All-in-One malware analysis tool for analyzing many file types, from Windows binaries to E-Mail files.
You can get:
- What DLL files are used.
- Functions and APIs.
- Sections and segments.
- URLs, IP addresses and emails.
- Android permissions.
- File extensions and their names.
- Embedded executables/exploits.
And so on...
Qu1cksc0pe aims to gather even more information about suspicious files and helps the user understand what that file is capable of.
| Files | Analysis Type |
|---|---|
| Windows Executables (.exe, .dll, .msi, .bin) | Static, Dynamic |
| Linux Executables (.elf, .bin) | Static, Dynamic |
| MacOS Executables (mach-o) | Static |
| Android Files (.apk, .jar) | Static, Dynamic (for now .apk only) |
| Golang Binaries (Linux) | Static |
| Document Files | Static |
| Archive Files (.zip, .rar, .ace) | Static |
| PCAP Files (.pcap) | Static |
| Powershell Scripts | Static |
| E-Mail Files (.eml) | Static |
```bash
python3 qu1cksc0pe.py --file suspicious_file --analyze
```
01/09/2023
- Android Dynamic Analyzer module is significantly upgraded.

29/08/2023
- Android Dynamic Analyzer module is upgraded. Now Qu1cksc0pe can also perform categorized pattern scanning against application memory dumps!
- Demo video: dynamic_analysis_new_feature.mp4

26/08/2023
- Android Dynamic Analyzer module is upgraded. Now you can also perform analysis against heavily obfuscated samples too!
- Demo video: dynamic_analysis_update.mp4

23/08/2023
- NEW FEATURE!!: Qu1cksc0pe can now perform analysis against the memory dump of an Android application. You can get:
  - Possible C2 addresses at runtime.
  - Socket connections.
  - Created services.
  - Methods used by the target application.
- Demo video: android_dynamic_analysis.1.mp4
Supported Platforms:
- Parrot OS
- Kali Linux
- And similar Linux distributions...
Necessary Dependencies:
- VirusTotal API Key => Performing VirusTotal based analysis.
- Strings => Necessary for static analysis.
- PyExifTool => Metadata extraction.
- Jadx => Performing source code and resource analysis.
- PyOneNote => OneNote document analysis.
- Mono => Performing .NET binary analysis.
```bash
# You can simply execute the following command; it will do everything for you!
bash setup.sh

# If you want to install Qu1cksc0pe on your system, execute the following commands.
bash setup.sh
sudo python3 qu1cksc0pe.py --install

# Or you can use Qu1cksc0pe from Docker!
# The image must be tagged (-t) so that the "qu1cksc0pe:latest" reference below resolves.
docker build -t qu1cksc0pe .
docker run -it --rm -v "$(pwd)":/data qu1cksc0pe:latest --file /data/suspicious_file --analyze
```
Description: You can perform basic analysis and triage against your samples.
Usage: `python3 qu1cksc0pe.py --file suspicious_file --analyze`
Description: With this feature you can analyze the assets of the given file. You can also detect and extract embedded payloads from malware samples such as AgentTesla, Formbook, etc.
Effective Against:
- .NET Executables
- Android Files (.apk)
Usage: `python3 qu1cksc0pe.py --file suspicious_file --resource`
Description: You can check whether the hash value of the given file is in the built-in malware hash database. You can also scan whole directories with this feature.
Usage: `python3 qu1cksc0pe.py --file suspicious_file --hashscan`
Supported Arguments (for folder scanning):
- `--hashscan`
- `--packer`
Usage: `python3 qu1cksc0pe.py --folder FOLDER --hashscan`
Report Contents:
- Threat Categories
- Detections
- CrowdSourced IDS Reports
Usage for --vtFile: `python3 qu1cksc0pe.py --file suspicious_file --vtFile`
Description: This feature performs deep file inspection against the given document files. For example, you can easily detect and extract possible malicious links or embedded exploits/payloads from a suspicious document file!
Effective Against:
- Word Documents (.doc, .docm, .docx)
- Excel Documents (.xls, .xlsm, .xlsx)
- Portable Document Format (.pdf)
- OneNote Documents (.one)
- HTML Documents (.htm, .html)
Usage: `python3 qu1cksc0pe.py --file suspicious_document --docs`
Description: With this feature you can check archive files for suspicious contents.
Effective Against:
- ZIP
- RAR
- ACE
Usage: `python3 qu1cksc0pe.py --file suspicious_archive_file --archive`
Description: With this feature you can detect and extract embedded executable files (.exe, .elf) from the given file. You can also analyze large files (even 1 GB or larger) and extract the actual malware samples from them (pumped-file analysis).
Usage: `python3 qu1cksc0pe.py --file suspicious_file --sigcheck`
Description: This feature allows you to generate potential MITRE ATT&CK tables based on the import/export table or the functions contained within the given file.
Effective Against:
- Windows Executables
Usage: `python3 qu1cksc0pe.py --file suspicious_file --mitre`
Description: You can get programming language information from the given file.
Usage: `python3 qu1cksc0pe.py --file suspicious_executable --lang`
Description: You can use Qu1cksc0pe in command line (console) mode.
Usage: `python3 qu1cksc0pe.py --console`
Alert: You must connect a virtual or physical Android device to your computer.
Usage: `python3 qu1cksc0pe.py --file suspicious.apk --watch`
Demo video: android_dynamic_analysis.1.mp4
Alert: The binary emulator is not recommended for .NET analysis.