Today I looked a bit closer at the response sent from chromeupdatecenter.com to the malware's request. The malware connects to port 8080, most likely because the “malware webservice” runs on another HTTP server instance (the headers state nginx, while the main page is supposedly running Apache on an Ubuntu server). I figured out that the first 22152 bytes contain a bitmap. This bitmap is later saved to the user's temporary path (on Windows 7 to C:\Users\$USERNAME\AppData\Local\Temp\32239.bmp).
The image length also matches the header “ACC”, which states 22152. The length of a bitmap is also available from its own header, though, which would make the server code a bit easier; maybe something for their next version 😉
However, after the bitmap, there are still 493 bytes left. This should be either the encryption key or the message in the AlertEncryptor.txt files…
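For analysts who want to carve a captured response the same way, here is an added example (not code from the original analysis or from the malware) that reads the bitmap length from the BMP file header, cross-checks it against the “ACC” value, and separates the trailing bytes. The function names are hypothetical, the “ACC” value is assumed to be a decimal string, and the sample body is constructed with the sizes given above.

```python
import struct

def split_response(body, acc_header=None):
    """Split a captured response body into (bitmap, trailing_bytes).

    acc_header is the value of the "ACC" response header, assumed here
    to be a decimal string; pass None to skip the cross-check.
    """
    if len(body) < 14 or body[:2] != b"BM":
        raise ValueError("body does not start with a BMP file header")
    # BITMAPFILEHEADER after the 'BM' magic:
    # bfSize (uint32 LE), two reserved uint16, bfOffBits (uint32 LE)
    bf_size, _res1, _res2, bf_off_bits = struct.unpack_from("<IHHI", body, 2)
    if bf_size < 14 or bf_size > len(body):
        raise ValueError("bfSize %d does not fit body of %d bytes"
                         % (bf_size, len(body)))
    if bf_off_bits > bf_size:
        raise ValueError("pixel data offset lies beyond the declared size")
    if acc_header is not None and int(acc_header.strip()) != bf_size:
        raise ValueError("ACC header %r disagrees with bfSize %d"
                         % (acc_header, bf_size))
    return body[:bf_size], body[bf_size:]

def make_sample(bmp_len=22152, extra_len=493):
    """Constructed sample: zero-filled BMP plus a dummy trailing blob."""
    header = b"BM" + struct.pack("<IHHI", bmp_len, 0, 0, 54)
    bitmap = header + bytes(bmp_len - len(header))
    trailer = (bytes(range(256)) * 2)[:extra_len]  # placeholder, not real data
    return bitmap + trailer

if __name__ == "__main__":
    bitmap, rest = split_response(make_sample(), acc_header="22152")
    print("bitmap bytes:", len(bitmap))
    print("trailing bytes:", len(rest))
    print("trailing blob (hex, first 16):", rest[:16].hex())
```

A mismatch between the two lengths raises an error instead of silently carving at the wrong offset, which matters if a later server version changes the layout.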