# Title: msticpy - Base64 Decoder
## Description:
This module allows you to extract base64 encoded content from a string or columns of a Pandas DataFrame.
The library returns the following information:
- decoded string (if decodable to utf-8 or utf-16)
- hashes of the decoded segment (MD5, SHA1, SHA256)
- string of printable byte values (e.g. for submission to a disassembler)
- the detected decoded file type (limited)

If the results of the decoding contain further encoded strings, these will be decoded recursively. If the encoded string appears to be a zip, gzip or tar archive, the contents will be decompressed after decoding. In the case of zip and tar, the contents of the archive will also be checked for base64 encoded content and decoded/decompressed if possible.
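The following is an added example, not msticpy's own code, showing how the steps described above can be implemented in plain Python: a regular expression locates candidate base64 runs, each run is decoded, hashed and hex-dumped, gzip/zip/tar payloads are recognised by magic bytes and unpacked, and any decoded text is scanned again for further encoded layers. The regex, the 20-character length floor, the `sniff_type`/`decode_text`/`unpack`/`unpack_archive` names, the UTF-16 heuristic and the sample command lines are all this example's own assumptions. One deliberate difference from the output tables below is that a UTF-16LE payload is reported as `utf-16-le` rather than `utf-8`.

```python
import base64
import gzip
import hashlib
import io
import re
import tarfile
import zipfile
import zlib

# Candidate base64 run: 20+ alphabet characters plus optional '=' padding (the length
# floor is this example's assumption: fewer false hits at the cost of short tokens).
B64_RE = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")
MAGIC = {b"\x1f\x8b": "gzip", b"PK\x03\x04": "zip", b"MZ": "pe", b"\x7fELF": "elf"}

def sniff_type(data):
    """Minimal magic-byte sniffer; deliberately limited, like the module's own."""
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    if len(data) > 262 and data[257:262] == b"ustar":  # POSIX tar header
        return "tar"
    return "unknown"

def _is_text(text):
    return all(ch.isprintable() or ch in "\t\r\n" for ch in text)

def decode_text(data):
    """Return (text, encoding) for printable utf-8 or utf-16-le payloads, else (None, None)."""
    # UTF-16LE is only worth trying when the odd bytes are mostly NUL (Latin text widened
    # to two bytes, as in PowerShell -enc); arbitrary binary otherwise decodes to printable
    # CJK/Cyrillic code points and would be misreported as text.
    wide = len(data) >= 2 and data[1::2].count(0) / (len(data) // 2) > 0.7
    for encoding in ("utf-8",) + (("utf-16-le",) if wide else ()):
        try:
            text = data.decode(encoding)
        except UnicodeDecodeError:
            continue
        if _is_text(text):
            return text, encoding
    return None, None

def unpack_archive(kind, data):
    """Yield (member_name, member_bytes) for gzip, zip and tar payloads."""
    if kind == "gzip":
        yield "gzip-stream", gzip.decompress(data)
    elif kind == "zip":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for name in zf.namelist():
                yield name, zf.read(name)
    elif kind == "tar":
        with tarfile.open(fileobj=io.BytesIO(data)) as tf:
            for member in tf.getmembers():
                if member.isfile():
                    yield member.name, tf.extractfile(member).read()

def unpack(text, depth=0, max_depth=5):
    """Decode every base64 segment in text, descending into archives and decoded content."""
    results = []
    if depth > max_depth:
        return results
    for match in B64_RE.finditer(text):
        segment = match.group(0)
        core = segment.rstrip("=")  # re-pad from the alphabet part only
        try:
            raw = base64.b64decode(core + "=" * (-len(core) % 4), validate=True)
        except ValueError:  # binascii.Error is a ValueError: not valid base64, skip
            continue
        container = sniff_type(raw)
        members = [(None, raw)]
        if container in ("gzip", "zip", "tar"):
            try:
                members = list(unpack_archive(container, raw))
            except (OSError, EOFError, zlib.error, zipfile.BadZipFile, tarfile.TarError):
                container = "unknown"  # magic matched but the payload is not a valid archive
        for name, data in members:
            decoded, encoding = decode_text(data)
            results.append({
                "depth": depth, "original_string": segment, "container": container,
                "file_name": name, "file_type": sniff_type(data),
                "encoding_type": encoding or "binary", "decoded_string": decoded,
                "md5": hashlib.md5(data).hexdigest(),
                "sha1": hashlib.sha1(data).hexdigest(),
                "sha256": hashlib.sha256(data).hexdigest(),
                "printable_bytes": " ".join(f"{b:02x}" for b in data[:32]),
            })
            if decoded:  # recurse into decoded text for further encoded layers
                results.extend(unpack(decoded, depth + 1, max_depth))
    return results

# Constructed, benign samples: a UTF-16LE "-enc" payload, the same payload gzip-wrapped and
# base64-encoded again, and a run of 'a's that matches the regex but is not base64 at all.
INNER = "Write-Output 'hello'"
INNER_B64 = base64.b64encode(INNER.encode("utf-16-le")).decode()
GZ_B64 = base64.b64encode(gzip.compress(INNER_B64.encode())).decode()
SAMPLE_PLAIN = f"powershell -enc {INNER_B64}"
SAMPLE_NESTED = f"powershell -enc {GZ_B64}"
SAMPLE_NOISE = "cmd /c echo aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
```

`unpack(SAMPLE_NESTED)` returns two records: the gzip container at depth 0 and the UTF-16LE text recovered from the base64 inside it at depth 1. `unpack(SAMPLE_NOISE)` shows the caveat visible in rows 1 to 3 of the output tables below: any long run of base64-alphabet characters, including a plain hex hash or repeated letters, decodes "successfully" to binary (the 32 `a`s become the `69 a6 9a` byte pattern), so `encoding_type` and `file_type` are the columns to triage on, not the mere presence of a hit.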
|   | CommandLine |
|---|---|
| 0 | .\ftp -s:C:\RECYCLER\xxppyy.exe |
| 1 | .\reg not /domain:everything that /sid:shines... |
| 2 | cmd /c "systeminfo && systeminfo" |
| 3 | .\rundll32 /C 42424.exe |
| 4 | .\rundll32 /C c:\users\MSTICAdmin\42424.exe |
|   | reference | original_string | file_name | file_type | input_bytes | decoded_string | encoding_type | file_hashes | md5 | sha1 | sha256 | printable_bytes | src_index | full_decoded_string |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 0 | (, 1., 1) | JAB0ACAAPQAgACcAZABpAHIAJwA7AA0ACgAmACAAKAAnAE... | unknown | None | b"$\x00t\x00 \x00=\x00 \x00'\x00d\x00i\x00r\x0... | $\x00t\x00 \x00=\x00 \x00'\x00d\x00i\x00r\x00'\x00;\x00\r\x00\n\x00&\x00 \x00(\x00'\x00I\x00n\x00v\x00o\x00k\x00... | utf-8 | {'md5': '6cd1486db221e532cc2011c9beeb4ffc', 's... | 6cd1486db221e532cc2011c9beeb4ffc | 6e485467d7e06502046b7c84a8ef067cfe1512ad | d3291dab1ae552b91e6b50d7460ceaa39f6f92b2cda433... | 24 00 74 00 20 00 3d 00 20 00 27 00 64 00 69 0... | 39 | .\powershell -enc <decoded type='string' name... |
| 1 | (, 1., 1) | aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa | unknown | None | b'i\xa6\x9ai\xa6\x9ai\xa6\x9ai\xa6\x9ai\xa6\x9... | None | binary | {'md5': '9a45b2520e930dc9186f6d93a7798a13', 's... | 9a45b2520e930dc9186f6d93a7798a13 | f526c90fa0744e3a63d84421ff25e3f5a3d697cb | c1f6c05bdbe28a58557a9477cd0fa96fbc5e7c54ceb605... | 69 a6 9a 69 a6 9a 69 a6 9a 69 a6 9a 69 a6 9a 6... | 40 | cmd /c "echo # <decoded value='binary' name=... |
| 2 | (, 1., 1) | aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa | unknown | None | b'i\xa6\x9ai\xa6\x9ai\xa6\x9ai\xa6\x9ai\xa6\x9... | None | binary | {'md5': '9a45b2520e930dc9186f6d93a7798a13', 's... | 9a45b2520e930dc9186f6d93a7798a13 | f526c90fa0744e3a63d84421ff25e3f5a3d697cb | c1f6c05bdbe28a58557a9477cd0fa96fbc5e7c54ceb605... | 69 a6 9a 69 a6 9a 69 a6 9a 69 a6 9a 69 a6 9a 6... | 41 | cmd /c "echo # <decoded value='binary' name=... |
| 3 | (, 1., 1) | 81ed03caf6901e444c72ac67d192fb9c | unknown | None | b'\xf3W\x9d\xd3w\x1a\x7f\xaft\xd5\xee8\xe1\xce... | None | binary | {'md5': '1c8cc6299bd654bbcd85710968d6a87c', 's... | 1c8cc6299bd654bbcd85710968d6a87c | 55377391141f59a2ff5ae4765d9f0b4438adfd73 | fd80ceba7cfb49d296886c10d9a3497d63c89a589587cd... | f3 57 9d d3 77 1a 7f af 74 d5 ee 38 e1 ce f6 6... | 44 | implant.exe <decoded value='binary' name='[N... |
| SourceIndex | TenantId | Account | EventID | TimeGenerated | Computer | SubjectUserSid | SubjectUserName | SubjectDomainName | SubjectLogonId | NewProcessId | ... | input_bytes | decoded_string | encoding_type | file_hashes | md5 | sha1 | sha256 | printable_bytes | src_index | full_decoded_string |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 39 | 802d39e1-9d70-404d-832c-2de5e2478eda | MSTICAlertsWin1\MSTICAdmin | 4688 | 2019-01-15 05:15:13.567 | MSTICAlertsWin1 | S-1-5-21-996632719-2361334927-4038480536-500 | MSTICAdmin | MSTICAlertsWin1 | 0xfaac27 | 0x1684 | ... | b"$\x00t\x00 \x00=\x00 \x00'\x00d\x00i\x00r\x0... | $\x00t\x00 \x00=\x00 \x00'\x00d\x00i\x00r\x00'\x00;\x00\r\x00\n\x00&\x00 \x00(\x00'\x00I\x00n\x00v\x00o\x00k\x00... | utf-8 | {'md5': '6cd1486db221e532cc2011c9beeb4ffc', 's... | 6cd1486db221e532cc2011c9beeb4ffc | 6e485467d7e06502046b7c84a8ef067cfe1512ad | d3291dab1ae552b91e6b50d7460ceaa39f6f92b2cda433... | 24 00 74 00 20 00 3d 00 20 00 27 00 64 00 69 0... | 39.0 | .\powershell -enc <decoded type='string' name... |
| 40 | 802d39e1-9d70-404d-832c-2de5e2478eda | MSTICAlertsWin1\MSTICAdmin | 4688 | 2019-01-15 05:15:13.683 | MSTICAlertsWin1 | S-1-5-21-996632719-2361334927-4038480536-500 | MSTICAdmin | MSTICAlertsWin1 | 0xfaac27 | 0x16b8 | ... | b'i\xa6\x9ai\xa6\x9ai\xa6\x9ai\xa6\x9ai\xa6\x9... | None | binary | {'md5': '9a45b2520e930dc9186f6d93a7798a13', 's... | 9a45b2520e930dc9186f6d93a7798a13 | f526c90fa0744e3a63d84421ff25e3f5a3d697cb | c1f6c05bdbe28a58557a9477cd0fa96fbc5e7c54ceb605... | 69 a6 9a 69 a6 9a 69 a6 9a 69 a6 9a 69 a6 9a 6... | 40.0 | cmd /c "echo # <decoded value='binary' name=... |
| 41 | 802d39e1-9d70-404d-832c-2de5e2478eda | MSTICAlertsWin1\MSTICAdmin | 4688 | 2019-01-15 05:15:13.793 | MSTICAlertsWin1 | S-1-5-21-996632719-2361334927-4038480536-500 | MSTICAdmin | MSTICAlertsWin1 | 0xfaac27 | 0x16ec | ... | b'i\xa6\x9ai\xa6\x9ai\xa6\x9ai\xa6\x9ai\xa6\x9... | None | binary | {'md5': '9a45b2520e930dc9186f6d93a7798a13', 's... | 9a45b2520e930dc9186f6d93a7798a13 | f526c90fa0744e3a63d84421ff25e3f5a3d697cb | c1f6c05bdbe28a58557a9477cd0fa96fbc5e7c54ceb605... | 69 a6 9a 69 a6 9a 69 a6 9a 69 a6 9a 69 a6 9a 6... | 41.0 | cmd /c "echo # <decoded value='binary' name=... |
| 44 | 802d39e1-9d70-404d-832c-2de5e2478eda | MSTICAlertsWin1\MSTICAdmin | 4688 | 2019-01-15 05:15:12.003 | MSTICAlertsWin1 | S-1-5-21-996632719-2361334927-4038480536-500 | MSTICAdmin | MSTICAlertsWin1 | 0xfaac27 | 0x1250 | ... | b'\xf3W\x9d\xd3w\x1a\x7f\xaft\xd5\xee8\xe1\xce... | None | binary | {'md5': '1c8cc6299bd654bbcd85710968d6a87c', 's... | 1c8cc6299bd654bbcd85710968d6a87c | 55377391141f59a2ff5ae4765d9f0b4438adfd73 | fd80ceba7cfb49d296886c10d9a3497d63c89a589587cd... | f3 57 9d d3 77 1a 7f af 74 d5 ee 38 e1 ce f6 6... | 44.0 | implant.exe <decoded value='binary' name='[N... |

4 rows × 36 columns