Skip to content

Instantly share code, notes, and snippets.

Last active March 10, 2024 09:15
Show Gist options
  • Save Neo23x0/6af876ee72b51676c82a2db8d2cd3639 to your computer and use it in GitHub Desktop.
Save Neo23x0/6af876ee72b51676c82a2db8d2cd3639 to your computer and use it in GitHub Desktop.
Learning Aid - Top Base64 Encodings Table

Base64 Patterns - Learning Aid

Base64 Code Mnemonic Aid Decoded* Description
JAB ๐Ÿ—ฃ Jabber $. Variable declaration (UTF-16), e.g. JABlAG4AdgA for $env:
TVq ๐Ÿ“บ Television MZ MZ header
SUVY ๐Ÿš™ SUV IEX PowerShell Invoke Expression
SQBFAF ๐Ÿฃ Squab favorite I.E. PowerShell Invoke Expression (UTF-16)
SQBuAH ๐Ÿฃ Squab uahhh I.n. PowerShell Invoke string (UTF-16) e.g. Invoke-Mimikatz
PAA ๐Ÿ’ช "Pah!" <. Often used by Emotet (UTF-16)
cwBhA ๐Ÿฆ Chewbaka s.a. Often used in malicious droppers (UTF-16) 'sal' instead of 'var'
aWV4 ๐Ÿ˜ฒ Awe version 4 iex PowerShell Invoke Expression
aQBlA ๐Ÿ’ฆ Aqua Blah (aquaplaning) i.e. PowerShell Invoke Expression (UTF-16)
R2V0 ๐Ÿค– R2D2 but version 0 Get Often used to obfuscate imports like GetCurrentThreadId
dmFy ๐Ÿ‘น defy / demonify var Variable declaration
dgBhA debugger + high availability v.a. Variable declaration (UTF-16)
dXNpbm Dixon problem usin Often found in compile after delivery attacks
H4sIA ๐Ÿš HForce (Helicopter Force) I agree gzip magic bytes (0x1f8b), e.g. echo 'test' | gzip -cf | base64
Y21k ๐ŸŽ† Year 21k bug cmd As used in cmd.exe /c wscript.exe or the like
IAB ๐Ÿฅฑ I am bored s wide lower case s, often something like sEt-iTem
cABhAH ๐Ÿ•‹ Kaaba p.a. wide formatted param
Qzpc ๐Ÿ–ฅ Quiz PC C:\ Root of Windows partition (upper case)
Yzpc ๐Ÿ–ฅ Yes PC c:\ Root of Windows partition (lower case)
UEs ๐Ÿฌ Upper East Side PK ZIP, Office documents
ey ๐Ÿ—ฃ Hey { ย Indicates JSON data

* the . stands for 0x00 found in UTF-16 encoded text

Often found patterns

Base64 Code Decoded Description
AAAAAAAAAAAA \x00\x00\x00\x00\x00\x00\x00\x00\x00 Sequence of binary zeros
//////////// \xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF Sequence of 0xFF bytes
ICAgICAgICAg Sequence of space characters

Cyber Chef Recipe'%5C%5Cn','%5C%5Cn',false)From_Base64('A-Za-z0-9%2B/%3D',true)&input=SkFCClRWcQpQQUEKU1VWWQpTUUJGQUYKYVdWNAphUUJsQQpSMlYwCmRtRnkKZGdCaEEKY3dCaEEKZFhOcGJtCkg0c0lBRldXc2wwQUF5dEpMUzdoQWdER05iazdCUUFBQUE9PQ



Tweet and Thread



Emotet process command line




Copy link

srcr commented Oct 15, 2020

should MITRE ATT4CK be changed to MITRE ATT&CK? Very nice list though. Danke

Copy link

Neo23x0 commented Oct 15, 2020

I'll remove the MITRE reference completely. Don't want that anyone tells me that it lacks a (r) character.

Copy link

ohader commented Mar 9, 2022

Please add YTo and Tzo, start of a serialized array and object in PHP (a: and O:), good indicator when searching for insecure deserialization vulns. PoC at

Copy link

Please mention that these encodings only hold at the start of the encoded string and will not work consistently at other positions. Most people aren't aware of the 3 byte chunks used to encode base64 and the 3 encodings repetition you get by shifting one byte at a time. Also IAB decodes to 0x20 0x00 not 0x73 0x00.
Here's an example of determining the consistent subset of an encoded string at the 3 offsets. (wide "s" used)'%5C%5Cn','%5C%5Cn',false)From_Hex('Auto')To_Base64('A-Za-z0-9%2B/%3D')&input=NzMgMDAgMDAgMDAKNzMgMDAgNzcgNzcKNzMgMDAgRkYgRkYKMDAgNzMgMDAgMDAgMDAKNzcgNzMgMDAgNzcgNzcKRkYgNzMgMDAgRkYgRkYKMDAgMDAgNzMgMDAgMDAgMDAgMDAKNzcgNzcgNzMgMDAgNzcgNzcgNzcKRkYgRkYgNzMgMDAgRkYgRkYgRkYKMDAgMDAgMDAgNzMgMDAgMDAgMDAgMDAKNzcgNzcgNzcgNzMgMDAgNzcgNzcgNzcKRkYgRkYgRkYgNzMgMDAgRkYgRkYgRkYKMDAgMDAgMDAgMDAgNzMgMDAgMDAgMDAgMDAKNzcgNzcgNzcgNzcgNzMgMDAgNzcgNzcgNzcKRkZGRiBGRiBGRiA3MyAwMCBGRiBGRiBGRgoK
Unless you're only checking the start of a buffer you'll need to trim a bit off the front and back to safely detect the consistent substring of what you're looking for. From the example of wide "s" you have cw, MA, zA. I added extra shifts in Cyberchef to illustrate the cycle and how the pattern comes back every 3rd byte.

Copy link

Very cool gist! It occured to me: ey misses a quote after the brace: {". And any idea for aHR0cHM6Ly8= (https://)?

Copy link

This is amazing btw.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment