ion-storm/Base64_CheatSheet.md

Forked from Neo23x0/Base64_CheatSheet.md

Created October 25, 2019 20:15

Star () You must be signed in to star a gist
Fork () You must be signed in to fork a gist

Learn more about clone URLs
Clone this repository at <script src="https://gist.github.com/ion-storm/6382a96463608cca83d57067e10849f4.js"></script>
Save ion-storm/6382a96463608cca83d57067e10849f4 to your computer and use it in GitHub Desktop.

Download ZIP

Learning Aid - Top Base64 Encodings Table

Raw

Base64_CheatSheet.md

Learning Aid - Top Base64 Encodings Table

MITRE ATT4CK - T1132 - Data Encoding

Base64 Code	Mnemonic Aid	Decoded*	Description
`JAB`	🗣 Jabber	`$.`	Variable declaration (UTF-16)
`TVq`	📺 Television	`MZ`	MZ header
`UEs`	🏬 Upper East Side	`PK`	ZIP, Office documents
`SUVY`	🚙 SUV	`IEX`	PowerShell Invoke Expression
`SQBFAF`	🐣 Squab favorite	`I.E.`	PowerShell Invoke Expression (UTF-16)
`PAA`	💪 "Pah!"	`<.`	Often used by Emotet (UTF-16)
`cwBhA`	🦁 Chewbaka	`s.a.`	Often used in malicious droppers (UTF-16) 'sal' instead of 'var'
`aWV4`	Awe version 4	`iex`	PowerShell Invoke Expression
`aQBlA`	💦 Aqua Blah (aquaplaning)	`i.e.`	PowerShell Invoke Expression (UTF-16)
`R2V0`	🤖 R2D2 but version 0	`Get`	Often used to obfuscate imports like GetCurrentThreadId
`dmFy`	👹 defy / demonify	`var`	Variable declaration
`dgBhA`	debugger + high availability	`v.a.`	Variable declaration (UTF-16)
`dXNpbm`	Dixon problem	`usin`	Often found in compile after delivery attacks
`H4sIA`	🚁 HForce (Helicopter Force) I agree		gzip magic bytes (0x1f8b), e.g. `echo 'test' \| gzip -cf \| base64`

* the . stands for 0x00

Cyber Chef Recipe

https://gchq.github.io/CyberChef/#recipe=Fork('%5C%5Cn','%5C%5Cn',false)From_Base64('A-Za-z0-9%2B/%3D',true)&input=SkFCClRWcQpQQUEKU1VWWQpTUUJGQUYKYVdWNAphUUJsQQpSMlYwCmRtRnkKZGdCaEEKY3dCaEEKZFhOcGJtCkg0c0lBRldXc2wwQUF5dEpMUzdoQWdER05iazdCUUFBQUE9PQ

References

Tweet

Tweet and Thread https://twitter.com/cyb3rops/status/1187341941794660354

JAB

https://www.hybrid-analysis.com/sample/ce0415b6661ef66bbedb69896ad1ece9ee4e6dfde9925e9612aec7bbf1cb7bc5?environmentId=100

PAA

Emotet process command line https://app.any.run/tasks/dfba6d53-7a93-4d8b-86ba-4e737ad06b06/

cwBha

Explanation https://threat.tevora.com/5-minute-forensics-decoding-powershell-payloads/

Sample https://www.hybrid-analysis.com/sample/b744129bfe54de8b36d7556ddfcc55d0be213129041aacf52b7d2f57012caa60?environmentId=100

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment