@duaneking
Forked from Neo23x0/Base64_CheatSheet.md
Created March 8, 2022 20:32
Learning Aid - Top Base64 Encodings Table

MITRE ATT&CK - T1132 - Data Encoding

| Base64 Code | Mnemonic | Decoded* | Description |
| --- | --- | --- | --- |
| JAB | Jabber 🗣 | $. | Variable declaration (UTF-16) |
| TVq | Television 📺 | MZ | MZ header |
| UEs | Upper East Side 🏬 | PK | ZIP, Office documents |
| SUVY | SUV 🚙 | IEX | PowerShell Invoke Expression |
| SQBFAF | Squab 🐣 favorite | I.E. | PowerShell Invoke Expression (UTF-16) |
| PAA | "Pah!" 💪 | <. | Often used by Emotet (UTF-16) |
| cwBhA | Chewbaka 🦁 | s.a. | Often used in malicious droppers (UTF-16) 'sal' instead of 'var' |
| aWV4 | Awe version 4 | iex | PowerShell Invoke Expression |
| aQBlA | Aqua Blah (aquaplaning) 💦 | i.e. | PowerShell Invoke Expression (UTF-16) |
| R2V0 | R2D2 🤖 but version 0 | Get | Often used to obfuscate imports like GetCurrentThreadId |
| dmFy | defy / demonify 👹 | var | Variable declaration |
| dgBhA | debugger + high availability | v.a. | Variable declaration (UTF-16) |
| dXNpbm | Dixon problem | usin | Often found in compile after delivery attacks |

* the . stands for 0x00

Cyber Chef Recipe

https://gchq.github.io/CyberChef/#recipe=Fork('%5C%5Cn','%5C%5Cn',false)From_Base64('A-Za-z0-9%2B/%3D',true)&input=SkFCClRWcQpQQUEKU1VWWQpTUUJGQUYKYVdWNAphUUJsQQpSMlYwCmRtRnkKZGdCaEEKY3dCaEEKZFhOcGJt
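
The table can also be applied to command-line logs in a script. The following Python is an added example, not part of the original gist: it flags Base64 tokens that start with one of the table's prefixes and decodes them, treating the payload as UTF-16LE when every second byte is 0x00. The function names, the 12-character minimum token length and the sample command lines are assumptions made for this illustration.

```python
import base64
import re
import string

# Prefix -> description, taken from the table above (descriptions shortened).
PREFIXES = {
    "SQBFAF": "PowerShell Invoke Expression (UTF-16)",
    "dXNpbm": "Often found in compile after delivery attacks",
    "cwBhA": "Often used in malicious droppers (UTF-16)",
    "aQBlA": "PowerShell Invoke Expression (UTF-16)",
    "dgBhA": "Variable declaration (UTF-16)", "JAB": "Variable declaration (UTF-16)",
    "SUVY": "PowerShell Invoke Expression", "aWV4": "PowerShell Invoke Expression",
    "R2V0": "Often used to obfuscate imports", "dmFy": "Variable declaration",
    "TVq": "MZ header", "UEs": "ZIP, Office documents", "PAA": "Often used by Emotet (UTF-16)",
}
ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"
TOKEN = re.compile(r"[A-Za-z0-9+/]{12,}={0,2}")  # assumed minimum length to cut noise

def decode_partial(b64):
    """Decode Base64 of any length; leftover bits that do not fill a byte are dropped."""
    bits = "".join(format(ALPHABET.index(c), "06b") for c in b64.rstrip("="))
    return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits) - len(bits) % 8, 8))

def preview(raw, limit=24):
    """UTF-16LE text if every second leading byte is 0x00, else ASCII with '.' for the rest."""
    if len(raw) >= 4 and not any(raw[1:8:2]):
        return raw[: len(raw) & ~1].decode("utf-16-le", errors="replace")[:limit]
    return "".join(chr(b) if 32 <= b < 127 else "." for b in raw[:limit])

def scan(line):
    """Return (prefix, description, decoded preview) for each flagged Base64 token."""
    hits = []
    for token in TOKEN.findall(line):
        prefix = next((p for p in PREFIXES if token.startswith(p)), None)
        if prefix:
            hits.append((prefix, PREFIXES[prefix], preview(decode_partial(token))))
    return hits

# Constructed sample command lines (not from the original page).
SAMPLES = [
    "powershell -enc " + base64.b64encode("iex (Get-Date)".encode("utf-16-le")).decode(),
    "powershell -e " + base64.b64encode("$x = 1".encode("utf-16-le")).decode(),
    "echo " + base64.b64encode(b"MZ\x90\x00" + bytes(12)).decode() + " > a.b64",
    "echo QUJDREVGR0hJSktMTU5P",  # Base64 of plain text, no table prefix
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(scan(sample) or "no match", "<-", sample)
```

A prefix only matches when the encoded content starts at the beginning of the Base64 token, and the three-character prefixes also occur in benign data, so treat a hit as a lead to decode and review rather than a verdict.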

References

Tweet

Tweet and Thread https://twitter.com/cyb3rops/status/1187341941794660354

cwBha

https://www.hybrid-analysis.com/sample/b744129bfe54de8b36d7556ddfcc55d0be213129041aacf52b7d2f57012caa60?environmentId=100