These are tools I developed for myself; the code can be messy, but most of the time it works. If they are useful or help someone along the way, all the better.
Decodes obfuscated .bat files used by a new piece of malware. These files rely on a simple character-array substitution (every character of the real script is pulled out of one long string with %VAR:~index,1%) combined with references to empty, never-defined variables that expand to nothing. This script recovers the original .bat script statically, without executing it. The format of the obfuscated files looks something like this:
ÿþ&@cls&@set "Ãç�¡=3aQBGDRprYNqscPt u7ZdkCWgLFhEjmobiy5I8OnvT1lw6M0X@AVJx9U24zKfHSe"
ÿþ&%Ãç�¡:~13,1%%Ãç�¡:~43,1%%¶i�Ãa³�%%Ãç�¡:~12,1%
%Ãç�¡:~49,1%%Ãç�¡:~63,1%%Ãç�¡:~13,1%%Ãç�¡:~27,1%%Ãç�¡:~31,1%%Ãç�¡:~16,1%%Ãç�¡:~31,1%%Ãç�¡:~60,1%%Ãç�¡:~60,1%
%Ãç�¡:~12,1%%Ãç�¡:~63,1%%vÃYÃ�¥e%%Ãç�¡:~15,1%%Ãç�¡:~43,1%%Ãç�¡:~31,1%%Ãç�¡:~13,1%%Ãç�¡:~1,1%%Ãç�¡:~43,1%
...
Usage:
decode_batch.py -f <inputfile>
Check if an IP address belongs to one of the Azure network ranges. It works on the Azure IP Ranges and Service Tags JSON; just download the JSON from: https://www.microsoft.com/en-us/download/details.aspx?id=56519
ip_find.py -f <inputfile> -i <ip_address>
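A lookup in the same spirit, added as an example that is not the ip_find.py from this repository. It assumes the layout of Microsoft's service-tags JSON (a top-level "values" list whose entries carry "name" and "properties.addressPrefixes"); the embedded document is a constructed sample using documentation prefixes (198.51.100.0/24, 2001:db8::/32), not real Azure ranges. Matches are returned most-specific first, which is what you want when a /26 belonging to a particular service sits inside a broader regional /24.

```python
"""Find which Azure service tags contain an IP address (added example)."""
import argparse
import ipaddress
import json

# Constructed sample in the shape of the ServiceTags_Public JSON; prefixes are
# documentation ranges, not real Azure allocations.
SAMPLE_JSON = """{
  "changeNumber": 1,
  "cloud": "Public",
  "values": [
    {"name": "AzureCloud.westeurope", "id": "AzureCloud.westeurope",
     "properties": {"region": "westeurope",
                    "addressPrefixes": ["198.51.100.0/24", "2001:db8:1::/48"]}},
    {"name": "Storage.westeurope", "id": "Storage.westeurope",
     "properties": {"region": "westeurope",
                    "addressPrefixes": ["198.51.100.0/26"]}}
  ]
}"""


def load_ranges(doc: dict) -> list:
    """Flatten the JSON into (tag name, region, network) tuples, skipping bad prefixes."""
    ranges = []
    for entry in doc.get("values", []):
        props = entry.get("properties", {})
        for prefix in props.get("addressPrefixes", []):
            try:
                net = ipaddress.ip_network(prefix, strict=False)
            except ValueError:
                continue  # malformed prefix in the file; ignore rather than abort
            ranges.append((entry.get("name", "?"), props.get("region", ""), net))
    return ranges


def find_ip(ip_text: str, ranges: list) -> list:
    """Return the tag names whose prefixes contain ip_text, most specific first."""
    ip = ipaddress.ip_address(ip_text)  # raises ValueError on garbage input
    hits = [(net.prefixlen, name) for name, _region, net in ranges
            if net.version == ip.version and ip in net]
    hits.sort(key=lambda h: h[0], reverse=True)
    return [name for _plen, name in hits]


def main():
    parser = argparse.ArgumentParser()
    parser.add_argument("-f", help="ServiceTags JSON file (embedded sample if omitted)")
    parser.add_argument("-i", required=True, help="IP address to look up")
    args = parser.parse_args()
    if args.f:
        with open(args.f, encoding="utf-8") as fh:
            doc = json.load(fh)
    else:
        doc = json.loads(SAMPLE_JSON)
    tags = find_ip(args.i, load_ranges(doc))
    print("\n".join(tags) if tags else f"{args.i}: not in any Azure range")


if __name__ == "__main__":
    main()
```

The real file holds tens of thousands of prefixes; a linear scan is still fast enough for one-off lookups, but for bulk checks (say, an IDS export) build the range list once and call find_ip per address.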