ashr/Base64_CheatSheet.md

Forked from Neo23x0/Base64_CheatSheet.md

Created October 24, 2019 21:31

Star (1) You must be signed in to star a gist
Fork (0) You must be signed in to fork a gist

Select an option

Learn more about clone URLs
Clone this repository at <script src="https://gist.github.com/ashr/0f78cf527726f8c9b05211d624da59b3.js"></script>
Save ashr/0f78cf527726f8c9b05211d624da59b3 to your computer and use it in GitHub Desktop.

Download ZIP

Spot Malicious Base64 Encoded Code

Raw

Base64_CheatSheet.md

Learning Aid - Top Base64 Encodings Table

MITRE ATT4CK - T1132 - Data Encoding

Base64 Code	Decoded (. = 0x00)	Description	MITRE ID
JAB	$.	Variable declaration (UTF-16)	T1086
TVq	MZ	MZ header	T1001
UEs	PK	ZIP, Office documents	T1001
SUVY	IEX	PowerShell Invoke Expression	T1086
SQBFAF	I.E.	PowerShell Invoke Expression (UTF-16)	T1086
PAA	<.	Often used in Emotet command lines (UTF-16)	T1086
cwBhA	s.a.	Often used in malicious droppers (UTF-16) 'sal' instead of 'var'	T1086
aWV4	iex	PowerShell Invoke Expression	T1086
aQBlA	i.e.	PowerShell Invoke Expression (UTF-16)	T1086
R2V0	Get	Often used to obfuscate imports like GetCurrentThreadId	T1001
dmFy	var	Variable declaration	T1064
dgBhA	v.a.	Variable declaration (UTF-16)	T1064
dXNpbm	usin	Often found in compile after delivery attacks	T1500

Cyber Chef Recipe

https://gchq.github.io/CyberChef/#recipe=Fork('%5C%5Cn','%5C%5Cn',false)From_Base64('A-Za-z0-9%2B/%3D',true)&input=SkFCClRWcQpQQUEKU1VWWQpTUUJGQUYKYVdWNAphUUJsQQpSMlYwCmRtRnkKZGdCaEEKY3dCaEEKZFhOcGJt

References

Tweet

Tweet and Thread https://twitter.com/cyb3rops/status/1187341941794660354

cwBha

https://www.hybrid-analysis.com/sample/b744129bfe54de8b36d7556ddfcc55d0be213129041aacf52b7d2f57012caa60?environmentId=100

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment