@Neo23x0
Last active March 10, 2024 09:15
Learning Aid - Top Base64 Encodings Table

Base64 Patterns - Learning Aid

| Base64 Code | Mnemonic Aid | Decoded* | Description |
|---|---|---|---|
| JAB | 🗣 Jabber | $. | Variable declaration (UTF-16), e.g. JABlAG4AdgA for $env: |
| TVq | 📺 Television | MZ | MZ header |
| SUVY | 🚙 SUV | IEX | PowerShell Invoke Expression |
| SQBFAF | Squab favorite | I.E. | PowerShell Invoke Expression (UTF-16) |
| SQBuAH | Squab uahhh | I.n. | PowerShell Invoke string (UTF-16) e.g. Invoke-Mimikatz |
| PAA | 💪 "Pah!" | <. | Often used by Emotet (UTF-16) |
| cwBhA | Chewbaka | s.a. | Often used in malicious droppers (UTF-16) 'sal' instead of 'var' |
| aWV4 | 😲 Awe version 4 | iex | PowerShell Invoke Expression |
| aQBlA | 💦 Aqua Blah (aquaplaning) | i.e. | PowerShell Invoke Expression (UTF-16) |
| R2V0 | 🤖 R2D2 but version 0 | Get | Often used to obfuscate imports like GetCurrentThreadId |
| dmFy | 👹 defy / demonify | var | Variable declaration |
| dgBhA | debugger + high availability | v.a. | Variable declaration (UTF-16) |
| dXNpbm | Dixon problem | usin | Often found in compile after delivery attacks |
| H4sIA | 🚁 HForce (Helicopter Force) I agree | | gzip magic bytes (0x1f8b), e.g. `echo 'test' \| gzip -cf \| base64` |
| Y21k | 🎆 Year 21k bug | cmd | As used in cmd.exe /c wscript.exe or the like |
| IAB | 🥱 I am bored | s | wide lower case s, often something like sEt-iTem |
| cABhAH | 🕋 Kaaba | p.a. | wide formatted param |
| Qzpc | 🖥 Quiz PC | C:\ | Root of Windows partition (upper case) |
| Yzpc | 🖥 Yes PC | c:\ | Root of Windows partition (lower case) |
| UEs | Upper East Side | PK | ZIP, Office documents |
| ey | 🗣 Hey | { | Indicates JSON data |

* the . stands for 0x00 found in UTF-16 encoded text

Often found patterns

| Base64 Code | Decoded | Description |
|---|---|---|
| AAAAAAAAAAAA | \x00\x00\x00\x00\x00\x00\x00\x00\x00 | Sequence of binary zeros |
| //////////// | \xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF | Sequence of 0xFF bytes |
| ICAgICAgICAg | | Sequence of space characters |

CyberChef Recipe

https://gchq.github.io/CyberChef/#recipe=Fork('%5C%5Cn','%5C%5Cn',false)From_Base64('A-Za-z0-9%2B/%3D',true)&input=SkFCClRWcQpQQUEKU1VWWQpTUUJGQUYKYVdWNAphUUJsQQpSMlYwCmRtRnkKZGdCaEEKY3dCaEEKZFhOcGJtCkg0c0lBRldXc2wwQUF5dEpMUzdoQWdER05iazdCUUFBQUE9PQ

References

Tweet

Tweet and Thread https://twitter.com/cyb3rops/status/1187341941794660354

JAB

https://www.hybrid-analysis.com/sample/ce0415b6661ef66bbedb69896ad1ece9ee4e6dfde9925e9612aec7bbf1cb7bc5?environmentId=100

PAA

Emotet process command line https://app.any.run/tasks/dfba6d53-7a93-4d8b-86ba-4e737ad06b06/

cwBha

Explanation https://threat.tevora.com/5-minute-forensics-decoding-powershell-payloads/

Sample https://www.hybrid-analysis.com/sample/b744129bfe54de8b36d7556ddfcc55d0be213129041aacf52b7d2f57012caa60?environmentId=100

@rickhenderson

This is amazing btw.
