This tool allows to statically analyze windows, linux, osx, executables and also APK files.
You can get:
- What DLL files are used.
- Functions and API's.
- Sections and segments.
- URL's, IP addresses and emails.
- Android permissions.
- File extensions and their names.
Qu1cksc0pe aims to get even more information about suspicious files and helps to user realizing what that file capable of.
- Usage:
python3 qu1cksc0pe.py --file suspicious_file --analyze - Alternative usage:
python3 qu1cksc0pe.py --file [PATH TO FILE] --analyze
19/10/2020
- Domain catcher module is upgraded. Now it uses "Natural Language Processing" to analyze files.
Necessary python modules:
puremagicandroguardprettytablefleepcoloramaoletoolsspacy
Installation of python modules: pip3 install -r requirements.txt
Gathering other dependencies:
- VirusTotal API Key:
https://virustotal.com - Binutils:
sudo apt-get install binutils - ExifTool:
sudo apt-get install exiftool - Strings:
sudo apt-get install strings - AAPT:
sudo apt-get install aapt
Usage: python3 qu1cksc0pe.py --file suspicious_file --analyze
Usage: python3 qu1cksc0pe.py --multiple FILE1 FILE2 ...
Usage: python3 qu1cksc0pe.py --file suspicious_file --hashscan
Usage: python3 qu1cksc0pe.py --multihash FILE1 FILE2 ...
Usage for --vtFile: python3 qu1cksc0pe.py --file suspicious_file --vtFile
Usage for --vtUrl: python3 qu1cksc0pe.py --vtUrl
Hash scan: python3 qu1cksc0pe.py --folder SUSPICIOUS_FOLDER --hashscan
Packed files: python3 qu1cksc0pe.py --folder SUSPICIOUS_FOLDER --packer
Usage: python3 qu1cksc0pe.py --file suspicious_file --domain
This category contains functions and strings about:
- Creating or destroying registry keys.
- Changing registry keys and registry logs.
This category contains functions and strings about:
- Creating/changing/infecting/deleting files.
- Getting informations about file contents and file systems.
This category contains functions and strings about:
- Communicating malicious hosts.
- Download malicious files.
- Sending informations about infected machine and its user.
This category contains functions and strings about:
- Creating/infecting/terminating processes.
- Manipulating processes.
This category contains functions and strings about:
- Handling DLL files and another malware's resource files.
- Infecting and manipulating DLL files.
This category contains functions and strings about:
- Manipulating Windows security policies and bypassing restrictions.
- Detecting debuggers and doing evasive tricks.
This category contains functions and strings about:
- Executing system commands.
- Manipulating system files and system options to get persistence in target systems.
This category contains functions and strings about:
- Microsoft's Component Object Model system.
This category contains functions and strings about:
- Encrypting and decrypting files.
- Creating and destroying hashes.
This category contains functions and strings about:
- Gathering all informations from target hosts. Like process states, network devices etc.
This category contains functions and strings about:
- Tracking infected machine's keyboard.
- Gathering information about targets keyboard.
- Managing input methods etc.
This category contains functions and strings about:
- Manipulating and using target machines memory.