSYNtR5aOOERjtVK4docwrvvlS5/IhkP18KEkGyVED3OPrqzcVwRaZuHcJUrLLQQQAEEyNuJWrki42EzW2yEhUYd36PtJdSqv8UG0tilod2rKAAQ8/0aHZdi8DBzFVA9MubbS1RXH3k8mm0JVgOH7Cl+r7/99thPsk8kK7yFsMGTuXPYWjfSGaOcVvzz1lEhF4/7kkVCQX1Qn2udDa+5Z+s/CxxmNSrh/3+nqEwleOKdjtTDToOOmGPTGNnC7gbKCGX&priv_key=BwIAAACkAABSU0EyAAgAAAEAAQCdWRGeo16TTRMqPmEWaI7MU13l7Fi/TYla4ZiwsJ82nFQ09DfYzVcE2jlChaRC/3A8sP2n3BPfdb3y1AxhBpSYNtR5aOOERjtVK4docwrvvlS5/IhkP18KEkGyVED3OPrqzcVwRaZuHcJUrLLQQQAEEyNuJWrki42EzW2yEhUYd36PtJdSqv8UG0tilod2rKAAQ8/0aHZdi8DBzFVA9MubbS1RXH3k8mm0JVgOH7Cl+r7/99thPsk8kK7yFsMGTuXPYWjfSGaOcVvzz1lEhF4/7kkVCQX1Qn2udDa+5Z+s/CxxmNSrh/3+nqEwleOKdjtTDToOOmGPTGNnC7gbKCGXdcgG9qEsVatTI9kjqITIdUmHdMnBkGCQYBIqVlpERXemZSqm9HRjkJu3vjCMD7sAFYLzdI+iBnVFtyEB4SsE9W/vH4mrV50TYnQZ3fgIvR8oQmYXvxOLSif2jylq3s+66VuPJSoaBvmfnBgz+k7dKDW9spnkHipY7R0JnhaGccuJZ4UhibIfIAY0gk2X9HvdgTSBURoGTQWpv6eryAKlJFjCRoUbzo05HvvKEfycc0yQgkjbzx0iBLqrt+rUN0VUCT8dfs5FuEVHhTQjR34QQQJBD2qNmYupP9t2eIebHrFVIVCZ27hidOXzQkbHFzAEzMybU2bjqDPb9fq/tOorvpVmpVX7BFTwBtW6oKqXS3luxohHlNIHdDmkq2892arrV8VYbPe1JkSQX2V8kOLo3iKSTn/ad/l3Z7oY7v4oo/kJ5Zzh4E0ru9l44bNkEkJ+zI9Xpxvpmd5IPJTSOem1EiHbo/8sijoK4WRJxHx3sLD5PUs+zx/HUYsO28NO0w6+oQ5zG4/dmDzfi94QUEy4ujOd6WA8q3qnrB1d55Go60EtN8pByYm2WGF962ZiMTW3cDMeoNfBp2q8qe8l1P2zNrNrb7xvfyH8hvcA0Wt2wgQpKrlcV6jr6lalorpp5S2E3xaCssfCg38Rxtw4Ta2njDHrLBHgOp56vF9m6/MpmbEL78gTVHYDWd87mIRSduwCqX2Xz8Gc6Roia/sriN3D8Xrss9441BA8Cgt6BvTynhFOZo6za0sblWLqEjA2WtASzIq5Aq9DqQrFi/u5/4t+T6u+LwZbEQXRd0nwRAb/p6EwMITjo08Cwu2jKxI65RrOPSkUfRdgyWIg1/w81GA7t8HN5VxtQR7R2E2dv59Uu/bqOawJ7pOxWg+ZbYWtk0D0yCbl+i+yWE2XFsnDIj1z7JQbVzAjSeorSxXgxYsglpKuVCtN+fVn1r/58oyKttjCHddAVyo3kyQaJvtnUdLJGC8FbQLyUTAcB0GRw9ubkVW3n0p3bIPTA6arFxZTOGanSVkcgjnyvt1i7o/ab
yULrEnYdSLv97XItjgG4J3v9tEar0rnVhytr4gd3j3MKhjXYfEybYjmHUme50hhjy8t3mLeIUwFNjZAtxmlfz5YKxbfupP+b/WBk2aO4T1YmM8G17fLlTTy6KfFC4xcBWT8U31nQYtPunYi9ZbVG8oSo4k=&version=1.0

Response data 1, decoded:

{REPEAT}{pub_key=BgIAAACkAABSU0ExAAgAAAEAAQCb6NRjtFGttTFLXobWpTlJmUfIv/hRNSJH5YN4t1dFW+NARNmgwRTmjS+dN9zAib2zGk6DD49xB9RuymaBZEGEzUtyJ417rBtVk+wyb9LHovt8OAHcKfDGDXTyC12JysHtUKj4iSVL48BQ4NHaFtkG9wevPqVRa2u60xlo63X73kpj5aGYc7VPCBs43+8AVIOaIBYs37dLXOu62CQ5Flgd+xnnIw8hbfTCaZ3J+X8SRC9LPhNUB/iG2lprlUh0k2RmN6+vwqYLFshLCSaoKinKhy8j1bt+o4+Oz1xFdGy1H8PDdzhM20xh175s7+JTfUvjJYvL2+KjE4qiwX88FZjF}{mask=LjFjZCwgLjNkbSwgLjNkcywgLjNmciwgLjNnMiwgLjNncCwgLjNwciwgLjd6LCAuN3ppcCwgLmFhYywgLmFiNCwgLmFiZCwgLmFjYywgLmFjY2RiLCAuYWNjZGUsIC5hY2NkciwgLmFjY2R0LCAuYWNoLCAuYWNyLCAuYWN0LCAuYWRiLCAuYWRwLCAuYWRzLCAuYWdkbCwgLmFpLCAuYWlmZiwgLmFpdCwgLmFsLCAuYW9pLCAuYXBqLCAuYXBrLCAuYXJ3LCAuYXNjeCwgLmFzZiwgLmFzbSwgLmFzcCwgLmFzcHgsIC5hc3NldCwgLmFzeCwgLmF0YiwgLmF2aSwgLmF3ZywgLmJhY2ssIC5iYWNrdXAsIC5iYWNrdXBkYiwgLmJhaywgLmJhbmssIC5iYXksIC5iZGIsIC5iZ3QsIC5iaWssIC5iaW4sIC5ia3AsIC5ibGVuZCwgLmJtcCwgLmJwdywgLmJzYSwgLmMsIC5jYXNoLCAuY2RiLCAuY2RmLCAuY2RyLCAuY2RyMywgLmNkcjQsIC5jZHI1LCAuY2RyNiwgLmNkcncsIC5jZHgsIC5jZTEsIC5jZTIsIC5jZXIsIC5jZmcsIC5jZm4sIC5jZ20sIC5jaWIsIC5jbGFzcywgLmNscywgLmNtdCwgLmNvbmZpZywgLmNvbnRhY3QsIC5jcGksIC5jcHAsIC5jcjIsIC5jcmF3LCAuY3J0LCAuY3J3LCAuY3J5LCAuY3MsIC5jc2gsIC5jc2wsIC5jc3MsIC5jc3YsIC5kM2Ric3AsIC5kYWMsIC5kYXMsIC5kYXQsIC5kYiwgLmRiX2pvdXJuYWwsIC5kYjMsIC5kYmYsIC5kYngsIC5kYzIsIC5kY3IsIC5kY3MsIC5kZGQsIC5kZG9jLCAuZGRydywgLmRkcywgLmRlZiwgLmRlciwgLmRlcywgLmRlc2lnbiwgLmRnYywgLmRnbiwgLmRpdCwgLmRqdnUsIC5kbmcsIC5kb2MsIC5kb2NtLCAuZG9jeCwgLmRvdCwgLmRvdG0sIC5kb3R4LCAuZHJmLCAuZHJ3LCAuZHRkLCAuZHdnLCAuZHhiLCAuZHhmLCAuZHhnLCAuZWRiLCAuZW1sLCAuZXBzLCAuZXJic3FsLCAuZXJmLCAuZXhmLCAuZmRiLCAuZmZkLCAuZmZmLCAuZmgsIC5maGQsIC5mbGEsIC5mbGFjLCAuZmxiLCAuZmxmLCAuZmx2LCAuZmx2diwgLmZvcmdlLCAuZnB4LCAuZnhnLCAuZ2JyLCAuZ2hvLCAuZ2lmLCAuZ3JheSwgLmdyZXksIC5ncm91cHMsIC5ncnksIC5oLCAuaGJrLCAuaGRkLCAuaHBwLCAuaHRtbCwgLmliYW5rLCAuaWJkLCAuaWJ6LCAuaWR4LCAuaWlmLCAuaWlxLCAuaW5jcGFzLCAuaW5kZCwgLmluZm8sIC5pbmZvXywgLmluaSwgLml3aSwgLmphciwgLmphdmEsIC5qbnQsIC5qcGUsIC5qcGVnLCAuanBnLCAuanMsIC5qc29uLCAuazJwLCAua2MyLCAua2RieCwgLmtkYywgLmtleSwgLmtwZHgs
IC5rd20sIC5sYWNjZGIsIC5sYmYsIC5sY2ssIC5sZGYsIC5saXQsIC5saXRlbW9kLCAubGl0ZXNxbCwgLmxvY2ssIC5sb2csIC5sdHgsIC5sdWEsIC5tLCAubTJ0cywgLm0zdSwgLm00YSwgLm00cCwgLm00diwgLm1hLCAubWFiLCAubWFwaW1haWwsIC5tYXgsIC5tYngsIC5tZCwgLm1kYiwgLm1kYywgLm1kZiwgLm1lZiwgLm1mdywgLm1pZCwgLm1rdiwgLm1sYiwgLm1tdywgLm1ueSwgLm1vbmV5LCAubW9uZXl3ZWxsLCAubW9zLCAubW92LCAubXAzLCAubXA0LCAubXBlZywgLm1wZywgLm1ydywgLm1zZiwgLm1zZywgLm15ZCwgLm5kLCAubmRkLCAubmRmLCAubmVmLCAubmsyLCAubm9wLCAubnJ3LCAubnMyLCAubnMzLCAubnM0LCAubnNkLCAubnNmLCAubnNnLCAubnNoLCAubnZyYW0sIC5ud2IsIC5ueDIsIC5ueGwsIC5ueWYsIC5vYWIsIC5vYmosIC5vZGIsIC5vZGMsIC5vZGYsIC5vZGcsIC5vZG0sIC5vZHAsIC5vZHMsIC5vZHQsIC5vZ2csIC5vaWwsIC5vbWcsIC5vbmUsIC5vcmYsIC5vc3QsIC5vdGcsIC5vdGgsIC5vdHAsIC5vdHMsIC5vdHQsIC5wMTIsIC5wN2IsIC5wN2MsIC5wYWIsIC5wYWdlcywgLnBhcywgLnBhdCwgLnBiZiwgLnBjZCwgLnBjdCwgLnBkYiwgLnBkZCwgLnBkZiwgLnBlZiwgLnBlbSwgLnBmeCwgLnBocCwgLnBpZiwgLnBsLCAucGxjLCAucGx1c19tdWhkLCAucG0hLCAucG0sIC5wbWksIC5wbWosIC5wbWwsIC5wbW0sIC5wbW8sIC5wbXIsIC5wbmMsIC5wbmQsIC5wbmcsIC5wbngsIC5wb3QsIC5wb3RtLCAucG90eCwgLnBwYW0sIC5wcHMsIC5wcHNtLCAucHBzeCwucHB0LCAucHB0bSwgLnBwdHgsIC5wcmYsIC5wcml2YXRlLCAucHMsIC5wc2FmZTMsIC5wc2QsIC5wc3BpbWFnZSwgLnBzdCwgLnB0eCwgLnB1YiwgLnB3bSwgLnB5LCAucWJhLCAucWJiLCAucWJtLCAucWJyLCAucWJ3LCAucWJ4LCAucWJ5LCAucWNvdywgLnFjb3cyLCAucWVkLCAucXRiLCAucjNkLCAucmFmLCAucmFyLCAucmF0LCAucmF3LCAucmRiLCAucmU0LCAucm0sIC5ydGYsIC5ydnQsIC5ydzIsIC5yd2wsIC5yd3osIC5zM2RiLCAuc2FmZSwgLnNhczdiZGF0LCAuc2F2LCAuc2F2ZSwgLnNheSwgLnNkMCwgLnNkYSwgLnNkYiwgLnNkZiwgLnNoLCAuc2xkbSwgLnNsZHgsIC5zbG0sIC5zcWwsIC5zcWxpdGUsIC5zcWxpdGUzLCAuc3FsaXRlZGIsIC5zcWxpdGUtc2htLCAuc3FsaXRlLXdhbCwgLnNyMiwgLnNyYiwgLnNyZiwgLnNycywgLnNydCwgLnNydywgLnN0NCwgLnN0NSwgLnN0NiwgLnN0NywgLnN0OCwgLnN0YywgLnN0ZCwgLnN0aSwgLnN0bCwgLnN0bSwgLnN0dywgLnN0eCwgLnN2ZywgLnN3ZiwgLnN4YywgLnN4ZCwgLnN4ZywgLnN4aSwgLnN4bSwgLnN4dywgLnRheCwgLnRiYiwgLnRiaywgLnRibiwgLnRleCwgLnRnYSwgLnRobSwgLnRpZiwgLnRpZmYsIC50bGcsIC50bHgsIC50eHQsIC51cGssIC51c3IsIC52Ym94LCAudmRpLCAudmhkLCAudmhkeCwgLnZtZGssIC52bXNkLCAudm14LCAudm14ZiwgLnZvYiwgLnZwZCwgLnZzZCwg
LndhYiwgLndhZCwgLndhbGxldCwgLndhciwgLndhdiwgLndiMiwgLndtYSwgLndtZiwgLndtdiwgLndwZCwgLndwcywgLngxMSwgLngzZiwgLnhpcywgLnhsYSwgLnhsYW0sIC54bGssIC54bG0sIC54bHIsIC54bHMsIC54bHNiLCAueGxzbSwgLnhsc3gsIC54bHQsIC54bHRtLCAueGx0eCwgLnhsdywgLnhtbCwgLnhwcywgLnh4eCwgLnljYmNyYSwgLnl1diwgLnppcA==}

This response includes an RSA public key in Microsoft BLOB format on top of a list of file extensions: \x06\x02\x00\x00\x00\xa4\x00\x00RSA1\x00\x08\x00\x00\x01\x00\x01\x00\x9b\xe8\xd4c\xb4Q\xad\xb51K^\x86\xd6\xa59I\x99G\xc8\xbf\xf8Q5"G\xe5\x83x\xb7WE[\xe3@D\xd9\xa0\xc1\x14\xe6\x8d/\x9d7\xdc\xc0\x89\xbd\xb3\x1aN\x83\x0f\x8fq\x07\xd4n\xcaf\x81dA\x84\xcdKr\'\x8d{\xac\x1bU\x93\xec2o\xd2\xc7\xa2\xfb|8\x01\xdc)\xf0\xc6\rt\xf2\x0b]\x89\xca\xc1\xedP\xa8\xf8\x89%K\xe3\xc0P\xe0\xd1\xda\x16\xd9\x06\xf7\x07\xaf>\xa5Qkk\xba\xd3\x19h\xebu\xfb\xdeJc\xe5\xa1\x98s\xb5O\x08\x1b8\xdf\xef\x00T\x83\x9a \x16,\xdf\xb7K\\\xeb\xba\xd8$9\x16X\x1d\xfb\x19\xe7#\x0f!m\xf4\xc2i\x9d\xc9\xf9\x7f\x12D/K>\x13T\x07\xf8\x86\xdaZk\x95Ht\x93df7\xaf\xaf\xc2\xa6\x0b\x16\xc8K\t&\xa8*)\xca\x87/#\xd5\xbb~\xa3\x8f\x8e\xcf\\Etl\xb5\x1f\xc3\xc3w8L\xdbLa\xd7\xbel\xef\xe2S}K\xe3%\x8b\xcb\xdb\xe2\xa3\x13\x8a\xa2\xc1\x7f<\x15\x98\xc5\x99\xab$.1cd, .3dm, .3ds, .3fr, .3g2, .3gp, .3pr, .7z, .7zip, .aac, .ab4, .abd, .acc, .accdb, .accde, .accdr, .accdt, .ach, .acr, .act, .adb, .adp, .ads, .agdl, .ai, .aiff, .ait, .al, .aoi, .apj, .apk, .arw, .ascx, .asf, .asm, .asp, .aspx, .asset, .asx, .atb, .avi, .awg, .back, .backup, .backupdb, .bak, .bank, .bay, .bdb, .bgt, .bik, .bin, .bkp, .blend, .bmp, .bpw, .bsa, .c, .cash, .cdb, .cdf, .cdr, .cdr3, .cdr4, .cdr5, .cdr6, .cdrw, .cdx, .ce1, .ce2, .cer, .cfg, .cfn, .cgm, .cib, .class, .cls, .cmt, .config, .contact, .cpi, .cpp, .cr2, .craw, .crt, .crw, .cry, .cs, .csh, .csl, .css, .csv, .d3dbsp, .dac, .das, .dat, .db, .db_journal, .db3, .dbf, .dbx, .dc2, .dcr, .dcs, .ddd, .ddoc, .ddrw, .dds, .def, .der, .des, .design, .dgc, .dgn, .dit, .djvu, .dng, .doc, .docm, .docx, .dot, .dotm, .dotx, .drf, .drw, .dtd, .dwg, .dxb, .dxf, .dxg, .edb, .eml, .eps, .erbsql, .erf, .exf, .fdb, .ffd, .fff, .fh, .fhd, .fla, .flac, .flb, .flf, .flv, .flvv, .forge, .fpx, .fxg, .gbr, .gho, .gif, .gray, .grey, .groups, .gry, .h, .hbk, .hdd, .hpp, .html, .ibank, .ibd, .ibz, .idx, .iif, .iiq, .incpas, .indd, 
.info, .info_, .ini, .iwi, .jar, .java, .jnt, .jpe, .jpeg, .jpg, .js, .json, .k2p, .kc2, .kdbx, .kdc, .key, .kpdx, .kwm, .laccdb, .lbf, .lck, .ldf, .lit, .litemod, .litesql, .lock, .log, .ltx, .lua, .m, .m2ts, .m3u, .m4a, .m4p, .m4v, .ma, .mab, .mapimail, .max, .mbx, .md, .mdb, .mdc, .mdf, .mef, .mfw, .mid, .mkv, .mlb, .mmw, .mny, .money, .moneywell, .mos, .mov, .mp3, .mp4, .mpeg, .mpg, .mrw, .msf, .msg, .myd, .nd, .ndd, .ndf, .nef, .nk2, .nop, .nrw, .ns2, .ns3, .ns4, .nsd, .nsf, .nsg, .nsh, .nvram, .nwb, .nx2, .nxl, .nyf, .oab, .obj, .odb, .odc, .odf, .odg, .odm, .odp, .ods, .odt, .ogg, .oil, .omg, .one, .orf, .ost, .otg, .oth, .otp, .ots, .ott, .p12, .p7b, .p7c, .pab, .pages, .pas, .pat, .pbf, .pcd, .pct, .pdb, .pdd, .pdf, .pef, .pem, .pfx, .php, .pif, .pl, .plc, .plus_muhd, .pm!, .pm, .pmi, .pmj, .pml, .pmm, .pmo, .pmr, .pnc, .pnd, .png, .pnx, .pot, .potm, .potx, .ppam, .pps, .ppsm, .ppsx,.ppt, .pptm, .pptx, .prf, .private, .ps, .psafe3, .psd, .pspimage, .pst, .ptx, .pub, .pwm, .py, .qba, .qbb, .qbm, .qbr, .qbw, .qbx, .qby, .qcow, .qcow2, .qed, .qtb, .r3d, .raf, .rar, .rat, .raw, .rdb, .re4, .rm, .rtf, .rvt, .rw2, .rwl, .rwz, .s3db, .safe, .sas7bdat, .sav, .save, .say, .sd0, .sda, .sdb, .sdf, .sh, .sldm, .sldx, .slm, .sql, .sqlite, .sqlite3, .sqlitedb, .sqlite-shm, .sqlite-wal, .sr2, .srb, .srf, .srs, .srt, .srw, .st4, .st5, .st6, .st7, .st8, .stc, .std, .sti, .stl, .stm, .stw, .stx, .svg, .swf, .sxc, .sxd, .sxg, .sxi, .sxm, .sxw, .tax, .tbb, .tbk, .tbn, .tex, .tga, .thm, .tif, .tiff, .tlg, .tlx, .txt, .upk, .usr, .vbox, .vdi, .vhd, .vhdx, .vmdk, .vmsd, .vmx, .vmxf, .vob, .vpd, .vsd, .wab, .wad, .wallet, .war, .wav, .wb2, .wma, .wmf, .wmv, .wpd, .wps, .x11, .x3f, .xis, .xla, .xlam, .xlk, .xlm, .xlr, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml, .xps, .xxx, .ycbcra, .yuv, .zip

The second C2 session appears to report the number of encrypted files back to the C2.

Request data 2:

data=mdU+mIEkDgfqAIOO+CE6OIMj4I4KH7R1B4Gz5B/kfHeve0qnMlZCiTfpjFRL3mRkVFp9ni9m43rGbQRqp6Hd8P6/u0uPEQXxpf+OwbomcCda76DKPbK1MHfmYYPYGBPuUXpcpvqK1M7HQi8qNrC8k8Cx2eo+izu0dVM6nFaMIVBiJ2ICLYqm5ln7zRKCVzSK3qIOAksRlfZKqaNPuw7dRfv/dZcj6az5YcvFu2Pq8IWglyDyP4auPG3nr0PFLsroTmWD1qvsNlX5Wg==

Decoded:

action=result&e_files=1126&e_size=30272761&e_time=12312&pc_group=WORKGROUP&ransom_id=6361f798c4ba3647

Response data 2:

g5oW5Q==1

Decoded:

{OK}
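Once the Base64 and RC4 layers have been stripped (the RC4 key is not reproduced in this post), the decoded request and response formats above can be parsed with a few lines. This is an added example, not code from the post; it uses the start of the pub_key and mask fields and the decoded body of request 2 quoted above, and names the 0xa400 algorithm id by its Windows constant CALG_RSA_KEYX.

```python
import base64
import struct

# Constructed from values on the page: the first 32 base64 characters of the pub_key field
# in request 1 (enough for the 20-byte CryptoAPI header), the start of the mask field in
# response 1, and the decoded body of request 2.
PUBKEY_PREFIX_B64 = "BgIAAACkAABSU0ExAAgAAAEAAQCdWRGe"
MASK_PREFIX_B64 = "LjFjZCwgLjNkbSwgLjNkcywg"
REQUEST2_DECODED = ("action=result&e_files=1126&e_size=30272761&e_time=12312"
                    "&pc_group=WORKGROUP&ransom_id=6361f798c4ba3647")
CALG_RSA_KEYX = 0x0000A400   # aiKeyAlg carried in the blob header


def parse_beacon(decoded):
    """Split the RC4-decrypted 'k=v&k=v' request body into a dict. The key blobs are raw
    base64 containing '+' and '/', not URL-encoded, so urllib.parse.parse_qs would turn
    '+' into spaces; split on '&' and the first '=' instead."""
    fields = {}
    for part in decoded.split("&"):
        key, _, value = part.partition("=")
        fields[key] = value
    return fields


def parse_response(text):
    """Parse '{REPEAT}{pub_key=...}{mask=...}' or '{OK}' into a dict; bare tokens map to True."""
    out = {}
    for item in text.strip().strip("{}").split("}{"):
        key, sep, value = item.partition("=")
        out[key] = value if sep else True
    return out


def decode_mask(mask_b64):
    """mask is base64 of a comma-separated extension list; one entry on the page has no
    space after the comma, so split on ',' alone and strip."""
    text = base64.b64decode(mask_b64).decode("ascii")
    return [ext.strip() for ext in text.split(",") if ext.strip()]


def parse_rsa_pubkey_blob(blob_b64):
    """Parse a CryptoAPI PUBLICKEYBLOB: PUBLICKEYSTRUC (bType 0x06, bVersion, reserved,
    aiKeyAlg), then RSAPUBKEY (magic 'RSA1', bitlen, pubexp), then the little-endian modulus."""
    blob = base64.b64decode(blob_b64)
    btype, bversion, _reserved, alg = struct.unpack_from("<BBHI", blob, 0)
    magic, bitlen, pubexp = struct.unpack_from("<4sII", blob, 8)
    if btype != 0x06 or magic != b"RSA1":
        raise ValueError("not an RSA PUBLICKEYBLOB")
    nbytes = bitlen // 8
    modulus = int.from_bytes(blob[20:20 + nbytes], "little") if len(blob) >= 20 + nbytes else None
    return {"version": bversion, "alg": alg, "bits": bitlen, "e": pubexp, "n": modulus}
```

The priv_key field starts with bType 0x07 and magic 'RSA2' (a PRIVATEKEYBLOB), so the same header layout applies to it but the parser above deliberately rejects it.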

GandCrab ransom message

The ransom message is one of the few things in the unpacked bot that is stored in protected form.

GandCrab xor msg

However, the message is stored as Unicode (UTF-16), so half of the plaintext bytes are zero and the single-byte XOR key shows up as a repeating byte pattern, which makes finding the message trivial.

GandCrab xord data
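An added example (not from the post) of that search, written to run over a dumped memory region: it assumes ASCII-range UTF-16LE text under a single-byte key, and the buffer it scans is constructed here rather than taken from the bot.

```python
# Constructed sample (not taken from the bot): a ransom-note-style string stored as
# UTF-16LE and XORed with one byte, padded with unrelated bytes on either side.
SAMPLE_KEY = 0x5A
SAMPLE_MSG = "Your files have been encrypted. Contact us to recover them."
SAMPLE_BUF = (b"\x90" * 8
              + bytes(b ^ SAMPLE_KEY for b in SAMPLE_MSG.encode("utf-16-le"))
              + b"\x00" * 40)


def find_xored_utf16_runs(buf, min_chars=16):
    """Locate single-byte-XORed UTF-16LE text. ASCII characters have a 0x00 high byte, so
    after XOR every second byte of the message equals the key: scan for such a repeating
    byte, take it as the key, and keep runs that decode to printable ASCII.
    Returns (offset, key, text) tuples; a key of 0 means the text was not encoded at all."""
    hits = []
    i = 0
    while i + 1 < len(buf):
        key = buf[i + 1]
        j = i
        while j + 1 < len(buf) and buf[j + 1] == key:
            j += 2
        if (j - i) // 2 >= min_chars:
            text = bytes(b ^ key for b in buf[i:j]).decode("utf-16-le", errors="replace")
            if all(32 <= ord(ch) < 127 or ch in "\r\n\t" for ch in text):
                hits.append((i, key, text))
                i = j          # continue after the run we just consumed
                continue
        i += 1
    return hits
```

Runs of zero bytes (padding, key 0) decode to NUL characters and are rejected by the printable check, which is why the trailing padding in the sample produces no hit.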

References:

  1. https://twitter.com/kafeine/status/958298409944920064
  2. https://twitter.com/nao_sec/status/956819846699696128
  3. https://app.any.run/tasks/08bcc1df-a53e-4240-a8a7-32d251da51cb
  4. https://www.fidelissecurity.com/threatgeek/2017/11/tracking-emotet-payload-icedid
  5. https://secrary.com/ReversingMalware/UnpackingGandCrab/
  6. https://blog.malwarebytes.com/threat-analysis/2018/01/gandcrab-ransomware-distributed-by-rig-and-grandsoft-exploit-kits/
  7. https://en.wikipedia.org/wiki/Tiny_Encryption_Algorithm