Qu1cksc0pe

All-in-One malware analysis tool for analyze Windows, Linux, OSX binaries, Document files, APK files and Archive files.

You can get:

• What DLL files are used.
• Functions and APIs.
• Sections and segments.
• URLs, IP addresses and emails.
• Android permissions.
• File extensions and their names.
  And so on...
  

Qu1cksc0pe aims to get even more information about suspicious files and helps user realize what that file is capable of.

Qu1cksc0pe Can Analyze Currently

Files	Analysis Type
Windows Executables (.exe, .dll, .msi, .bin)	Static, Dynamic
Linux Executables (.elf, .bin)	Static, Dynamic
MacOS Executables (mach-o)	Static
Android Files (.apk, .jar)	Static, Dynamic(for now .apk only)
Golang Binaries (Linux)	Static
Document Files	Static
Archive Files (.zip, .rar, .ace)	Static
PCAP Files (.pcap)	Static

Usage

python3 qu1cksc0pe.py --file suspicious_file --analyze

Screenshot

Updates

20/06/2023

• WindowsAnalyzer and ResourceAnalyzer modules are both improved.

new_update.mp4

17/06/2023

• NEW FEATURE!!: Qu1cksc0pe can now perform .Net binary analysis. You can detect:
• AgentTesla
• NjRAT
• Formbook
• AsyncRAT/DCRat
• SnakeKeylogger
• Malware contains SmartAssembly

dotnet_analysis.mp4

Available On

Recommended Systems

• Parrot OS
• Kali Linux

And similar Linux distributions...

Setup and Installation

Necessary Dependencies:

• VirusTotal API Key => Performing VirusTotal based analysis.
• Strings => Necessary for static analysis.
• PyExifTool => Metadata extraction.
• Jadx => Performing source code and resource analysis.
• PyOneNote => OneNote document analysis.
• Mono => Performing .Net binary analysis.

# You can simply execute the following command it will do everything for you!
bash setup.sh

# If you want to install Qu1cksc0pe on your system just execute the following commands.
bash setup.sh
sudo python3 qu1cksc0pe.py --install

Static Analysis

Normal analysis

Usage: python3 qu1cksc0pe.py --file suspicious_file --analyze

Resource analysis

Usage: python3 qu1cksc0pe.py --file suspicious_file --resource

Hash scan

Usage: python3 qu1cksc0pe.py --file suspicious_file --hashscan

Folder scan

Supported Arguments:

• --hashscan
• --packer

Usage: python3 qu1cksc0pe.py --folder FOLDER --hashscan

VirusTotal

Report Contents:

• Threat Categories
• Detections
• CrowdSourced IDS Reports

Usage for --vtFile: python3 qu1cksc0pe.py --file suspicious_file --vtFile

Document scan

Usage: python3 qu1cksc0pe.py --file suspicious_document --docs

Embedded File/Exploit Extraction

Archive File Scan

Usage: python3 qu1cksc0pe.py --file suspicious_archive_file --archive

File signature analyzer

Usage: python3 qu1cksc0pe.py --file suspicious_file --sigcheck

File Carving

MITRE ATT&CK Technique Extraction

Usage: python3 qu1cksc0pe.py --file suspicious_file --mitre

Programming language detection

Usage: python3 qu1cksc0pe.py --file suspicious_executable --lang

Interactive shell

Usage: python3 qu1cksc0pe.py --console

Dynamic Analysis

Dynamic instrumentation with FRIDA scripts (for android applications)

Alert

You must connect a virtual device or physical device to your computer.

Usage: python3 qu1cksc0pe.py --runtime

Binary Emulation

Alert

Binary emulator is not recommended for .NET analysis.

Usage: python3 qu1cksc0pe.py --file suspicious_file --watch

References

• The Cyber Security Hub
• Kitploit - Top 20 Most Popular Hacking Tools in 2021
• CSIRT.MAI
• Vulners
• RedPacket Security
• Bournemouth University - CERT
• Hacking Articles - Digital Forensics Tools Mindmap
• HackGit - Twitter Post
• Daily Dark Web - Twitter Post

Thanks to

For most of FRIDA scripts: https://github.com/Ch0pin/
Another scripts: https://codeshare.frida.re/browse