All-in-One malware analysis tool for analyze Windows, Linux, OSX binaries, Document files, APK files and Archive files.
You can get:
- What DLL files are used.
- Functions and APIs.
- Sections and segments.
- URLs, IP addresses and emails.
- Android permissions.
- File extensions and their names.
And so on...
Qu1cksc0pe aims to get even more information about suspicious files and helps user realize what that file is capable of.
| Files | Analysis Type |
|---|---|
| Windows Executables (.exe, .dll, .msi, .bin) | Static, Dynamic |
| Linux Executables (.elf, .bin) | Static, Dynamic |
| MacOS Executables (mach-o) | Static |
| Android Files (.apk, .jar) | Static, Dynamic(for now .apk only) |
| Golang Binaries (Linux) | Static |
| Document Files | Static |
| Archive Files (.zip, .rar, .ace) | Static |
| PCAP Files (.pcap) | Static |
| Powershell Scripts | Static |
python3 qu1cksc0pe.py --file suspicious_file --analyze
10/07/2023
-
SignatureAnalyzermodule is improved. Now you can perform detection and extraction of embedded ELF executables! -
WindowsAnalyzermodule is now also perform embedded PE file detection!
new_updates.mp4
08/07/2023
-
WindowsAnalyzermodule is improved. - Bug fixes and performance tweaks.
07/07/2023
- Improvements on
Dockerfile -
WindowsAnalyzerandResourceAnalyzermodules now have better detection capabilites! - Added new Yara rule to detect
RustyStealersamples!
- Parrot OS
- Kali Linux
And similar Linux distributions...
Necessary Dependencies:
VirusTotal API Key=> Performing VirusTotal based analysis.Strings=> Necessary for static analysis.PyExifTool=> Metadata extraction.Jadx=> Performing source code and resource analysis.PyOneNote=> OneNote document analysis.Mono=> Performing .Net binary analysis.
# You can simply execute the following command it will do everything for you!
bash setup.sh
# If you want to install Qu1cksc0pe on your system just execute the following commands.
bash setup.sh
sudo python3 qu1cksc0pe.py --install
# Or you can use Qu1cksc0pe from Docker!
docker build qu1cksc0pe .
docker run -it --rm -v $(pwd):/data qu1cksc0pe:latest --file /data/suspicious_file --analyzeUsage: python3 qu1cksc0pe.py --file suspicious_file --analyze
Usage: python3 qu1cksc0pe.py --file suspicious_file --resource
Usage: python3 qu1cksc0pe.py --file suspicious_file --hashscan
Supported Arguments:
--hashscan--packer
Usage: python3 qu1cksc0pe.py --folder FOLDER --hashscan
Report Contents:
Threat CategoriesDetectionsCrowdSourced IDS Reports
Usage for --vtFile: python3 qu1cksc0pe.py --file suspicious_file --vtFile
Usage: python3 qu1cksc0pe.py --file suspicious_document --docs
Usage: python3 qu1cksc0pe.py --file suspicious_archive_file --archive
Usage: python3 qu1cksc0pe.py --file suspicious_file --sigcheck
Usage: python3 qu1cksc0pe.py --file suspicious_file --mitre
Usage: python3 qu1cksc0pe.py --file suspicious_executable --lang
Usage: python3 qu1cksc0pe.py --console
Alert
You must connect a virtual device or physical device to your computer.
Usage: python3 qu1cksc0pe.py --runtime
Alert
Binary emulator is not recommended for .NET analysis.
Usage: python3 qu1cksc0pe.py --file suspicious_file --watch
- The Cyber Security Hub
- Kitploit - Top 20 Most Popular Hacking Tools in 2021
- CSIRT.MAI
- Vulners
- RedPacket Security
- Bournemouth University - CERT
- Hacking Articles - Digital Forensics Tools Mindmap
- HackGit - Twitter Post
- Daily Dark Web - Twitter Post
- SANS ISC - Blog Post
For most of FRIDA scripts: https://github.com/Ch0pin/
Another scripts: https://codeshare.frida.re/browse