It seems communication with the C&C is RC4-encoded (the key seems to be the alphanumerically sorted path of the POST) and uses the I2P protocol:

://proxy2-2.i2p/p1256nl9su84v HTTP/1.1
Accept: application/x-www-form-urlencoded
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0;.NET 4.0.0E;.NET CLR 2.50727)
Source: https://malware.dontneedcoffee.com/2015/01/guess-whos-back-again-cryptowall-30.html
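For analysts who want to test the key hypothesis above against a captured request, the following added example (not code from the original post) derives a candidate RC4 key from the POST path and decodes a body with it. It assumes that "alphanum sorted" means the path characters in ascending ASCII order and that the body is raw RC4 output; the function names and the sample body are constructed for illustration.

```python
# Added example: decode a captured C&C body under the key hypothesis above.
# Assumption: "alphanum sorted" = the path's characters in ascending ASCII
# order (digits before lowercase letters). Function names are hypothetical.

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encrypting and decrypting are the same call."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # keystream generation + XOR
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def key_from_target(target: str) -> bytes:
    """Sort the characters of the last path segment of a request target."""
    segment = target.split("?", 1)[0].rstrip("/").rsplit("/", 1)[-1]
    if not (segment and segment.isascii() and segment.isalnum()):
        # A host name or empty path is not the random alphanumeric token.
        raise ValueError(f"unexpected path segment: {segment!r}")
    return "".join(sorted(segment)).encode("ascii")

def decode_body(target: str, body: bytes) -> bytes:
    """Decode a POST body with the key derived from its own request path."""
    return rc4(key_from_target(target), body)

if __name__ == "__main__":
    target = "://proxy2-2.i2p/p1256nl9su84v"   # request target as captured above
    key = key_from_target(target)
    # Constructed sample body (not real traffic), used to show the round trip.
    sample = rc4(key, b"constructed-sample-message")
    print(key.decode(), decode_body(target, sample))
```

If the decoded output of a real capture is not readable, the sort order or the body encoding assumed here is the first thing to revisit.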

