Light

mixedup4x4 / qu1cksc0pe Goto Github PK

View Code? Open in Web Editor NEW

This project forked from cyb3rmx/qu1cksc0pe

0.0 0.0 0.0 108.37 MB

All-in-One malware analysis tool.

License: GNU General Public License v3.0

Shell 0.06% JavaScript 0.90% Python 4.61% Dockerfile 0.01% YARA 94.42%

qu1cksc0pe's Introduction

Qu1cksc0pe

All-in-One malware analysis tool for analyze Windows, Linux, OSX binaries, Document files, APK files and Archive files.

You can get:

What DLL files are used.
Functions and APIs.
Sections and segments.
URLs, IP addresses and emails.
Android permissions.
File extensions and their names.
And so on...

Qu1cksc0pe aims to get even more information about suspicious files and helps user realize what that file is capable of.

Qu1cksc0pe Can Analyze Currently

Files	Analysis Type
Windows Executables (.exe, .dll, .msi, .bin)	Static, Dynamic
Linux Executables (.elf, .bin)	Static, Dynamic
MacOS Executables (mach-o)	Static
Android Files (.apk, .jar)	Static, Dynamic(for now .apk only)
Golang Binaries (Linux)	Static
Document Files	Static
Archive Files (.zip, .rar, .ace)	Static

Usage

python3 qu1cksc0pe.py --file suspicious_file --analyze

Screenshot

Updates

10/06/2023

WindowsAnalyzer module is upgraded. Added basic detection capability for detecting PsExec, Rubeus, Mimikatz binaries.
Added basic detection capability for detecting interesting strings(like filenames etc.)

25/05/2023

ResourceAnalyzer module is significantly upgraded. Now it has better detection and carving abilities!

Available On

Note

You can also use Qu1cksc0pe from Windows Subsystem Linux in Windows 10.

Setup

Necessary python modules:

puremagic => Analyzing target OS and magic numbers.
androguard => Analyzing APK files.
apkid => Check for Obfuscators, Anti-Disassembly, Anti-VM and Anti-Debug.
rich => Pretty outputs and TUI.
tqdm => Progressbar animation.
colorama => Colored outputs.
oletools => Analyzing VBA Macros.
pefile => Gathering all information from PE files.
quark-engine => Extracting IP addresses and URLs from APK files.
pyaxmlparser => Gathering informations from target APK files.
yara-python => Android library scanning with Yara rules.
prompt_toolkit => Interactive shell.
frida => Performing dynamic analysis against android applications.
lief => ELF binary parsing and analysis.
zepu1chr3 => Analyzing binaries via radare2.
pygore => Analyzing golang binaries.
qiling => Dynamic analysis of binaries.
pdfminer.six => PDF analysis.
rarfile => Rar analysis.
acefile => Ace analysis.
Pillow => Bitmap image analysis.

Other dependencies:

VirusTotal API Key => Performing VirusTotal based analysis.
Strings => Necessary for static analysis.
PyExifTool => Metadata extraction.
Jadx => Performing source code and resource analysis.
PyOneNote => OneNote document analysis.

# You can simply execute the following command!
bash setup.sh

Installation

You can install Qu1cksc0pe easily on your system. Just execute the following commands.
Command 0: sudo pip3 install -r requirements.txt
Command 1: sudo python3 qu1cksc0pe.py --install

Static Analysis

Normal analysis

Usage: python3 qu1cksc0pe.py --file suspicious_file --analyze

Resource analysis

Usage: python3 qu1cksc0pe.py --file suspicious_file --resource

Hash scan

Usage: python3 qu1cksc0pe.py --file suspicious_file --hashscan

Folder scan

Supported Arguments:

--hashscan
--packer

Usage: python3 qu1cksc0pe.py --folder FOLDER --hashscan

VirusTotal

Report Contents:

Threat Categories
Detections
CrowdSourced IDS Reports

Usage for --vtFile: python3 qu1cksc0pe.py --file suspicious_file --vtFile

Document scan

Usage: python3 qu1cksc0pe.py --file suspicious_document --docs

Embedded File/Exploit Extraction

Archive File Scan

Usage: python3 qu1cksc0pe.py --file suspicious_archive_file --archive

File signature analyzer

Usage: python3 qu1cksc0pe.py --file suspicious_file --sigcheck

File Carving

MITRE ATT&CK Technique Extraction

Usage: python3 qu1cksc0pe.py --file suspicious_file --mitre

Programming language detection

Usage: python3 qu1cksc0pe.py --file suspicious_executable --lang

Interactive shell

Usage: python3 qu1cksc0pe.py --console

Dynamic Analysis

Dynamic instrumentation with FRIDA scripts (for android applications)

Alert

You must connect a virtual device or physical device to your computer.

Usage: python3 qu1cksc0pe.py --runtime

Binary Emulation

Alert

Binary emulator is not recommended for .NET analysis.

Usage: python3 qu1cksc0pe.py --file suspicious_file --watch

References

Thanks to

For most of FRIDA scripts: https://github.com/Ch0pin/
Another scripts: https://codeshare.frida.re/browse

qu1cksc0pe's People

Contributors

Recommend Projects

React

A declarative, efficient, and flexible JavaScript library for building user interfaces.
Vue.js

🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript

TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
TensorFlow

An Open Source Machine Learning Framework for Everyone
Django

The Web framework for perfectionists with deadlines.
Laravel

A PHP framework for web artisans
D3

Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

javascript

JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
web

Some thing interesting about web. New door for the world.
server

A server is a program made to process requests and deliver data to clients.
Machine learning

Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Visualization

Some thing interesting about visualization, use data art
Game

Some thing interesting about game, make everyone happy.

Recommend Org

Facebook

We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft

Open source projects and samples from Microsoft.
Google

Google ❤️ Open Source for everyone.
Alibaba

Alibaba Open Source for everyone
D3

Data-Driven Documents codes.
Tencent

China tencent open source team.