Threat actors constantly evolve their obfuscation techniques to evade detection by security tools and analysts. One common technique is encoding payloads in Base64. However, simply decoding the Base64 string often reveals another layer of obfuscation—usually in the form of shellcode, which requires further analysis to uncover its true intent. In this post, we’ll explore why attackers use this method and how tools like CyberChef and scdbg can be used to analyze and reverse malicious shellcode.
Why Do Threat Actors Use Base64?
Base64 encoding is not inherently malicious; it’s widely used for data transmission, such as encoding binary files or authentication tokens. However, threat actors leverage Base64 encoding for several reasons:
- Evasion of Detection: Many security solutions rely on signature-based detection, and raw shellcode can be flagged by antivirus or endpoint detection and response (EDR) systems. Encoding the payload in Base64 changes the bytes on disk and on the wire, so a signature written for the raw shellcode no longer matches.
- Bypassing Content Filtering: Some systems block known malware signatures or executables but may allow encoded strings to pass through.
- Multi-Layer Obfuscation: Attackers often embed shellcode within multiple layers of encoding (Base64, XOR, AES, etc.), making it harder to analyze.
When you decode a Base64-encoded payload, the result is often not plain text but rather another layer of obfuscation—commonly shellcode that requires further analysis.
Extracting and Analyzing Shellcode
To properly analyze shellcode hidden within a Base64-encoded payload, we can use a combination of CyberChef and scdbg.
Step 1: Decode Base64 with CyberChef
CyberChef is an incredibly powerful tool for analyzing encoded or obfuscated data. Here’s how you can use it:
- Copy the Base64-encoded payload.
- Open CyberChef.
- Drag the “From Base64” operation into the recipe.
- If the output is further obfuscated (e.g., XOR-encoded or compressed), add the appropriate decryption steps (XOR Brute Force, Inflate, etc.).
- Export the decoded binary payload for further analysis.
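The recipe above can be scripted when the same kind of sample keeps arriving. The following Python script is an added example, not part of the original post or of CyberChef: it peels Base64 layers, and when the result still shows no recognisable shellcode content it brute-forces a single-byte XOR key (the same idea as CyberChef's XOR Brute Force), then writes the innermost bytes to a .bin file for scdbg. The marker list and the sample payload (a fake stub made of prologue bytes and API names, with no executable logic) are constructed for the example and are assumptions, not real indicators.

```python
import base64
import binascii
import math
import re
from collections import Counter

# Byte patterns that commonly survive in decoded Windows shellcode: the
# "cld; call" prologue used by many position-independent stubs and ASCII
# names of DLLs/APIs the stub resolves at runtime. Hypothetical marker list
# for this example; extend it with what your own samples show.
SHELLCODE_MARKERS = [b"\xfc\xe8", b"kernel32", b"ws2_32", b"VirtualAlloc",
                     b"CreateProcess", b"WinExec", b"LoadLibrary"]

BASE64_RE = re.compile(rb"^[A-Za-z0-9+/]+={0,2}$")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 0 for repetitive data, near 8 for encrypted/compressed data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_like_base64(data: bytes) -> bool:
    """Cheap syntactic check: Base64 alphabet only, padded to a multiple of four."""
    compact = b"".join(data.split())
    return len(compact) >= 8 and len(compact) % 4 == 0 and BASE64_RE.match(compact) is not None


def marker_score(data: bytes) -> int:
    """How many known shellcode markers occur; 0 means the layer is still obfuscated."""
    return sum(data.count(m) for m in SHELLCODE_MARKERS)


def xor_brute_force(data: bytes) -> tuple[int, bytes]:
    """Try all 255 single-byte XOR keys; return the key and output with the best marker score.
    Key 0 means no key exposed more markers than the input already had."""
    best = (0, data, marker_score(data))
    for key in range(1, 256):
        candidate = bytes(b ^ key for b in data)
        score = marker_score(candidate)
        if score > best[2]:
            best = (key, candidate, score)
    return best[0], best[1]


def peel_layers(blob: bytes, max_layers: int = 5) -> tuple[list[str], bytes]:
    """Strip Base64 layers and, when markers are still absent, a single-byte XOR layer.
    Returns the layers removed (e.g. ["base64", "base64", "xor:0x41"]) and the innermost bytes."""
    steps, data = [], blob
    for _ in range(max_layers):
        if looks_like_base64(data):
            try:
                data = base64.b64decode(b"".join(data.split()), validate=True)
            except binascii.Error:
                break
            steps.append("base64")
            continue
        if marker_score(data) == 0:
            key, candidate = xor_brute_force(data)
            if key == 0:
                break  # multi-byte key, compression or real encryption: hand to CyberChef
            data, steps = candidate, steps + [f"xor:0x{key:02x}"]
            continue
        break
    return steps, data


def triage(blob: bytes) -> dict:
    """One-shot summary an analyst can act on before handing the bytes to scdbg."""
    steps, data = peel_layers(blob)
    return {"layers": steps, "entropy": round(shannon_entropy(data), 2),
            "markers": marker_score(data), "size": len(data), "payload": data}


# Constructed sample: a fake stub (prologue bytes plus DLL/API strings, no
# executable logic), XOR-ed with 0x41 and then Base64-encoded twice.
FAKE_STUB = (b"\xfc\xe8\x82\x00\x00\x00" + b"kernel32.dll\x00"
             + b"LoadLibraryA\x00" + b"WinExec\x00")
SAMPLE = base64.b64encode(base64.b64encode(bytes(b ^ 0x41 for b in FAKE_STUB)))

if __name__ == "__main__":
    result = triage(SAMPLE)
    print("layers removed:", result["layers"])
    print("entropy:", result["entropy"], "markers:", result["markers"], "bytes:", result["size"])
    with open("malicious.bin", "wb") as fh:  # input for: scdbg -f malicious.bin
        fh.write(result["payload"])
```

A high entropy (above roughly 7.5 bits per byte) with zero markers after the XOR pass is the signal to stop scripting and go back to CyberChef for the Inflate, AES or multi-byte XOR steps the text mentions; the script deliberately gives up rather than guess.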
Step 2: Analyze Shellcode with scdbg
scdbg (Shellcode Debugger) is a useful tool for analyzing Windows shellcode by emulating its execution in a controlled environment.
To analyze the extracted shellcode:
- Save the decoded payload as a raw binary file (e.g., malicious.bin).
- Run scdbg to emulate execution: scdbg -f malicious.bin
- Observe the output for indicators of compromise (IoCs), such as network connections, system API calls, or process injection techniques.
Step 3: Identify and Extract IoCs
By analyzing scdbg’s output, you can identify key behaviors, such as:
- C2 (Command & Control) Communication: Look for suspicious IP addresses or domains.
- Windows API Calls: Calls to VirtualAlloc, CreateProcess, or WinExec suggest potential malicious execution.
- Process Injection Techniques: If the shellcode attempts to inject into another process, it’s likely part of an advanced attack.
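Steps 2 and 3 both come down to reading the emulator's API trace for hosts, ports, paths and the API sequences listed above. The script below is an added example, not part of the original post or of scdbg: it parses a trace, groups the calls into the categories the text describes (network, memory, execution, injection) and pulls out the IoCs. The sample trace is constructed and only loosely shaped like scdbg output (the exact format varies by version), and the IP address is from the reserved documentation range; adjust the regexes against a real trace before relying on them.

```python
import re
from collections import defaultdict

# Constructed sample resembling an scdbg API trace: address, then the call
# with its arguments. Not real scdbg output; the IP is a documentation address.
SAMPLE_TRACE = r"""
Loaded 1a9 bytes from file malicious.bin
Initialization Complete..
Max Steps: 2000000
Using base offset: 0x401000

4010a1  LoadLibraryA(ws2_32)
4010b6  WSAStartup(190)
4010c9  WSASocket(af=2, tp=1, proto=0, group=0, flags=0)
4010df  connect(h=42, host: 203.0.113.10 , port: 4444 ) = 71ab4a07
4010f3  VirtualAlloc(base=0 , sz=1000) = 600000
401107  OpenProcess(access=0x1f0fff, inherit=0, pid=1234)
40111b  WriteProcessMemory(hProc=4, addr=600000, buf=401200, sz=200)
40112f  CreateRemoteThread(hProc=4, start=600000)
401143  WinExec(cmd=C:\Users\Public\update.exe, show=0)

Stepcount 2000000
"""

# Real Win32 API names grouped by the behaviours the text above calls out.
API_CATEGORIES = {
    "network": {"WSAStartup", "WSASocket", "socket", "connect", "send", "recv",
                "InternetOpenA", "InternetOpenUrlA", "URLDownloadToFileA"},
    "memory": {"VirtualAlloc", "VirtualAllocEx", "VirtualProtect", "HeapCreate"},
    "execution": {"WinExec", "CreateProcessA", "CreateProcessW", "ShellExecuteA", "CreateThread"},
    "injection": {"OpenProcess", "WriteProcessMemory", "CreateRemoteThread",
                  "NtCreateThreadEx", "SetThreadContext", "QueueUserAPC"},
    "loader": {"LoadLibraryA", "LoadLibraryW", "GetProcAddress"},
}

CALL_RE = re.compile(r"^\s*([0-9a-fA-F]{5,8})\s+([A-Za-z_][A-Za-z0-9_]*)\((.*)\)")
HOST_RE = re.compile(r"host:\s*([0-9A-Za-z.\-]+)")
PORT_RE = re.compile(r"port:\s*(\d+)")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
PATH_RE = re.compile(r"[A-Za-z]:\\[^\s,)]+")


def parse_trace(trace: str) -> dict:
    """Extract the ordered API calls, a per-category breakdown and network/file IoCs."""
    calls, by_category = [], defaultdict(list)
    iocs = {"hosts": set(), "ports": set(), "paths": set()}
    for line in trace.splitlines():
        m = CALL_RE.match(line)
        if not m:
            continue  # banner, blank and summary lines carry no call
        addr, api, args = m.groups()
        calls.append((addr, api))
        for category, apis in API_CATEGORIES.items():
            if api in apis:
                by_category[category].append(api)
        iocs["hosts"].update(HOST_RE.findall(args))
        iocs["hosts"].update(IPV4_RE.findall(args))
        iocs["ports"].update(int(p) for p in PORT_RE.findall(args))
        iocs["paths"].update(PATH_RE.findall(args))
    return {"calls": calls, "by_category": dict(by_category), "iocs": iocs}


def assess(parsed: dict) -> list[str]:
    """Turn the breakdown into the behavioural findings an analyst reports."""
    cats, findings = parsed["by_category"], []
    if cats.get("network"):
        findings.append("network activity (possible C2 communication)")
    if {"OpenProcess", "WriteProcessMemory", "CreateRemoteThread"} <= set(cats.get("injection", [])):
        findings.append("remote-thread process injection chain")
    if cats.get("memory") and cats.get("execution"):
        findings.append("allocates memory and launches execution")
    return findings


if __name__ == "__main__":
    import sys
    # Usage: scdbg -f malicious.bin > trace.txt && python3 this_script.py trace.txt
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_TRACE
    parsed = parse_trace(text)
    for category, apis in sorted(parsed["by_category"].items()):
        print(f"{category:10s} {', '.join(apis)}")
    print("hosts:", sorted(parsed["iocs"]["hosts"]), "ports:", sorted(parsed["iocs"]["ports"]))
    print("paths:", sorted(parsed["iocs"]["paths"]))
    for finding in assess(parsed):
        print("-", finding)
```

The order of calls matters as much as their names: VirtualAlloc followed by WriteProcessMemory and CreateRemoteThread into a handle obtained from OpenProcess is the injection pattern the text refers to, whereas VirtualAlloc on its own is what nearly every loader does.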
In the video below, see a demonstration of one of our team members uncovering shellcode that was used in the LockBit 3.0 ransomware variant.
Conclusion
Threat actors use Base64 encoding not just to hide their payloads but to add layers of obfuscation, making analysis more challenging. However, by leveraging CyberChef for decoding and scdbg for shellcode analysis, security analysts can efficiently reverse-engineer and detect malicious payloads. Understanding these techniques is crucial for strengthening your threat detection and response capabilities.