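PowerShell script for deobfuscating SeroXen batch files:
<#
.SYNOPSIS
    Uncloak-SeroXen
.DESCRIPTION
    Use this script to deobfuscate Windows batch files that have been obfuscated
    with SeroXen, leaving the uncloaked version.

    How it works: a copy of the obfuscated batch file is written with a small
    prologue inserted after its first line; the prologue redirects the output of
    the remainder of the script into tmp.txt. The copy is then executed so that
    cmd.exe itself expands the obfuscated command lines. The captured transcript
    is stripped of the "C:\...>" prompt prefixes and written to the output file.
    The temporary copy and transcript are removed afterwards.

    WARNING: This script must be run in a sandbox!
.EXAMPLE
    ./Uncloak-SeroXen obfuscated.bat deobfuscated.txt
.NOTES
    Version: 1.0
    Author: Peter Girnus (Zero Day Initiative)
.LINK
    https://www.zerodayinitiative.com/
    https://www.trendmicro.com/
#>
param (
    # Obfuscated batch file
    [Parameter(Mandatory = $true)]
    [ValidateScript({ Test-Path $_ -PathType 'Leaf' })]
    [string]$InputFilePath,

    # Deobfuscated output file
    [Parameter(Mandatory = $true)]
    [string]$OutputFilePath
)

#-----------------------------------------------------------[Functions]------------------------------------------------------------

# Executes the prepared (modified) batch file and waits for it to finish.
# The batch file's own commands run at this point; this is why the script
# is sandbox-only. Reports the exit code but does not throw: callers continue
# to the transcript/cleanup steps regardless.
#   FilePath - path to the modified batch file (must exist)
function Run-SeroXenBatch {
    param (
        [Parameter(Mandatory = $true)]
        [ValidateScript({ Test-Path $_ -PathType 'Leaf' })]
        [string]$FilePath
    )

    try {
        # -ErrorAction Stop turns a launch failure into a terminating error so
        # the catch block below actually sees it.
        $process = Start-Process -FilePath $FilePath -PassThru -Wait -ErrorAction Stop

        if ($process.ExitCode -eq 0) {
            Write-Host "Successfully executed modified SeroXen file $FilePath."
        } else {
            Write-Host "Execution of modified SeroXen file $FilePath failed with exit code $($process.ExitCode)."
        }
    } catch {
        Write-Host "An error occurred while executing modified SeroXen file ${FilePath}: $($_.Exception.Message)"
    }
}

# Strips leading cmd.exe prompt prefixes ("C:\some\path>") from every line of
# the captured transcript and writes the result to the output file.
#   InputFile  - transcript produced by the modified batch file
#   OutputFile - destination for the deobfuscated text
function Remove-CMDLines($InputFile, $OutputFile) {
    # A prompt prefix: drive letter, ":\", then anything up to the first ">".
    $pattern = '^[a-zA-Z]:\\[^>]*>'

    try {
        # -ErrorAction Stop so a missing transcript (e.g. the batch never ran to
        # the redirect) is reported instead of silently producing an empty file.
        $content = @(Get-Content -LiteralPath $InputFile -ErrorAction Stop)

        # -replace on an array is applied element-wise; lines without a prompt
        # prefix are passed through unchanged, so no explicit -match test is needed.
        $updatedContent = $content -replace $pattern, ''

        $updatedContent | Set-Content -LiteralPath $OutputFile -ErrorAction Stop

        # Report success only after the output file has actually been written.
        Write-Host "Successfully removed command prompt lines from $InputFile. Deobfuscated SeroXen available as $OutputFile."
    } catch {
        Write-Host "An error occurred while attempting to remove command prompt lines from ${InputFile}: $($_.Exception.Message)"
    }
}

# Deletes the temporary batch copy and transcript. Files that do not exist
# (e.g. the transcript was never produced) are skipped rather than reported
# as a cleanup failure.
#   BatFile - temporary modified batch file
#   TxtFile - temporary transcript file
function Run-CleanEnvironment($BatFile, $TxtFile) {
    try {
        foreach ($path in @($BatFile, $TxtFile)) {
            if (Test-Path -LiteralPath $path -PathType Leaf) {
                Remove-Item -LiteralPath $path -Force -ErrorAction Stop
            }
        }

        # Report success only after both removals have completed.
        Write-Host "Successfully cleaned Uncloak-SeroXen environment."
    } catch {
        Write-Host "Failed to cleanup Uncloak-SeroXen environment: $($_.Exception.Message)"
    }
}

# Writes a modified copy of the obfuscated batch file that captures its own
# output. Only the first line is expected to contain "@echo off"; the capture
# prologue is inserted immediately after that first line (and only there, even
# if the same text recurs later in the file).
#   FilePath      - the obfuscated batch file to prepare
#   OutputBatFile - where to write the modified copy (default: ./tmp.bat)
# Returns $true when the copy was written, $false when the input did not look
# like a SeroXen batch (no "@echo off" on the first line) or could not be read.
function Modify-SeroXenBat {
    param (
        [Parameter(Mandatory = $true)]
        [string]$FilePath,

        [string]$OutputBatFile = './tmp.bat'
    )

    try {
        # Read the function's own argument (the original read the script-level
        # $InputFilePath instead, making the parameter a no-op).
        [string[]]$batchContent = @(Get-Content -LiteralPath $FilePath -ErrorAction Stop)
    } catch {
        Write-Host "Could not read ${FilePath}: $($_.Exception.Message)"
        return $false
    }

    # -match is case-insensitive and matches as a substring, so a first line such
    # as "%@echo off%" also qualifies. An empty file yields $null here and fails
    # the check below.
    $echoOffRegex = "@echo off"
    if ($batchContent.Count -eq 0 -or -not ($batchContent[0] -match $echoOffRegex)) {
        Write-Host "First line of $FilePath does not contain '$echoOffRegex'; not a recognised SeroXen batch."
        return $false
    }

    # Prologue placed after the first line: everything after ":sub" is run via
    # "call :sub" with its output redirected into tmp.txt. The file name here
    # must match the -TxtFile path handed to Remove-CMDLines/Run-CleanEnvironment.
    $prologue = @(
        'set "tempFile=tmp.txt"',
        '(call :sub) > "%tempFile%"',
        'exit /b',
        ':sub'
    )

    $modifiedContent = @($batchContent[0]) + $prologue + @($batchContent | Select-Object -Skip 1)

    # Neutralise "%@echo off%"-style lines (presumably how SeroXen hides its
    # echo-off) so that they become "%REM @echo off%" and command echo stays
    # on, which is what makes the expanded commands appear in the transcript.
    # Applied to every line, including the first.
    $modifiedContent = $modifiedContent -replace "%@ech", "%REM @ech"

    try {
        # NOTE: Windows PowerShell 5.1 writes a BOM for UTF8; kept as in the
        # original since the downstream behaviour was tuned against it.
        $modifiedContent | Out-File -FilePath $OutputBatFile -Encoding UTF8 -ErrorAction Stop
    } catch {
        Write-Host "Could not write ${OutputBatFile}: $($_.Exception.Message)"
        return $false
    }

    return $true
}

#-----------------------------------------------------------[Execution]------------------------------------------------------------

# Temporary files live in the current directory. The transcript name must
# match the "tempFile" value set in the prologue written by Modify-SeroXenBat.
$TempBatFile = './tmp.bat'
$TempTxtFile = './tmp.txt'

# Prepare the modified copy; stop early if the input cannot be prepared so the
# later steps do not run on a missing or empty temporary batch file.
if (-not (Modify-SeroXenBat -FilePath $InputFilePath -OutputBatFile $TempBatFile)) {
    Write-Host "Aborting: $InputFilePath could not be prepared for uncloaking."
    exit 1
}

# Execute the modified batch file so cmd.exe expands the obfuscated commands.
Run-SeroXenBatch -FilePath $TempBatFile

# Remove CMD prompt lines from the transcript and write the final output.
Remove-CMDLines -InputFile $TempTxtFile -OutputFile $OutputFilePath

# Clean up the environment.
Run-CleanEnvironment -BatFile $TempBatFile -TxtFile $TempTxtFile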