1.2.4 Identifying Base64

You can identify a binary using base64 encoding by looking for a long string comprising the Base64 character set (alphanumeric characters,  + and /). The following screenshot shows the Base64 character set in the malicious binary, suggesting that malware probably uses Base64 encoding:

You can use the strings cross-references feature (covered in Chapter 5) to locate the code where the Base64 character set is being used, as shown in the following screenshot. Even though it is not necessary to know where the Base64 character set is used in the code to decode Base64 data, sometimes, locating it can be useful, such as in cases where malware authors use Base64 encoding along with other encryption algorithms. For instance, if malware encrypts the C2 network traffic with some encryption algorithm and then uses Base64 encoding; in that case, locating the Base64 character set will likely land you in the Base64 function. You can then analyze the Base64 function or identify the function that calls the Base64 function ( Using Xrefs to feature), which will probably lead you to the encryption function:

You can use string cross-references in x64dbg; to do this, make sure that the debugger is paused anywhere inside the module and then right-click on the disassembly window (CPU window) and select Search for | Current Module | String references.

Another method to detect the presence of the Base64 character set in the binary is using a YARA rule (YARA was covered in Chapter 2, Static Analysis) such as the one shown here:

rule base64
{
strings:
    $a="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
    $b="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_"
condition:
    $a or $b
}
..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.
Reset
3.14.132.214