This tool allows to statically analyze windows, linux, osx, executables and also APK files.
You can get:
- What DLL files are used.
- Functions and API's.
- Sections and segments.
- URL's, IP addresses and emails.
- Android permissions.
- File extensions and their names.
And so on...
Qu1cksc0pe aims to get even more information about suspicious files and helps to user realizing what that file capable of.
- Usage:
python3 qu1cksc0pe.py --file suspicious_file --analyze - Alternative usage:
python3 qu1cksc0pe.py --file [PATH TO FILE] --analyze
22/06/2021
-
Windows Analyzermodule is upgraded. Now Qu1cksc0pe can look for YARA rule matches in Windows binaries. - Added more YARA rules.
- Bug fixes.
- You can also use Qu1cksc0pe from
Windows Subsystem Linuxin Windows 10.
Necessary python modules:
puremagic=> Analyzing target OS and magic numbers.androguard=> Analyzing APK files.apkid=> Check for Obfuscators, Anti-Disassembly, Anti-VM and Anti-Debug.prettytable=> Pretty outputs.tqdm=> Progressbar animation.colorama=> Colored outputs.oletools=> Analyzing VBA Macros.pefile=> Gathering all information from PE files.spacy=> Natural Language Processing for string analysis.quark-engine=> Extracting IP addresses and URLs from APK files.pyaxmlparser=> Gathering informations from target APK files.yara-python=> Android library scanning with Yara rules.capstone=> Disassembling binaries.
Installation of python modules: pip3 install -r requirements.txt
Gathering other dependencies:
- VirusTotal API Key:
https://virustotal.com - Binutils:
sudo apt-get install binutils - ExifTool:
sudo apt-get install exiftool - Strings:
sudo apt-get install strings
- You can install Qu1cksc0pe easily on your system. Just execute the following command.
Command:sudo python3 qu1cksc0pe.py --install
Usage: python3 qu1cksc0pe.py --file suspicious_file --analyze
Usage: python3 qu1cksc0pe.py --multiple FILE1 FILE2 ...
Usage: python3 qu1cksc0pe.py --file suspicious_file --hashscan
Supported Arguments:
--hashscan--packer
Usage: python3 qu1cksc0pe.py --folder FOLDER --hashscan
Report Contents:
Threat CategoriesDetectionsCrowdSourced IDS Reports
Usage for --vtFile: python3 qu1cksc0pe.py --file suspicious_file --vtFile
Usage: python3 qu1cksc0pe.py --file suspicious_document --docs
Usage: python3 qu1cksc0pe.py --file suspicious_executable --lang
Usage: python3 qu1cksc0pe.py --file suspicious_file --domain
This category contains functions and strings about:
- Creating or destroying registry keys.
- Changing registry keys and registry logs.
This category contains functions and strings about:
- Creating/changing/infecting/deleting files.
- Getting informations about file contents and file systems.
This category contains functions and strings about:
- Communicating malicious hosts.
- Download malicious files.
- Sending informations about infected machine and its user.
This category contains functions and strings about:
- Creating/infecting/terminating processes.
- Manipulating processes.
This category contains functions and strings about:
- Handling DLL files and another malware's resource files.
- Infecting and manipulating DLL files.
This category contains functions and strings about:
- Manipulating Windows security policies and bypassing restrictions.
- Detecting debuggers and doing evasive tricks.
This category contains functions and strings about:
- Executing system commands.
- Manipulating system files and system options to get persistence in target systems.
This category contains functions and strings about:
- Microsoft's Component Object Model system.
This category contains functions and strings about:
- Encrypting and decrypting files.
- Creating and destroying hashes.
This category contains functions and strings about:
- Gathering all informations from target hosts. Like process states, network devices etc.
This category contains functions and strings about:
- Tracking infected machine's keyboard.
- Gathering information about targets keyboard.
- Managing input methods etc.
This category contains functions and strings about:
- Manipulating and using target machines memory.