unsapien is a Python script developed in order to extract scripts, files and configuration from executables created by SAPIEN Script Packager available in products such as:
Script has been initially created in order to quickly extract and triage PowerShell scripts from a large number of (potentially malicious) executables found on VirusTotal.
This script needs Python 2.7.x and has been tested on macOS High Sierra and Ubuntu 17.10. Following additional Python modules are needed:
- construct (>=2.9)
usage: unsapien.py [-h] [-v] [-d directory] file
Extracts embedded scripts, files and configuration from binaries generated by
SAPIEN Script Packager (available e.g. in PowerShell Studio or PrimalScript)
file Input file
-h, --help show this help message and exit
-v, --verbose Enable verbose output
-d directory, --dump directory
Dump files to specified directory
Script is based solely on data obtained from analysis performed on limited number of executables found on VirusTotal and may not work with all versions of SAPIEN Script Packager.