ps66uk

dridex-qbot-script-decoder

Sep 3rd, 2019
  1. # dridex/qbot vbs decoder (#constunt)
  2. # tested with scripts from:
  3.  
  4. # dridex
  5. # https://app.any.run/tasks/c25c082c-7712-4e62-80f1-bdea4d1e6953/
  6. # https://app.any.run/tasks/7d36a639-0b2a-41a2-8053-cfd703f8f115/
  7.  
  8. # qbot
  9. # https://app.any.run/tasks/a7db0dc7-97e3-4dcb-b3f5-1be72c0de814/
  10.  
  11. # does not decode the EXE, just the other strings in the script
  12. # v0.6 added generic identification of function/offset
  13. # v0.7 changed decoder function name detection to include qbot, fix extra ) on cint/clng
  14. # v0.8 added steps to remove redundant functions/const
  15.  
  16.  
  17. cls
  18.  
  19. $raw_script = gc 'something_evil.vbs'
  20.  
  21. $entry = "([\w]*)\(array\("
  22. $offset = "function ([\w]*)\(.*\)-([\d]{2})\)"
  23. $rx_consts = "const (\w{1,2})=(\d{2,3}):"
  24. $pairs = @()
  25.  
  26. # remove null functions
  27. $null_func = "iF False ThEn :dim [\w]*:End iF:"
  28. ($raw_script | Select-String -Pattern $null_func -AllMatches | % {$_.matches.value} | % {$raw_script = $raw_script -Replace $_, ''})
  29.  
  30. # get array name and decode offset
  31. $arrayname = (($raw_script | Select-String -Pattern $entry | % {$_.matches}).groups[1]).value
  32. $offset = [int](($raw_script | Select-String -Pattern $offset | % {$_.matches}).groups[2]).value
  33.  
  34.  
  35. # extract code table
  36. $raw_script | Select-String -Pattern $rx_consts -AllMatches | % {$_.matches} | % {$pairs += ($_.groups[1].value + " " + [char]($_.groups[2].value - $offset))}
  37. $pairs = $pairs | sort
  38.  
  39. # remove const
  40. $rx_consts2 = "const (\w{1,3})=(\d{2,3}):"
  41. ($raw_script | Select-String -Pattern $rx_consts2 -AllMatches | % {$_.matches.value} | % {$raw_script = $raw_script -Replace $_, ''})
  42.  
  43. # find encoded blocks
  44. $arrays = (($raw_script -split "\(array(\([a-z0-9,]*\))\)") -match "^\([a-z][0-9]?(,[a-z][0-9]?)*\)$" ) | sort -Unique -Descending
  45.  
  46. # decode
  47.     $arrays | % {
  48.  
  49.         $to_Replace = $_
  50.         $original = $_
  51.  
  52.         $pairs | % {
  53.  
  54.             $var1 = ($_[0,1] -replace ' ', '') -join ''
  55.             $var2 = $_[-1]
  56.  
  57.             $to_Replace = $to_Replace -replace "\($var1\)", "($var2)"
  58.             $to_Replace = $to_Replace -replace ",$var1\)", ",$var2 )"
  59.  
  60.         }
  61.  
  62.         $pairs | % {
  63.  
  64.             $var1 = ($_[0,1] -replace ' ', '') -join ''
  65.             $var2 = $_[-1]
  66.  
  67.             $to_Replace = $to_Replace -replace "\($var1,", "($var2"
  68.             $to_Replace = $to_Replace -replace "$var1,", "$var2"  
  69.         }
  70.  
  71.         $raw_script = $raw_script.Replace($original, $to_Replace)
  72.    }
  73.  
  74. # tidy up
  75. $raw_script = $raw_script -replace "$arrayname\(array\([ ]*([^\)]*) *\)\)", '"$1"'
  76. $raw_script = $raw_script -replace 'cint\("([\d)]*)[ ]*"\)', '$1'
  77. $raw_script = $raw_script -replace 'clng\("([\d)]*)[ ]*"\)', '$1'
  78.  
  79. # remove more redundant functions
  80. $redun_func = 'FuNCtiON [\w]*\(\) : dim [\w]* : [\w]*="[\w]* " : End FuNctiOn :'
  81. ($raw_script | Select-String -Pattern $redun_func -AllMatches | % {$_.matches.value} | % {$raw_script = $raw_script.Replace($_, '')})
  82.  
  83. # split lines (needs work)
  84. $raw_script = $raw_script.Replace(':',"`n")
  85.  
  86. $raw_script