rubbertoast / qu1cksc0pe Goto Github PK

This project forked from cyb3rmx/qu1cksc0pe

All-in-One malware analysis tool.

License: GNU General Public License v3.0

Shell 0.06% JavaScript 0.02% Python 6.33% PowerShell 0.12% Dockerfile 0.01% YARA 93.45%

Qu1cksc0pe



All-in-One malware analysis tool for analyzing many file types, from Windows binaries to E-Mail files.

You can get:

  • What DLL files are used.
  • Functions and APIs.
  • Sections and segments.
  • URLs, IP addresses and emails.
  • Android permissions.
  • File extensions and their names.
  • Embedded executables/exploits.
    And so on...

Qu1cksc0pe aims to extract as much information as possible about suspicious files and helps the user understand what that file is capable of.
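The URL, IP address and e-mail indicators listed above are pulled out of a sample's printable strings. As an added example that is not part of the Qu1cksc0pe code base, the block below shows that technique end to end: it recovers ASCII and UTF-16LE string runs from a byte blob the way `strings` does, runs indicator patterns over them, and defangs the result so it can be pasted into a report without becoming a clickable link. The sample blob, the example.test hostnames and the function names are all constructed for this demonstration.

```python
import re

# Printable-ASCII and UTF-16LE runs of at least 4 characters: the two string
# classes `strings` (and `strings -el`) reports from a binary.
ASCII_RUN = re.compile(rb"[\x20-\x7e]{4,}")
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")

# Indicator patterns applied to each recovered string.
URL_RE = re.compile(r"https?://[^\s<>\"']+")
IPV4_RE = re.compile(
    r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"
)
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")

# Constructed sample "binary" (not a real malware sample): header junk with
# indicators embedded as ASCII and as UTF-16LE, the encoding .NET and many
# Windows binaries use for their string tables.
SAMPLE_BLOB = (
    b"\x00\x00MZ\x90\x00"
    + b"http://example.test/update.php\x00"
    + b"\xde\xad\xbe\xef"
    + "https://c2.example.test/gate".encode("utf-16-le")
    + b"\x00\x00"
    + b"192.0.2.44\x00"
    + b"report@example.test\x00"
)


def extract_strings(blob):
    """Yield printable ASCII runs, then UTF-16LE runs, decoded to str."""
    for m in ASCII_RUN.finditer(blob):
        yield m.group().decode("ascii")
    for m in UTF16_RUN.finditer(blob):
        yield m.group().decode("utf-16-le")


def extract_iocs(blob):
    """Return sorted, de-duplicated URLs, IPv4 addresses and e-mails found in blob."""
    found = {"urls": set(), "ips": set(), "emails": set()}
    for s in extract_strings(blob):
        found["urls"].update(URL_RE.findall(s))
        found["ips"].update(IPV4_RE.findall(s))
        found["emails"].update(EMAIL_RE.findall(s))
    return {key: sorted(values) for key, values in found.items()}


def defang(indicator):
    """Make an indicator non-clickable for reports: http -> hxxp, '.' -> '[.]', '@' -> '[at]'."""
    return indicator.replace("http", "hxxp").replace(".", "[.]").replace("@", "[at]")


def report(blob):
    """Defanged view of extract_iocs(), ready to paste into triage notes."""
    return {key: [defang(i) for i in values] for key, values in extract_iocs(blob).items()}


if __name__ == "__main__":
    for kind, items in report(SAMPLE_BLOB).items():
        print(kind, items)
```

The UTF-16LE pass matters in practice: a plain ASCII `strings` run on a .NET sample misses most of its configuration, because those literals are stored two bytes per character.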

Qu1cksc0pe Can Analyze Currently

Files                                          Analysis Type
---------------------------------------------  ----------------------------------
Windows Executables (.exe, .dll, .msi, .bin)   Static, Dynamic
Linux Executables (.elf, .bin)                 Static, Dynamic
MacOS Executables (Mach-O)                     Static
Android Files (.apk, .jar)                     Static, Dynamic (for now .apk only)
Golang Binaries (Linux)                        Static
Document Files                                 Static
Archive Files (.zip, .rar, .ace)               Static
PCAP Files (.pcap)                             Static
PowerShell Scripts                             Static
E-Mail Files (.eml)                            Static

Usage

python qu1cksc0pe.py --file suspicious_file --analyze


Updates

12/10/2023

  • Bug fixes.

04/10/2023

  • Improvements on Android Static Analyzer
  • Bug fixes.

29/09/2023

  • NEW FEATURE!!: Qu1cksc0pe is now able to analyze Rich Text Format (.rtf) documents. You can perform:
      • Detection and extraction of embedded exploits/scripts from malicious .rtf documents. (CVE-2017-11882)
      • Detection of malicious patterns.

17/09/2023

  • Compatibility has been added for Windows. Qu1cksc0pe can now run on Windows 10 or 11!
  • Lots of improvements and bug fixes.

Available On

  • BlackArch
  • Tsurugi

Recommended Systems

  • Parrot OS
  • Kali Linux
  • Windows 10 or 11


And also other Linux distributions such as Kali and Parrot.

Setup and Installation


Necessary Dependencies:

  • Python 3.10 or higher versions.
  • VirusTotal API Key => Performing VirusTotal based analysis.
  • Strings => Necessary for static analysis.
  • Jadx => Performing source code and resource analysis.
  • PyOneNote => OneNote document analysis.
  • Mono => Performing .Net binary analysis.
# You can simply execute the following command it will do everything for you!
bash setup.sh

# If you want to install Qu1cksc0pe on your system just execute the following commands.
bash setup.sh
sudo python qu1cksc0pe.py --install

# Or you can use Qu1cksc0pe from Docker! (-t tags the image so the run command below can find it)
docker build -t qu1cksc0pe .
docker run -it --rm -v "$(pwd)":/data qu1cksc0pe:latest --file /data/suspicious_file --analyze

# For Windows systems you need to execute the following command (Powershell)
# PS C:\Users\user\Desktop\Qu1cksc0pe> .\setup.ps1

Static Analysis

Normal analysis

Description: You can perform basic analysis and triage against your samples.

Usage: python qu1cksc0pe.py --file suspicious_file --analyze

Resource analysis

Description: With this feature you can analyze the resources (assets) of the given file. You can also detect and extract embedded payloads from malware samples such as AgentTesla, Formbook, etc.

Effective Against:

  • .NET Executables
  • Android Files (.apk)

Usage: python qu1cksc0pe.py --file suspicious_file --resource

Hash scan

Description: You can check whether the hash value of the given file is in the built-in malware hash database. You can also scan your directories with this feature.

Usage: python qu1cksc0pe.py --file suspicious_file --hashscan

Folder scan

Supported Arguments:

  • --hashscan
  • --packer

Usage: python qu1cksc0pe.py --folder FOLDER --hashscan
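The Hash scan and Folder scan features above both come down to the same loop: hash every file, look each digest up in a set of known-bad hashes, and report the matches. The block below is an added example, not Qu1cksc0pe's own implementation, of that loop over a directory tree. The "known bad" set is constructed from the sample content so the demo runs offline; in real use it would come from the tool's built-in database or a threat-intel hash feed. The file names and function names are assumptions made for the example.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Constructed sample contents (not real malware): one file whose SHA-256 we
# pretend is in the hash database, one clean file.
SAMPLE_BAD_CONTENT = b"MZ\x90\x00constructed-dropper-sample"
SAMPLE_CLEAN_CONTENT = b"#!/bin/sh\necho harmless\n"


def file_hashes(path, chunk_size=1 << 20):
    """MD5, SHA-1 and SHA-256 of a file, read in chunks so large samples fit in memory."""
    md5, sha1, sha256 = hashlib.md5(), hashlib.sha1(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in (md5, sha1, sha256):
                h.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest(), "sha256": sha256.hexdigest()}


def scan_folder(folder, known_bad):
    """Walk folder recursively and return every regular file whose hash is in known_bad.

    known_bad may mix MD5, SHA-1 and SHA-256 digests; they are normalised to lowercase hex.
    Symlinks are skipped so the scan cannot be steered outside the tree.
    """
    known_bad = {h.lower() for h in known_bad}
    matches = []
    for root, _dirs, files in os.walk(folder):
        for name in files:
            path = Path(root) / name
            if path.is_symlink() or not path.is_file():
                continue
            hashes = file_hashes(path)
            hit = next((h for h in hashes.values() if h in known_bad), None)
            if hit is not None:
                matches.append({"path": str(path), "sha256": hashes["sha256"], "matched": hit})
    return matches


def demo():
    """Build a throwaway directory with the constructed samples and scan it."""
    known_bad = {hashlib.sha256(SAMPLE_BAD_CONTENT).hexdigest()}
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "invoice.exe").write_bytes(SAMPLE_BAD_CONTENT)
        (Path(tmp) / "nested").mkdir()
        (Path(tmp) / "nested" / "run.sh").write_bytes(SAMPLE_CLEAN_CONTENT)
        matches = scan_folder(tmp, known_bad)
    # Report file name and whether the SHA-256 was the digest that matched.
    return [(Path(m["path"]).name, m["matched"] == m["sha256"]) for m in matches]


if __name__ == "__main__":
    print(demo())
```

Hash matching only catches byte-identical samples; a single flipped byte in a repacked build defeats it, which is why a hash scan is a first triage step rather than a verdict, and why the tool's other static checks still run on a file that produces no hit.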

VirusTotal

Report Contents:

  • Threat Categories
  • Detections
  • CrowdSourced IDS Reports

Usage for --vtFile: python qu1cksc0pe.py --file suspicious_file --vtFile

Document scan

Description: This feature performs deep file inspection against the given document files. For example, you can easily detect and extract possible malicious links or embedded exploits/payloads from a suspicious document file.

Effective Against:

  • Word Documents (.doc, .docm, .docx)
  • Excel Documents (.xls, .xlsm, .xlsx)
  • Portable Document Format (.pdf)
  • OneNote Documents (.one)
  • HTML Documents (.htm, .html)
  • Rich Text Format Documents (.rtf)

Usage: python qu1cksc0pe.py --file suspicious_document --docs

Embedded File/Exploit Extraction


Archive File Scan

Description: With this feature you can check archive files for suspicious files inside them.

Effective Against:

  • ZIP
  • RAR
  • ACE

Usage: python qu1cksc0pe.py --file suspicious_archive_file --archive

File signature analyzer

Description: With this feature you can detect and extract embedded executable files (.exe, .elf) from the given file. You can also analyze large files (even 1 GB or larger) and extract the actual malware sample from them (pumped-file analysis).

Usage: python qu1cksc0pe.py --file suspicious_file --sigcheck
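Signature-based extraction, as described for the File signature analyzer above, means scanning a blob for executable magic bytes, validating that each hit is a plausible header rather than a chance occurrence of the two bytes "MZ", and carving from each confirmed header up to the next one. The block below is an added example of that technique and is not Qu1cksc0pe's own code. It also measures trailing null padding on the last carved segment, which is the simple heuristic behind pumped-file analysis (a small sample padded with junk to exceed a scanner's size limit). The minimal fake PE and ELF headers and the prefix bytes are constructed for the demonstration and are not real samples.

```python
import struct

PE_MAGIC = b"MZ"
ELF_MAGIC = b"\x7fELF"


def looks_like_pe(blob, off):
    """A real PE has a 64-byte DOS header whose e_lfanew (offset 0x3c) points at 'PE\\0\\0'."""
    if off + 0x40 > len(blob):
        return False
    e_lfanew = struct.unpack_from("<I", blob, off + 0x3c)[0]
    pe_off = off + e_lfanew
    return pe_off + 4 <= len(blob) and blob[pe_off:pe_off + 4] == b"PE\x00\x00"


def looks_like_elf(blob, off):
    """Validate the 16-byte ELF identification: EI_CLASS and EI_DATA must both be 1 or 2."""
    if off + 16 > len(blob):
        return False
    return blob[off + 4] in (1, 2) and blob[off + 5] in (1, 2)


def find_signatures(blob):
    """Return sorted (offset, kind) pairs for every validated PE or ELF header in blob."""
    hits = []
    for magic, kind, check in ((PE_MAGIC, "exe", looks_like_pe), (ELF_MAGIC, "elf", looks_like_elf)):
        start = 0
        while (idx := blob.find(magic, start)) != -1:
            if check(blob, idx):
                hits.append((idx, kind))
            start = idx + 1          # keep scanning: headers may overlap or repeat
    return sorted(hits)


def trailing_padding(data, pad_byte=b"\x00"):
    """Number of pad bytes at the end of data; a large value on a small binary suggests a pumped file."""
    return len(data) - len(data.rstrip(pad_byte))


def carve(blob):
    """Cut blob into one segment per header, each running to the next header or end of file."""
    hits = find_signatures(blob)
    carved = []
    for i, (off, kind) in enumerate(hits):
        end = hits[i + 1][0] if i + 1 < len(hits) else len(blob)
        data = blob[off:end]
        carved.append({"offset": off, "kind": kind, "size": len(data),
                       "padding": trailing_padding(data), "data": data})
    return carved


# Constructed container: junk prefix, a fake PE, a fake ELF, then 1 KiB of null padding.
SAMPLE_PREFIX = b"random-dropper-prefix-"


def build_sample():
    dos = bytearray(0x40)
    dos[0:2] = PE_MAGIC
    struct.pack_into("<I", dos, 0x3c, 0x40)        # e_lfanew: NT headers follow the DOS header
    fake_pe = bytes(dos) + b"PE\x00\x00" + b"\x4c\x01" + b"\x00" * 26      # 96 bytes, Machine = i386
    fake_elf = ELF_MAGIC + bytes([2, 1, 1]) + b"\x00" * 9 + b".text:ELF-BODY!"  # 31 bytes
    return SAMPLE_PREFIX + fake_pe + fake_elf + b"\x00" * 1024


if __name__ == "__main__":
    for seg in carve(build_sample()):
        print(f"{seg['kind']} at 0x{seg['offset']:x}: {seg['size']} bytes, {seg['padding']} bytes trailing padding")
```

Carving to the next header is deliberately coarse: it over-captures when data sits between two embedded binaries, but it never truncates a payload. A tighter cut would parse the section table (PE) or program headers (ELF) to compute the real image size; the header validation above is the part that keeps random "MZ" pairs in ordinary data from producing false carves.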

File Carving


MITRE ATT&CK Technique Extraction

Description: This feature allows you to generate potential MITRE ATT&CK tables based on the import/export table or functions contained within the given file.

Effective Against:

  • Windows Executables

Usage: python qu1cksc0pe.py --file suspicious_file --mitre

Programming language detection

Description: You can get programming language information about the given file.

Usage: python qu1cksc0pe.py --file suspicious_executable --lang

Interactive shell

Description: You can use Qu1cksc0pe in interactive command line mode.

Usage: python qu1cksc0pe.py --console

Dynamic Analysis

Android Application Analysis

Alert

You must connect a virtual device or physical device to your computer.


Usage: python qu1cksc0pe.py --file suspicious.apk --watch


Binary Emulation

Alert

Binary emulator is not recommended for .NET analysis.


Usage: python qu1cksc0pe.py --file suspicious_file --watch


Contributors

cyb3rmx, kaqtus14, trizin, a1s0n, barakaharoni, mjbroekman, straysheep-dev
