Qu1cksc0pe

<a href="https://www.buymeacoffee.com/cyb3rmx"><img src="https://www.buymeacoffee.com/assets/img/custom_images/orange_img.png" height="40px"></a><br><br> <img src="https://img.shields.io/badge/-Linux-black?style=for-the-badge&logo=Linux&logoColor=white"> <img src="https://img.shields.io/badge/-Python-black?style=for-the-badge&logo=python&logoColor=white"> <img src="https://img.shields.io/badge/-Terminal-black?style=for-the-badge&logo=GNU%20Bash&logoColor=white"> <img src="https://img.shields.io/badge/-GPL%203.0-black?style=for-the-badge&Color=white">

<p align="center"> <img width="400" src="https://user-images.githubusercontent.com/42123683/216772963-0b035e5a-c9db-4a6e-ac32-ebca22921405.png" alt="logo"> </p> <br>All-in-one malware analysis tool for analyzing many file types, from Windows binaries to e-mail files.<br>

You can get:

Qu1cksc0pe aims to gather as much information as possible about suspicious files and helps the user understand what a given file is capable of.

Qu1cksc0pe Can Analyze Currently

| Files | Analysis Type |
| --- | --- |
| Windows Executables (.exe, .dll, .msi, .bin) | Static, Dynamic |
| Linux Executables (.elf, .bin) | Static, Dynamic |
| MacOS Executables (mach-o) | Static |
| Android Files (.apk, .jar, .dex) | Static, Dynamic (for now .apk only) |
| Golang Binaries (Linux) | Static |
| Document Files | Static |
| Archive Files (.zip, .rar, .ace) | Static |
| PCAP Files (.pcap) | Static |
| Powershell Scripts | Static |
| E-Mail Files (.eml) | Static |

Usage

```bash
python qu1cksc0pe.py --file suspicious_file --analyze
```

Screenshot


Updates

<b>14/11/2024</b>

<b>13/09/2024</b>

Available On

<img width="400" src="https://user-images.githubusercontent.com/42123683/189416163-4ffd12ce-dd62-4510-b496-924396ce77c2.png" alt="logo"><img width="400" src="https://user-images.githubusercontent.com/42123683/189416193-a709291f-be8f-469c-b649-c6201fa86677.jpeg" alt="logo"> <img width="400" src="https://github.com/user-attachments/assets/a555750e-d979-4f0f-9d2c-730662b00915" alt="logo"> <img width="400" src="https://github.com/user-attachments/assets/56054b07-0512-42bb-ab97-cecbf845116e" alt="logo">

Recommended Systems

<br><b><i>And also other Linux distributions such as Kali/Parrot</i></b>

Setup and Installation

<br><b>Necessary Dependencies</b>:

[!NOTE] If you encounter issues with the Python modules, creating a Python virtual environment (python_venv) should resolve them.

```bash
# You can simply execute the following command; it will do everything for you!
bash setup.sh

# If you want to install Qu1cksc0pe on your system, just execute the following commands.
bash setup.sh
python qu1cksc0pe.py --install

# To prevent interpreter errors after installation, use dos2unix.
dos2unix /usr/bin/qu1cksc0pe

# Or you can use Qu1cksc0pe from Docker!
docker build -t qu1cksc0pe .
docker run -it --rm -v $(pwd):/data qu1cksc0pe:latest --file /data/suspicious_file --analyze

# For Windows systems you need to execute the following command (Powershell)
# PS C:\Users\user\Desktop\Qu1cksc0pe> .\setup.ps1
```

Static Analysis

Normal analysis

<i><b>Description</b>: You can perform basic analysis and triage against your samples.</i>

<b>Usage</b>: `python qu1cksc0pe.py --file suspicious_file --analyze`

Resource analysis

<i><b>Description</b>: With this feature you can analyze the assets (resources) of a given file. You can also detect and extract embedded payloads from malware samples such as AgentTesla, Formbook, etc.</i>

<b>Effective Against</b>:

<b>Usage</b>: `python qu1cksc0pe.py --file suspicious_file --resource`

Hash scan

<i><b>Description</b>: You can check whether the hash of the given file is present in the built-in malware hash database. You can also scan whole directories with this feature.</i>

<b>Usage</b>: `python qu1cksc0pe.py --file suspicious_file --hashscan`

Folder scan

<b>Supported Arguments</b>:

<b>Usage</b>: `python qu1cksc0pe.py --folder FOLDER --hashscan`

VirusTotal

<b>Report Contents</b>:

<b>Usage for --vtFile</b>: `python qu1cksc0pe.py --file suspicious_file --vtFile`

Document scan

<i><b>Description</b>: This feature performs deep file inspection of the given document files. For example, you can easily detect and extract potentially malicious links or embedded exploits/payloads from a suspicious document.</i>

<b>Effective Against</b>:

<b>Usage</b>: `python qu1cksc0pe.py --file suspicious_document --docs`

Embedded File/Exploit Extraction


Archive File Scan

<i><b>Description</b>: With this feature you can check archive files for suspicious contents.</i>

<b>Effective Against</b>:

<b>Usage</b>: `python qu1cksc0pe.py --file suspicious_archive_file --archive`

File signature analyzer

<i><b>Description</b>: With this feature you can detect and extract embedded executable files (.exe, .elf) from the given file. You can also analyze large files (1 GB or more) and extract the actual malware sample from them (pumped-file analysis).</i>

<b>Usage</b>: `python qu1cksc0pe.py --file suspicious_file --sigcheck`
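The following is an added illustration of what a signature check of this kind does, written for this page and not taken from Qu1cksc0pe's own code: scan a blob for PE and ELF headers, validate each hit rather than trusting the bare magic bytes, and carve the embedded files out. The input is a constructed byte string with padding in front, standing in for a pumped file.

```python
import struct

PE_MAGIC = b"MZ"
ELF_MAGIC = b"\x7fELF"


def find_embedded_executables(data: bytes) -> list:
    """Return sorted (offset, kind) pairs for every validated PE or ELF header.

    A bare 'MZ' is a weak signal (it occurs in ordinary text), so the PE check
    reads e_lfanew at MZ+0x3C and requires 'PE\\0\\0' there; the upper bound on
    e_lfanew is a heuristic against garbage offsets. ELF requires the magic
    plus an EI_CLASS byte of 1 (32-bit) or 2 (64-bit).
    """
    hits = []
    pos = data.find(PE_MAGIC)
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            sig = data[pos + e_lfanew:pos + e_lfanew + 4]
            if 0x40 <= e_lfanew < 0x1000 and sig == b"PE\x00\x00":
                hits.append((pos, "PE"))
        pos = data.find(PE_MAGIC, pos + 1)
    pos = data.find(ELF_MAGIC)
    while pos != -1:
        if pos + 5 <= len(data) and data[pos + 4] in (1, 2):
            hits.append((pos, "ELF"))
        pos = data.find(ELF_MAGIC, pos + 1)
    return sorted(hits)


def carve(data: bytes, hits: list) -> list:
    """Slice each embedded file from its header up to the next header or EOF."""
    carved = []
    for i, (off, kind) in enumerate(hits):
        end = hits[i + 1][0] if i + 1 < len(hits) else len(data)
        carved.append((off, kind, data[off:end]))
    return carved


def build_sample() -> bytes:
    """Constructed blob: 300 bytes of padding (a tiny 'pumped' prefix), a minimal
    PE header, an 'MZ' decoy inside text, 100 filler bytes, then an ELF header."""
    pe = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40) + b"PE\x00\x00" + b"\x00" * 28
    elf = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 24
    return b"\x00" * 300 + pe + b"MZ junk text" + b"\xff" * 100 + elf + b"\x00" * 50


if __name__ == "__main__":
    blob = build_sample()
    for off, kind, body in carve(blob, find_embedded_executables(blob)):
        print(f"{kind} at offset {off:#x}, {len(body)} bytes")  # PE at 0x12c, ELF at 0x1fc
```

The decoy 'MZ' inside the text is skipped because the bytes at its +0x3C offset do not point at a 'PE\0\0' signature, which is the difference between a header check and a plain string match.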

File Carving


MITRE ATT&CK Technique Extraction

<i><b>Description</b>: This feature allows you to generate potential MITRE ATT&CK tables based on the import/export table or functions contained within the given file.</i>

<b>Effective Against</b>:

<b>Usage</b>: `python qu1cksc0pe.py --file suspicious_file --mitre`

Programming language detection

<i><b>Description</b>: You can identify the programming language the given file was written in.</i>

<b>Usage</b>: `python qu1cksc0pe.py --file suspicious_executable --lang`

Interactive shell

<i><b>Description</b>: You can use Qu1cksc0pe in command line mode.</i>

<b>Usage</b>: `python qu1cksc0pe.py --console`

Dynamic Analysis

Android Application Analysis

[!NOTE] You must connect a virtual device or physical device to your computer.

<b>Usage</b>: `python qu1cksc0pe.py --watch`

https://github.com/CYB3RMX/Qu1cksc0pe/assets/42123683/3251dc28-7c97-4a82-aa6b-a981fb6da13e

Process Analysis

<b>Usage</b>: `python qu1cksc0pe.py --watch`

https://github.com/CYB3RMX/Qu1cksc0pe/assets/42123683/a2c84b8f-c12c-47ac-96e9-c345aeda1f54
