All-in-One malware analysis tool for analyzing Windows, Linux, OSX binaries, document files, APK files and archive files.
You can get:
- What DLL files are used.
- Functions and APIs.
- Sections and segments.
- URLs, IP addresses and emails.
- Android permissions.
- File extensions and their names.
And so on...
Qu1cksc0pe aims to get even more information about suspicious files and helps the user realize what that file is capable of.
| Files | Analysis Type |
|---|---|
| Windows Executables (.exe, .dll, .msi, .bin) | Static, Dynamic |
| Linux Executables (.elf, .bin) | Static, Dynamic |
| MacOS Executables (mach-o) | Static |
| Android Files (.apk, .jar) | Static, Dynamic (for now .apk only) |
| Golang Binaries (Linux) | Static |
| Document Files | Static |
| Archive Files (.zip, .rar, .ace) | Static |
python3 qu1cksc0pe.py --file suspicious_file --analyze
10/06/2023
- WindowsAnalyzer module is upgraded. Added basic detection capability for detecting PsExec, Rubeus, Mimikatz binaries.
- Added basic detection capability for detecting interesting strings (like filenames etc.).
25/05/2023
- ResourceAnalyzer module is significantly upgraded. Now it has better detection and carving abilities!
- You can also use Qu1cksc0pe from Windows Subsystem for Linux in Windows 10.
Necessary python modules:
- puremagic => Analyzing target OS and magic numbers.
- androguard => Analyzing APK files.
- apkid => Check for Obfuscators, Anti-Disassembly, Anti-VM and Anti-Debug.
- rich => Pretty outputs and TUI.
- tqdm => Progress bar animation.
- colorama => Colored outputs.
- oletools => Analyzing VBA Macros.
- pefile => Gathering all information from PE files.
- quark-engine => Extracting IP addresses and URLs from APK files.
- pyaxmlparser => Gathering information from target APK files.
- yara-python => Android library scanning with Yara rules.
- prompt_toolkit => Interactive shell.
- frida => Performing dynamic analysis against Android applications.
- lief => ELF binary parsing and analysis.
- zepu1chr3 => Analyzing binaries via radare2.
- pygore => Analyzing golang binaries.
- qiling => Dynamic analysis of binaries.
- pdfminer.six => PDF analysis.
- rarfile => Rar analysis.
- acefile => Ace analysis.
- Pillow => Bitmap image analysis.
Other dependencies:
- VirusTotal API Key => Performing VirusTotal based analysis.
- Strings => Necessary for static analysis.
- PyExifTool => Metadata extraction.
- Jadx => Performing source code and resource analysis.
- PyOneNote => OneNote document analysis.
# You can simply execute the following command!
bash setup.sh
- You can install Qu1cksc0pe easily on your system. Just execute the following commands.
Command 0: sudo pip3 install -r requirements.txt
Command 1: sudo python3 qu1cksc0pe.py --install
Usage: python3 qu1cksc0pe.py --file suspicious_file --analyze
Usage: python3 qu1cksc0pe.py --file suspicious_file --resource
Usage: python3 qu1cksc0pe.py --file suspicious_file --hashscan
Supported Arguments:
--hashscan
--packer
Usage: python3 qu1cksc0pe.py --folder FOLDER --hashscan
Report Contents:
Threat Categories
Detections
CrowdSourced IDS Reports
Usage for --vtFile: python3 qu1cksc0pe.py --file suspicious_file --vtFile
Usage: python3 qu1cksc0pe.py --file suspicious_document --docs
Usage: python3 qu1cksc0pe.py --file suspicious_archive_file --archive
Usage: python3 qu1cksc0pe.py --file suspicious_file --sigcheck
Usage: python3 qu1cksc0pe.py --file suspicious_file --mitre
Usage: python3 qu1cksc0pe.py --file suspicious_executable --lang
Usage: python3 qu1cksc0pe.py --console
Alert: You must connect a virtual device or physical device to your computer.
Usage: python3 qu1cksc0pe.py --runtime
Alert: Binary emulator is not recommended for .NET analysis.
Usage: python3 qu1cksc0pe.py --file suspicious_file --watch
- The Cyber Security Hub
- Kitploit - Top 20 Most Popular Hacking Tools in 2021
- CSIRT.MAI
- Vulners
- RedPacket Security
- Bournemouth University - CERT
- Hacking Articles - Digital Forensics Tools Mindmap
For most of the FRIDA scripts: https://github.com/Ch0pin/
Other scripts: https://codeshare.frida.re/browse