17Mar
How do I decode/decompress a DNS exfiltration attempt?
I'm analysing a DNS exfiltration attempt and I'm having trouble decoding/decompressing the data that the attacker was attempting to exfiltrate. (The information is not confidential.)
The DNS queries are as follows:
b'H4sICN3l1GUAA3Bhc3N3ZACNV9tyozgQfc9X8AFxYcBXvU1N3jbJZjdT*-.zolg2JUBolIwpf5*u1ugQ1Bu54CE0l9TqulPmqI0dqxM5vDZbAZ*2drTb-.yTKv5ly4eCi1orACVwdR0CWEDcWrHSld5L9YCjZ5bCRfYwyF4sgDK4sBU-.X4hgEqRxQC7ZaLrMFo27cO42x*7DntUBPS7aaM98hP4PmyGXNMbgVS1KG-.passwd.'
b'H4sICN3l1GUAA3Bhc3N3ZACNV9tyozgQfc9X8AFxYcBXvU1N3jbJZjdT*-.zolg2JUBolIwpf5*u1ugQ1Bu54CE0l9TqulPmqI0dqxM5vDZbAZ*2drTb-.yTKv5ly4eCi1orACVwdR0CWEDcWrHSld5L9YCjZ5bCRfYwyF4sgDK4sBU-.X4hgEqRxQC7ZaLrMFo27cO42x*7DntUBPS7aaM98hP4PmyGXNMbgVS1KG-.passwd.'
b'zfjITZzzvBQxdSf4qgH4Gi5oENg2Wldx1RRB57IC*AYuahLBtyZYJU4Y9-.xYuag6c*/6E0bY5BpPM8abOgOP7E05j9PmCpAxv3/uPjJxOp1nBHce0ZH-.hfB2ga6IVyzfNDi1FBeuDuukTw7dBCKmlRc9kG7xfYHqn20TMMRi9c8b0-.w3gHBpmxpUBPZFm9oQx5Mq2LfmoB/8ganWqSdhBhYlDiDZ6FCzpXe6QI3-.passwd.'
b'zfjITZzzvBQxdSf4qgH4Gi5oENg2Wldx1RRB57IC*AYuahLBtyZYJU4Y9-.xYuag6c*/6E0bY5BpPM8abOgOP7E05j9PmCpAxv3/uPjJxOp1nBHce0ZH-.hfB2ga6IVyzfNDi1FBeuDuukTw7dBCKmlRc9kG7xfYHqn20TMMRi9c8b0-.w3gHBpmxpUBPZFm9oQx5Mq2LfmoB/8ganWqSdhBhYlDiDZ6FCzpXe6QI3-.passwd.'
b'zMP9sxu8QwUdO1EXMyXcSZsD5na7oV9niV69pVtlTW7*x5GTIGF/ArbbN-.f16Tz/AFL2DrTRayV/cSTyTIUUKa2GuXWtJOSid9d1NcNaj4bzPt*zH20-.tk9Yc7cSMi6yCrj4*PfYZ2sWtqfxw/eGXFg3UQ0d6e6Jgl89u*9/gBIDB-.z3hRt7VUOigWd34u1tbu6PRNhwRYr5vuRL1OjQDtkYL9tWZCD5TVYVBQN-.passwd.'
b'zMP9sxu8QwUdO1EXMyXcSZsD5na7oV9niV69pVtlTW7*x5GTIGF/ArbbN-.f16Tz/AFL2DrTRayV/cSTyTIUUKa2GuXWtJOSid9d1NcNaj4bzPt*zH20-.tk9Yc7cSMi6yCrj4*PfYZ2sWtqfxw/eGXFg3UQ0d6e6Jgl89u*9/gBIDB-.z3hRt7VUOigWd34u1tbu6PRNhwRYr5vuRL1OjQDtkYL9tWZCD5TVYVBQN-.passwd.'
b'T9GFsjW3n0RYdYRubDRdLW0eoPMjLyWR17C*lH3DflQ/vb4PY8b5CTn7W-.m9vUTdC5OWskLbhDuqXIacblm7ZO5mip6vp6nNKGqSuaeFJXrYQ2oK9Yf-.9bW0j9NTSPDB3sfemKGn1glUpW7BlHKJKKX74e713cE4YC4kpQOhKQX7I-.ZKocsgRqnq4N0BR2TFf38yD3pGIegM6UhSbbsb8ErPHN/SEcrhWoZymAO-.passwd.'
b'T9GFsjW3n0RYdYRubDRdLW0eoPMjLyWR17C*lH3DflQ/vb4PY8b5CTn7W-.m9vUTdC5OWskLbhDuqXIacblm7ZO5mip6vp6nNKGqSuaeFJXrYQ2oK9Yf-.9bW0j9NTSPDB3sfemKGn1glUpW7BlHKJKKX74e713cE4YC4kpQOhKQX7I-.ZKocsgRqnq4N0BR2TFf38yD3pGIegM6UhSbbsb8ErPHN/SEcrhWoZymAO-.passwd.'
b'f42PECSazpkfiPBPa6L6erhDIuzIgcJTz3Qj1LGhcwO7n6QJ6wpGt23Rn-.wD45*115LAjxVgJdLCiece5VkrkfrlLcJ6GnH/3oKipWqCO5hmjQ5XmYj-.8rco8v1wV7ubz/9Ry9C3Ps9DdKxrBgtDBptaD0LenXDUUWyDKHokNVL*J-.5rlskY0yk5p4aqPumySmY9ehMwyigQvu/FzqvWpI/iC5JVwPh9bYp60ns-.passwd.'
b'f42PECSazpkfiPBPa6L6erhDIuzIgcJTz3Qj1LGhcwO7n6QJ6wpGt23Rn-.wD45*115LAjxVgJdLCiece5VkrkfrlLcJ6GnH/3oKipWqCO5hmjQ5XmYj-.8rco8v1wV7ubz/9Ry9C3Ps9DdKxrBgtDBptaD0LenXDUUWyDKHokNVL*J-.5rlskY0yk5p4aqPumySmY9ehMwyigQvu/FzqvWpI/iC5JVwPh9bYp60ns-.passwd.'
b'JFczq3zNAhEl6XooWTQMF2urEoGgmiTd3H8bucYKWgeIIcmSuwQjCqvzA-.5VvSHGSpey2XVdjgHcqNUk6zUYF239boDW0x3vdlNL6BYFgR2W*twXe37-.qQijY6HRfczhCQloTQNTFWo/CQ1RkDBdJx59e0nryE1EdwFwQURmKAArL-.lAO8todJj3d4IT4LkZyv25odQ/LyopYJcGe60GZ2mngcnhtSx4/CdXWv7-.passwd.'
b'JFczq3zNAhEl6XooWTQMF2urEoGgmiTd3H8bucYKWgeIIcmSuwQjCqvzA-.5VvSHGSpey2XVdjgHcqNUk6zUYF239boDW0x3vdlNL6BYFgR2W*twXe37-.qQijY6HRfczhCQloTQNTFWo/CQ1RkDBdJx59e0nryE1EdwFwQURmKAArL-.lAO8todJj3d4IT4LkZyv25odQ/LyopYJcGe60GZ2mngcnhtSx4/CdXWv7-.passwd.'
b'2UrnaKUZKCQbVr*bNbCl8M1hJdXdDIWyHfB6Wyh/R08BoSwS9qWm8NB6D-.7zyLy/6koAHrarUtYjJNPq/4eeeV8JwmiL7ze*vsynoJAE0WfTCoMEp9l-.*x9bTVuwwAAA==-.passwd.'
b'2UrnaKUZKCQbVr*bNbCl8M1hJdXdDIWyHfB6Wyh/R08BoSwS9qWm8NB6D-.7zyLy/6koAHrarUtYjJNPq/4eeeV8JwmiL7ze*vsynoJAE0WfTCoMEp9l-.*x9bTVuwwAAA==-.passwd.'
Now I'm assuming this is base64-encoded and gzip-compressed, because when I decode from base64 I see that the first byte of the file is 0x1f (which points to gzip); however, I am unable to decompress it with gzip after decoding. Or perhaps I have my theory wrong. Any advice or pointers are very welcome!