You can identify a binary using base64 encoding by looking for a long string comprising the Base64 character set (alphanumeric characters, + and /). The following screenshot shows the Base64 character set in the malicious binary, suggesting that malware probably uses Base64 encoding:
You can use the strings cross-references feature (covered in Chapter 5) to locate the code where the Base64 character set is being used, as shown in the following screenshot. Even though it is not necessary to know where the Base64 character set is used in the code to decode Base64 data, sometimes, locating it can be useful, such as in cases where malware authors use Base64 encoding along with other encryption algorithms. For instance, if malware encrypts the C2 network traffic with some encryption algorithm and then uses Base64 encoding; in that case, locating the Base64 character set will likely land you in the Base64 function. You can then analyze the Base64 function or identify the function that calls the Base64 function ( Using Xrefs to feature), which will probably lead you to the encryption function:
Another method to detect the presence of the Base64 character set in the binary is using a YARA rule (YARA was covered in Chapter 2, Static Analysis) such as the one shown here:
rule base64
{
strings:
$a="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
$b="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_"
condition:
$a or $b
}