unsapien is a Python script developed in order to extract scripts, files and configuration from executables created by SAPIEN Script Packager available in products such as:
Script has been initially created in order to quickly extract and triage PowerShell scripts from a large number of (potentially malicious) executables found on VirusTotal.
This script needs Python 2.7.x and has been tested on macOS High Sierra and Ubuntu 17.10. Following additional Python modules are needed:
- construct (>=2.9)
usage: unsapien.py [-h] [-v] [-d directory] file Extracts embedded scripts, files and configuration from binaries generated by SAPIEN Script Packager (available e.g. in PowerShell Studio or PrimalScript) positional arguments: file Input file optional arguments: -h, --help show this help message and exit -v, --verbose Enable verbose output -d directory, --dump directory Dump files to specified directory
Script is based solely on data obtained from analysis performed on limited number of executables found on VirusTotal and may not work with all versions of SAPIEN Script Packager.