/Qu1cksc0pe

All-in-One malware analysis tool.

Primary LanguageYARAGNU General Public License v3.0GPL-3.0

Qu1cksc0pe

logo


All-in-One malware analysis tool for analyze Windows, Linux, OSX binaries, Document files, APK files and Archive files.

You can get:

  • What DLL files are used.
  • Functions and APIs.
  • Sections and segments.
  • URLs, IP addresses and emails.
  • Android permissions.
  • File extensions and their names.
    And so on...

Qu1cksc0pe aims to get even more information about suspicious files and helps user realize what that file is capable of.

Qu1cksc0pe Can Analyze Currently

Files Analysis Type
Windows Executables (.exe, .dll, .msi, .bin) Static, Dynamic
Linux Executables (.elf, .bin) Static, Dynamic
MacOS Executables (mach-o) Static
Android Files (.apk, .jar) Static, Dynamic(for now .apk only)
Golang Binaries (Linux) Static
Document Files Static
Archive Files (.zip, .rar, .ace) Static

Usage

python3 qu1cksc0pe.py --file suspicious_file --analyze

Screenshot

2023-04-06_03-47

Updates

10/06/2023

  • WindowsAnalyzer module is upgraded. Added basic detection capability for detecting PsExec, Rubeus, Mimikatz binaries.
  • Added basic detection capability for detecting interesting strings(like filenames etc.) new_update

25/05/2023

  • ResourceAnalyzer module is significantly upgraded. Now it has better detection and carving abilities!
    upgraded_bitmap

Available On

blackarch tsurugi

Note

  • You can also use Qu1cksc0pe from Windows Subsystem Linux in Windows 10.

Setup

Necessary python modules:

  • puremagic => Analyzing target OS and magic numbers.
  • androguard => Analyzing APK files.
  • apkid => Check for Obfuscators, Anti-Disassembly, Anti-VM and Anti-Debug.
  • rich => Pretty outputs and TUI.
  • tqdm => Progressbar animation.
  • colorama => Colored outputs.
  • oletools => Analyzing VBA Macros.
  • pefile => Gathering all information from PE files.
  • quark-engine => Extracting IP addresses and URLs from APK files.
  • pyaxmlparser => Gathering informations from target APK files.
  • yara-python => Android library scanning with Yara rules.
  • prompt_toolkit => Interactive shell.
  • frida => Performing dynamic analysis against android applications.
  • lief => ELF binary parsing and analysis.
  • zepu1chr3 => Analyzing binaries via radare2.
  • pygore => Analyzing golang binaries.
  • qiling => Dynamic analysis of binaries.
  • pdfminer.six => PDF analysis.
  • rarfile => Rar analysis.
  • acefile => Ace analysis.
  • Pillow => Bitmap image analysis.


Other dependencies:

  • VirusTotal API Key => Performing VirusTotal based analysis.
  • Strings => Necessary for static analysis.
  • PyExifTool => Metadata extraction.
  • Jadx => Performing source code and resource analysis.
  • PyOneNote => OneNote document analysis.
# You can simply execute the following command!
bash setup.sh

Installation

  • You can install Qu1cksc0pe easily on your system. Just execute the following commands.
    Command 0: sudo pip3 install -r requirements.txt
    Command 1: sudo python3 qu1cksc0pe.py --install

Static Analysis

Normal analysis

Usage: python3 qu1cksc0pe.py --file suspicious_file --analyze
analyze

Resource analysis

Usage: python3 qu1cksc0pe.py --file suspicious_file --resource
resource

Hash scan

Usage: python3 qu1cksc0pe.py --file suspicious_file --hashscan
hash

Folder scan

Supported Arguments:

  • --hashscan
  • --packer

Usage: python3 qu1cksc0pe.py --folder FOLDER --hashscan
hashscan_tui

VirusTotal

Report Contents:

  • Threat Categories
  • Detections
  • CrowdSourced IDS Reports

Usage for --vtFile: python3 qu1cksc0pe.py --file suspicious_file --vtFile
total

Document scan

Usage: python3 qu1cksc0pe.py --file suspicious_document --docs
docs

Embedded File/Exploit Extraction

exploit

Archive File Scan

Usage: python3 qu1cksc0pe.py --file suspicious_archive_file --archive archiveanalysis

File signature analyzer

Usage: python3 qu1cksc0pe.py --file suspicious_file --sigcheck
sigcheck

File Carving

carving

MITRE ATT&CK Technique Extraction

Usage: python3 qu1cksc0pe.py --file suspicious_file --mitre
mitre

Programming language detection

Usage: python3 qu1cksc0pe.py --file suspicious_executable --lang
langdetect

Interactive shell

Usage: python3 qu1cksc0pe.py --console
console

Dynamic Analysis

Dynamic instrumentation with FRIDA scripts (for android applications)

Alert

You must connect a virtual device or physical device to your computer.


Usage: python3 qu1cksc0pe.py --runtime
dynamic

Binary Emulation

Alert

Binary emulator is not recommended for .NET analysis.


Usage: python3 qu1cksc0pe.py --file suspicious_file --watch
animation

References

Thanks to

For most of FRIDA scripts: https://github.com/Ch0pin/
Another scripts: https://codeshare.frida.re/browse