This tool allows to statically analyze windows, linux, osx, executables and also APK files.
You can get:
- What DLL files are used.
- Functions and API's.
- Sections and segments.
- URL's, IP addresses and emails.
- Android permissions.
- File extensions and their names.
And so on...
Qu1cksc0pe aims to get even more information about suspicious files and helps to user realizing what that file capable of.
- Usage:
python3 qu1cksc0pe.py --file suspicious_file --analyze - Alternative usage:
python3 qu1cksc0pe.py --file [PATH TO FILE] --analyze
28/02/2021
-
ApkAnalyzermodule upgraded.
- You can also use Qu1cksc0pe from
Windows Subsystem Linuxin Windows 10.
Necessary python modules:
puremagic=> Analyzing target OS and magic numbers.androguard=> Analyzing APK files.apkid=> Check for Anti-VM and Anti-Debug codes.prettytable=> Pretty outputs.tqdm=> Progressbar animation.colorama=> Colored outputs.oletools=> Analyzing VBA Macros.pefile=> Gathering all information from PE files.spacy=> Natural Language Processing for string analysis.quark-engine=> Extracting IP addresses and URLs from APK files.
Installation of python modules: pip3 install -r requirements.txt
Gathering other dependencies:
- VirusTotal API Key:
https://virustotal.com - Binutils:
sudo apt-get install binutils - ExifTool:
sudo apt-get install exiftool - Strings:
sudo apt-get install strings
Usage: python3 qu1cksc0pe.py --file suspicious_file --analyze
Usage: python3 qu1cksc0pe.py --multiple FILE1 FILE2 ...
Usage: python3 qu1cksc0pe.py --file suspicious_file --hashscan
Supported Arguments:
--hashscan--packer
Usage: python3 qu1cksc0pe.py --folder FOLDER --hashscan
Report Contents:
Threat CategoriesDetectionsCrowdSourced IDS Reports
Usage for --vtFile: python3 qu1cksc0pe.py --file suspicious_file --vtFile
Usage: python3 qu1cksc0pe.py --file suspicious_document --docs
Usage: python3 qu1cksc0pe.py --file suspicious_executable --lang
Usage: python3 qu1cksc0pe.py --file suspicious_file --domain
This category contains functions and strings about:
- Creating or destroying registry keys.
- Changing registry keys and registry logs.
This category contains functions and strings about:
- Creating/changing/infecting/deleting files.
- Getting informations about file contents and file systems.
This category contains functions and strings about:
- Communicating malicious hosts.
- Download malicious files.
- Sending informations about infected machine and its user.
This category contains functions and strings about:
- Creating/infecting/terminating processes.
- Manipulating processes.
This category contains functions and strings about:
- Handling DLL files and another malware's resource files.
- Infecting and manipulating DLL files.
This category contains functions and strings about:
- Manipulating Windows security policies and bypassing restrictions.
- Detecting debuggers and doing evasive tricks.
This category contains functions and strings about:
- Executing system commands.
- Manipulating system files and system options to get persistence in target systems.
This category contains functions and strings about:
- Microsoft's Component Object Model system.
This category contains functions and strings about:
- Encrypting and decrypting files.
- Creating and destroying hashes.
This category contains functions and strings about:
- Gathering all informations from target hosts. Like process states, network devices etc.
This category contains functions and strings about:
- Tracking infected machine's keyboard.
- Gathering information about targets keyboard.
- Managing input methods etc.
This category contains functions and strings about:
- Manipulating and using target machines memory.