Base64 Patterns - Learning Aid
Base64 Code | Mnemonic Aid | Decoded* | Description |
---|---|---|---|
JAB |
$. |
Variable declaration (UTF-16) | |
TVq |
MZ |
MZ header | |
SUVY |
IEX |
PowerShell Invoke Expression | |
SQBFAF |
I.E. |
PowerShell Invoke Expression (UTF-16) | |
SQBuAH |
I.n. |
PowerShell Invoke string (UTF-16) e.g. Invoke-Mimikatz |
|
PAA |
<. |
Often used by Emotet (UTF-16) | |
cwBhA |
s.a. |
Often used in malicious droppers (UTF-16) 'sal' instead of 'var' | |
aWV4 |
iex |
PowerShell Invoke Expression | |
aQBlA |
i.e. |
PowerShell Invoke Expression (UTF-16) | |
R2V0 |
Get |
Often used to obfuscate imports like GetCurrentThreadId | |
dmFy |
var |
Variable declaration | |
dgBhA |
debugger + high availability | v.a. |
Variable declaration (UTF-16) |
dXNpbm |
Dixon problem | usin |
Often found in compile after delivery attacks |
H4sIA |
gzip magic bytes (0x1f8b), e.g. echo 'test' | gzip -cf | base64 |
||
Y21k |
cmd |
As used in cmd.exe /c wscript.exe or the like |
|
IAB |
s |
wide lower case s , often something like sEt-iTem |
|
cABhAH |
p.a. |
wide formatted param |
|
Qzpc |
C:\ |
Root of Windows partition (upper case) | |
Yzpc |
c:\ |
Root of Windows partition (lower case) | |
UEs |
PK |
ZIP, Office documents | |
ey |
{ |
Indicates JSON data |
* the .
stands for 0x00
found in UTF-16 encoded text
Often found patterns
Base64 Code | Decoded | Description |
---|---|---|
AAAAAAAAAAAA |
\x00\x00\x00\x00\x00\x00\x00\x00\x00 |
Sequence of binary zeros |
//////////// |
\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF |
Sequence of 0xFF bytes |
ICAgICAgICAg |
|
Sequence of space characters |
Cyber Chef Recipe
References
Tweet
Tweet and Thread https://twitter.com/cyb3rops/status/1187341941794660354
JAB
PAA
Emotet process command line https://app.any.run/tasks/dfba6d53-7a93-4d8b-86ba-4e737ad06b06/
cwBha
Explanation https://threat.tevora.com/5-minute-forensics-decoding-powershell-payloads/
should MITRE ATT4CK be changed to MITRE ATT&CK? Very nice list though. Danke