Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

https://github.com/cyb3rmx/qu1cksc0pe

All-in-One malware analysis tool.

all-in-one antivirus apk elf exe linux malware malware-analysis osx packer python3 ransomware security-tools static-analysis strings suspicious-files termux threat-analysis virustotal windows

Last synced: 7 days ago

README

# Qu1cksc0pe

All-in-One malware analysis tool for analyzing many file types, from Windows binaries to E-Mail files.

*You can get*:
- What DLL files are used.
- Functions and APIs.
- Sections and segments.
- URLs, IP addresses and emails.
- Android permissions.
- File extensions and their names.
- Embedded executables/exploits.

And so on...

Qu1cksc0pe aims to extract as much information as possible about suspicious files and helps the user understand what a file is capable of.

# What Qu1cksc0pe Can Currently Analyze
| Files | Analysis Type |
| :--- | :--- |
| Windows Executables (.exe, .dll, .msi, .bin) | Static, Dynamic |
| Linux Executables (.elf, .bin) | Static, Dynamic |
| MacOS Executables (mach-o) | Static |
| Android Files (.apk, .jar, .dex) | Static, Dynamic (for now .apk only) |
| Golang Binaries (Linux) | Static |
| Document Files | Static |
| Archive Files (.zip, .rar, .ace) | Static |
| PCAP Files (.pcap) | Static |
| Powershell Scripts | Static |
| E-Mail Files (.eml) | Static |

# Usage
```bash
python qu1cksc0pe.py --file suspicious_file --analyze
```

# Screenshot
![Screenshot](https://github.com/CYB3RMX/Qu1cksc0pe/assets/42123683/1bf1b1d6-80f3-445d-996d-a4216a79a2e0)

# Updates
13/09/2024
- [X] Improvements on ```Linux Analyzer``` module.

12/09/2024
- [X] Improvements on ```Linux Analyzer``` module.
- [X] Added new PDB signatures.
- [X] Added new YARA rule.

# Recommended Systems
- [X] Parrot OS
- [X] Kali Linux
- [X] Windows 10 or 11

Other Linux distributions similar to Kali and Parrot should also work.

# Setup and Installation

Necessary Dependencies:
- Python ```3.10``` or higher.
- ```VirusTotal API Key``` => required for VirusTotal-based analysis.
- ```Strings``` => required for static analysis.
- ```Jadx``` => required for source code and resource analysis of Android files.
- ```PyOneNote``` => required for OneNote document analysis.
- ```Mono``` => required for .NET binary analysis.

```bash
# Installs all dependencies (run from the repository root):
bash setup.sh

# To install Qu1cksc0pe system-wide, run both of the following:
bash setup.sh
python qu1cksc0pe.py --install

# If the installed launcher was written with CRLF line endings, convert it
# with dos2unix to avoid interpreter errors:
dos2unix /usr/bin/qu1cksc0pe

# Alternatively, build and run Qu1cksc0pe from Docker (the current directory
# is mounted at /data inside the container):
docker build -t qu1cksc0pe .
docker run -it --rm -v "$(pwd)":/data qu1cksc0pe:latest --file /data/suspicious_file --analyze

# On Windows, run the PowerShell setup script instead:
# PS C:\Users\user\Desktop\Qu1cksc0pe> .\setup.ps1
```

# Static Analysis
## Normal analysis
Description: You can perform basic analysis and triage against your samples.

Usage: ```python qu1cksc0pe.py --file suspicious_file --analyze```

![windows_analyze](https://github.com/CYB3RMX/Qu1cksc0pe/assets/42123683/bd6945b6-5198-42fb-adff-2118a596bf58)
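The DLL names, URLs, IP addresses and e-mail addresses that normal analysis reports are recovered from printable strings in the file. The following Python example, added for this page and not Qu1cksc0pe's own code, shows the two halves of that: pulling ASCII and UTF-16LE strings out of a byte blob (the job the `Strings` dependency does) and classifying them with regular expressions. The byte blob, the minimum string length and the pattern set are constructed for the example; note the null padding between the ASCII and wide sections, without which the wide-string scan would start one byte early and glue `n` from `update.bin` onto `ws2_32.dll`.

```python
import re
from typing import Dict, List

# Constructed sample blob (not a real binary): a few ASCII strings, a URL,
# then two UTF-16LE strings, separated by nulls the way a PE's .rdata is.
SAMPLE_BLOB = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"kernel32.dll\x00CreateRemoteThread\x00VirtualAllocEx\x00"
    + b"\x01\x02\x03"
    + b"http://203.0.113.10/update.bin" + b"\x00" * 3
    + "ws2_32.dll".encode("utf-16-le") + b"\x00\x00"
    + "admin@example.com".encode("utf-16-le") + b"\x00\x00"
    + b"\xff\xfe\x00\x00" + b"ab"            # too short to count as a string
)

MIN_LEN = 4  # same default as the `strings` tool


def extract_strings(data: bytes, min_len: int = MIN_LEN) -> List[str]:
    """Return printable ASCII runs and UTF-16LE runs of at least min_len
    characters. ASCII hits come first, then wide hits."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    # A wide string is printable-byte, NUL repeated; the alignment matters,
    # so the regex is anchored only by the run length, not by position.
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in ascii_re.finditer(data)]
    found += [m.group().decode("utf-16-le") for m in wide_re.finditer(data)]
    return found


# Constructed classifier patterns for the indicator types the tool lists.
IOC_PATTERNS = {
    "dll": re.compile(r"^[\w.-]+\.dll$", re.IGNORECASE),
    "url": re.compile(r"\bhttps?://[^\s\"'<>]+", re.IGNORECASE),
    "ipv4": re.compile(
        r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
}


def classify_iocs(strings: List[str]) -> Dict[str, List[str]]:
    """Bucket extracted strings by indicator type, de-duplicated, in order
    of first appearance. A URL also yields the IPv4 address inside it."""
    iocs: Dict[str, List[str]] = {kind: [] for kind in IOC_PATTERNS}
    for s in strings:
        for kind, pattern in IOC_PATTERNS.items():
            for match in pattern.findall(s):
                if match not in iocs[kind]:
                    iocs[kind].append(match)
    return iocs


if __name__ == "__main__":
    for kind, values in classify_iocs(extract_strings(SAMPLE_BLOB)).items():
        print(f"{kind:6}: {values}")
```

Treat the output as leads, not verdicts: a benign installer also imports `kernel32.dll` and embeds update URLs, and packed samples yield almost no strings until unpacked, which is why the tool pairs this with the packer and resource checks.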

## Resource analysis
Description: With this feature you can analyze the resources (assets) of a given file. You can also detect and extract embedded payloads from malware samples such as AgentTesla and Formbook.

Effective Against:
- .NET Executables
- Android Files (.apk)

Usage: ```python qu1cksc0pe.py --file suspicious_file --resource```

![resource](https://user-images.githubusercontent.com/42123683/189416431-de08337f-8d46-4c9c-a635-59a5faca28ff.gif)

## Hash scan
Description: Checks whether the hash of the given file is in the built-in malware hash database. You can also scan whole directories with this feature.

Usage: ```python qu1cksc0pe.py --file suspicious_file --hashscan```

![hash](https://user-images.githubusercontent.com/42123683/189416516-8268817c-f186-4ee9-971e-adcccfcb45eb.gif)

## Folder scan
Supported Arguments:
- ```--hashscan```
- ```--packer```

Usage: ```python qu1cksc0pe.py --folder FOLDER --hashscan```

![hashscan_tui](https://user-images.githubusercontent.com/42123683/189416636-494f8d0b-4692-4b81-b133-8bd5eb0f5683.gif)
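Hash scan and folder scan are the same check applied once or once per file. The Python example below, added here and not taken from the project, hashes files in chunks (so a multi-gigabyte pumped sample is never loaded whole), looks the digest up in a database, and walks a directory tree skipping symlinks so a scan cannot be redirected outside the folder. The "built-in" database, the known-bad content and the temporary folder are all constructed for the example.

```python
import hashlib
import os
import shutil
import tempfile
from typing import Dict, List, Optional, Tuple

# Constructed content standing in for a known-bad sample; its SHA-256 is
# computed at import time so the database never needs a real malware hash.
KNOWN_BAD_CONTENT = b"MZ\x90\x00constructed dropper body for the example\n"

# Constructed built-in database: hex digest -> detection label.
HASHDB: Dict[str, str] = {
    hashlib.sha256(KNOWN_BAD_CONTENT).hexdigest(): "Constructed.Dropper.Example",
}


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hash a file in 1 MiB chunks; memory use is constant whatever the size."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def hashscan_file(path: str, hashdb: Dict[str, str]) -> Optional[str]:
    """Return the label if the file's SHA-256 is in hashdb, else None."""
    return hashdb.get(sha256_file(path))


def hashscan_folder(folder: str, hashdb: Dict[str, str]) -> List[Tuple[str, str]]:
    """Walk folder recursively and return (path, label) for every hit.
    followlinks=False keeps os.walk out of linked directories; the islink
    check drops linked files, which os.walk still lists."""
    hits: List[Tuple[str, str]] = []
    for root, _dirs, files in os.walk(folder, followlinks=False):
        for name in files:
            path = os.path.join(root, name)
            if os.path.islink(path):
                continue
            label = hashscan_file(path, hashdb)
            if label is not None:
                hits.append((path, label))
    return hits


def build_demo_folder() -> str:
    """Create a throwaway tree: one benign file, one known-bad file in a subdir."""
    folder = tempfile.mkdtemp(prefix="hashscan_demo_")
    os.makedirs(os.path.join(folder, "sub"))
    with open(os.path.join(folder, "readme.txt"), "wb") as fh:
        fh.write(b"benign text file\n")
    with open(os.path.join(folder, "sub", "dropper.bin"), "wb") as fh:
        fh.write(KNOWN_BAD_CONTENT)
    return folder


def demo() -> List[Tuple[str, str]]:
    """Scan the constructed folder and clean it up afterwards."""
    folder = build_demo_folder()
    try:
        return hashscan_folder(folder, HASHDB)
    finally:
        shutil.rmtree(folder)


if __name__ == "__main__":
    for path, label in demo():
        print(f"{label}: {path}")
```

An exact-hash database only catches byte-identical files; flipping one byte in the sample defeats it, which is why the tool also ships YARA rules and packer detection for the folder scan.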

## VirusTotal
Report Contents:
- ```Threat Categories```
- ```Detections```
- ```CrowdSourced IDS Reports```

Usage for --vtFile: ```python qu1cksc0pe.py --file suspicious_file --vtFile```

![total](https://user-images.githubusercontent.com/42123683/189416676-06216d52-4882-492d-9ee4-4ff7c04b6358.gif)

## Document scan
Description: This feature performs deep inspection of the given document file. For example, you can detect and extract possible malicious links or embedded exploits/payloads from a suspicious document.

Effective Against:
- Word Documents (.doc, .docm, .docx)
- Excel Documents (.xls, .xlsm, .xlsx)
- Portable Document Format (.pdf)
- OneNote Documents (.one)
- HTML Documents (.htm, .html)
- Rich Text Format Documents (.rtf)

Usage: ```python qu1cksc0pe.py --file suspicious_document --docs```

![docs](https://user-images.githubusercontent.com/42123683/189416778-f7f93d49-7ff0-4eb5-9898-53e63e5833a1.gif)

### Embedded File/Exploit Extraction
![exploit](https://user-images.githubusercontent.com/42123683/189676461-86565ff2-3a0c-426a-a66b-80a9462489b7.gif)

## Archive File Scan
Description: With this feature you can check archive files for suspicious contained files.

Effective Against:
- ZIP
- RAR
- ACE

Usage: ```python qu1cksc0pe.py --file suspicious_archive_file --archive```
![archiveanalysis](https://user-images.githubusercontent.com/42123683/230241452-0d93d2ca-69a2-42d9-aa99-c9c7cfe637bf.gif)
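The checks an archive scan is expected to make can be done on the central directory and the first bytes of each entry, without extracting anything to disk. The Python example below, added for this page and not Qu1cksc0pe's own code, covers ZIP only (the standard library has no RAR or ACE reader) and flags executable and double extensions, zip-slip paths, extension/magic mismatches, encrypted entries that cannot be peeked, and a crude expansion-ratio check for zip bombs. The extension set, magic table and the sample archive are constructed for the example.

```python
import io
import os
import posixpath
import zipfile
from typing import Dict, List

# Constructed subset of extensions Windows or a shell executes directly.
EXECUTABLE_EXT = {".exe", ".dll", ".scr", ".pif", ".com", ".bat", ".cmd",
                  ".ps1", ".vbs", ".js", ".jse", ".wsf", ".hta", ".lnk",
                  ".msi", ".jar", ".iso", ".sh", ".elf"}

# Leading bytes that identify content regardless of the entry's name.
MAGIC = {b"MZ": "PE executable", b"\x7fELF": "ELF executable",
         b"PK\x03\x04": "nested ZIP/JAR/OOXML"}


def inspect_zip(blob: bytes) -> List[Dict]:
    """Flag suspicious entries in an in-memory ZIP without extracting it."""
    findings: List[Dict] = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            flags: List[str] = []

            # Zip-slip: a name that escapes the extraction directory.
            norm = posixpath.normpath(name.replace("\\", "/"))
            if (norm.startswith("/") or norm == ".." or norm.startswith("../")
                    or (len(norm) > 1 and norm[1] == ":")):
                flags.append("path traversal / absolute path")

            base = posixpath.basename(name).lower()
            ext = os.path.splitext(base)[1]
            if ext in EXECUTABLE_EXT:
                flags.append(f"executable extension {ext}")
                if base.count(".") >= 2:
                    flags.append("double extension")      # e.g. invoice.pdf.exe

            if info.flag_bits & 0x1:
                # Encrypted entries cannot be peeked; password-protected
                # archives are a common way to slip executables past filters.
                flags.append("encrypted entry")
            else:
                with zf.open(info) as fh:
                    head = fh.read(4)
                for sig, label in MAGIC.items():
                    if head.startswith(sig):
                        flags.append(f"magic: {label}")
                        if ext not in EXECUTABLE_EXT and sig != b"PK\x03\x04":
                            flags.append("extension/magic mismatch")
                        break

            # Crude zip-bomb check: large entry with an extreme expansion ratio.
            if (info.compress_size and info.file_size > (1 << 20)
                    and info.file_size / info.compress_size > 100):
                flags.append("suspicious compression ratio")

            findings.append({"name": name, "size": info.file_size, "flags": flags})
    return findings


def build_sample_zip() -> bytes:
    """Constructed archive exercising each check (not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("invoice.pdf.exe", b"MZ\x90\x00" + b"\x00" * 60)
        zf.writestr("docs/readme.txt", b"Quarterly notes\n")
        zf.writestr("photo.jpg", b"\x7fELF\x02\x01\x01" + b"\x00" * 57)
        zf.writestr("../evil.sh", b"#!/bin/sh\nid\n")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in inspect_zip(build_sample_zip()):
        print(f"{finding['name']:<20} {finding['size']:>6}  {finding['flags']}")
```

Peeking at four bytes is deliberate: reading whole entries would make the scanner itself the zip-bomb victim, and nothing here ever calls `extractall`, so a traversal name is reported rather than acted on.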

## File signature analyzer
Description: With this feature you can detect and extract embedded executable files (.exe, .elf) from the given file. You can also analyze large files (even 1 GB or larger) and extract the actual malware sample from them (pumped-file analysis).

Usage: ```python qu1cksc0pe.py --file suspicious_file --sigcheck```

![sigcheck](https://user-images.githubusercontent.com/42123683/189416864-0e3e3be0-a7bf-4d35-bd9d-403afc38bb96.gif)

### File Carving
![carving](https://user-images.githubusercontent.com/42123683/189416908-31a06ac7-778a-48bd-a5f7-26708a255340.gif)
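Finding an embedded executable is a signature search, but carving it out correctly needs the file's real size, which is what makes pumped-file analysis work: a PE padded with gigabytes of junk still ends where its last section's raw data ends. The Python example below, added for this page and not Qu1cksc0pe's own code, validates each `MZ` and `\x7fELF` candidate against its header, computes the on-disk size (PE: end of the last section; ELF: end of the section header table, falling back to the next signature when the file is stripped), and carves the result. The container, the minimal PE and the minimal ELF are constructed in code, so the expected offsets are known exactly.

```python
import re
import struct
from typing import Dict, List, Optional, Tuple

SIG_RE = re.compile(rb"MZ|\x7fELF")


def pe_size(data: bytes, off: int) -> Optional[int]:
    """Validate an MZ candidate at off and return the PE's on-disk size
    (end of the last section's raw data), or None if it is not a PE."""
    if data[off:off + 2] != b"MZ" or len(data) < off + 0x40:
        return None
    e_lfanew = struct.unpack_from("<I", data, off + 0x3c)[0]
    if not 0x4 <= e_lfanew <= 0x10000:           # sanity bound on header offset
        return None
    pe = off + e_lfanew
    if data[pe:pe + 4] != b"PE\x00\x00" or len(data) < pe + 24:
        return None
    nsec = struct.unpack_from("<H", data, pe + 6)[0]
    size_opt = struct.unpack_from("<H", data, pe + 20)[0]
    sec_tbl = pe + 24 + size_opt
    end = sec_tbl + 40 * nsec                      # headers only, as a floor
    for i in range(nsec):
        s = sec_tbl + 40 * i
        if len(data) < s + 40:
            return None
        raw_size, raw_ptr = struct.unpack_from("<II", data, s + 16)
        if raw_size and raw_ptr:
            end = max(end, off + raw_ptr + raw_size)
    return min(end, len(data)) - off


def elf_size(data: bytes, off: int) -> Optional[int]:
    """Validate an ELF candidate and return its size from the section header
    table (0 if it has none), or None if it is not an ELF."""
    if data[off:off + 4] != b"\x7fELF" or len(data) < off + 52:
        return None
    ei_class, ei_data = data[off + 4], data[off + 5]
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        return None
    endian = "<" if ei_data == 1 else ">"
    if ei_class == 2:                                # ELF64
        if len(data) < off + 64:
            return None
        e_shoff = struct.unpack_from(endian + "Q", data, off + 0x28)[0]
        e_shentsize, e_shnum = struct.unpack_from(endian + "HH", data, off + 0x3a)
    else:                                            # ELF32
        e_shoff = struct.unpack_from(endian + "I", data, off + 0x20)[0]
        e_shentsize, e_shnum = struct.unpack_from(endian + "HH", data, off + 0x2e)
    if not (e_shoff and e_shentsize and e_shnum):
        return 0                                     # stripped: end unknown
    return min(off + e_shoff + e_shentsize * e_shnum, len(data)) - off


def find_embedded(data: bytes) -> List[Tuple[str, int, int]]:
    """Return (kind, offset, size) for every validated PE/ELF header.
    An ELF of unknown size is carved up to the next hit or end of file."""
    hits: List[Tuple[str, int, int]] = []
    for m in SIG_RE.finditer(data):
        off = m.start()
        kind, size = ("PE", pe_size(data, off)) if m.group() == b"MZ" \
            else ("ELF", elf_size(data, off))
        if size is not None:
            hits.append((kind, off, size))
    for i, (kind, off, size) in enumerate(hits):
        if size == 0:
            nxt = hits[i + 1][1] if i + 1 < len(hits) else len(data)
            hits[i] = (kind, off, nxt - off)
    return hits


def carve(data: bytes, hits: List[Tuple[str, int, int]]) -> Dict[str, bytes]:
    return {f"{kind}_{off:#x}": data[off:off + size] for kind, off, size in hits}


def build_fake_pe() -> bytes:
    """Constructed minimal PE32: DOS stub, COFF header, one .text section."""
    e_lfanew, nsec, size_opt, raw_size = 0x40, 1, 0xE0, 0x20
    dos = b"MZ" + b"\x00" * (0x3c - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, nsec, 0, 0, 0, size_opt, 0x0102)
    opt = b"\x0b\x01" + b"\x00" * (size_opt - 2)
    raw_ptr = e_lfanew + 4 + 20 + size_opt + 40 * nsec       # data follows headers
    section = b".text".ljust(8, b"\x00") \
        + struct.pack("<IIII", raw_size, 0x1000, raw_size, raw_ptr) + b"\x00" * 16
    return dos + b"PE\x00\x00" + coff + opt + section + b"\xc3" * raw_size


def build_fake_elf() -> bytes:
    """Constructed minimal ELF64 with a two-entry section header table."""
    shoff, shentsize, shnum = 80, 64, 2
    ident = b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    hdr = ident + struct.pack("<HHIQQQIHHHHHH", 2, 0x3E, 1, 0, 0, shoff, 0,
                              64, 56, 0, shentsize, shnum, 0)
    return hdr + b"\x00" * (shoff - 64) + b"\x00" * (shentsize * shnum)


def build_container() -> bytes:
    """Constructed pumped file: junk, a PE, filler, an ELF, then zero padding
    standing in for the gigabytes a real pumped sample carries."""
    return (bytes(range(256)) + build_fake_pe() + b"filler!!" * 4
            + build_fake_elf() + b"\x00" * 4096)


if __name__ == "__main__":
    blob = build_container()
    for name, body in carve(blob, find_embedded(blob)).items():
        print(f"{name}: {len(body)} bytes")
```

Two caveats a practitioner would want: the PE size excludes any overlay (appended data such as an Authenticode signature or an installer's payload), so compare against the offset of the next hit before discarding the tail, and for files of a gigabyte or more open them with `mmap` rather than `read()` so the regex scan does not copy the whole file.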

## MITRE ATT&CK Technique Extraction
Description: This feature allows you to generate potential MITRE ATT&CK tables based on the import/export table or functions contained within the given file.

Effective Against:
- Windows Executables

Usage: ```python qu1cksc0pe.py --file suspicious_file --mitre```

![mitre](https://user-images.githubusercontent.com/42123683/189416941-46e8be6b-2eec-4145-b0b8-b0da78d6611e.gif)
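Mapping an import table to ATT&CK is a rule match over API names, and the useful rules require combinations: `VirtualAllocEx` on its own is ordinary, `VirtualAllocEx` plus `WriteProcessMemory` plus a remote-thread API is process injection. The Python example below, added here and not Qu1cksc0pe's own rule set, expresses each technique as a set of APIs that must all be present and a set of which at least one must be, then renders the resulting table. The rule table and the sample import list are constructed and deliberately small.

```python
from typing import Dict, Iterable, List, Set, Tuple

# Constructed rules: technique id, name, APIs that must ALL be imported,
# APIs of which at least ONE must be imported (empty = no such requirement).
Rule = Tuple[str, str, Set[str], Set[str]]
RULES: List[Rule] = [
    ("T1055", "Process Injection",
     {"VirtualAllocEx", "WriteProcessMemory"},
     {"CreateRemoteThread", "NtCreateThreadEx", "QueueUserAPC", "RtlCreateUserThread"}),
    ("T1057", "Process Discovery",
     {"CreateToolhelp32Snapshot"},
     {"Process32First", "Process32FirstW", "Process32Next", "Process32NextW"}),
    ("T1622", "Debugger Evasion", set(),
     {"IsDebuggerPresent", "CheckRemoteDebuggerPresent", "NtQueryInformationProcess"}),
    ("T1056.001", "Input Capture: Keylogging", set(),
     {"SetWindowsHookExA", "SetWindowsHookExW", "GetAsyncKeyState", "GetKeyState"}),
    ("T1105", "Ingress Tool Transfer", set(),
     {"URLDownloadToFileA", "URLDownloadToFileW", "InternetOpenUrlA", "InternetOpenUrlW"}),
    ("T1012", "Query Registry", set(),
     {"RegOpenKeyExA", "RegOpenKeyExW", "RegQueryValueExA", "RegQueryValueExW"}),
]


def map_to_attack(imports: Iterable[str]) -> List[Dict[str, object]]:
    """Return one row per technique whose rule is satisfied by the imports,
    with the APIs that satisfied it as evidence."""
    present = set(imports)
    rows: List[Dict[str, object]] = []
    for tid, name, need_all, need_any in RULES:
        if not need_all <= present:
            continue
        hit_any = need_any & present
        if need_any and not hit_any:
            continue
        rows.append({"technique": tid, "name": name,
                     "evidence": sorted(need_all | hit_any)})
    return rows


def render_table(rows: List[Dict[str, object]]) -> str:
    """Plain-text table in the spirit of the tool's MITRE output."""
    lines = [f"{'Technique':<10} {'Name':<28} Evidence"]
    for row in rows:
        lines.append(f"{row['technique']:<10} {row['name']:<28} "
                     f"{', '.join(row['evidence'])}")
    return "\n".join(lines)


# Constructed import table of a hypothetical loader (not a real sample).
SAMPLE_IMPORTS = [
    "LoadLibraryA", "GetProcAddress", "VirtualAllocEx", "WriteProcessMemory",
    "CreateRemoteThread", "CreateToolhelp32Snapshot", "Process32First",
    "Process32Next", "IsDebuggerPresent", "RegOpenKeyExA", "RegQueryValueExA",
]

if __name__ == "__main__":
    print(render_table(map_to_attack(SAMPLE_IMPORTS)))
```

The import table only shows statically linked names; a sample that resolves its APIs through `LoadLibraryA`/`GetProcAddress` (both present in the constructed list) will have an almost empty import table, so in practice the API names recovered by the string scan are fed through the same rules.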

## Programming language detection
Description: Identifies the programming language the given file was written in.

Usage: ```python qu1cksc0pe.py --file suspicious_executable --lang```

![langdetect](https://user-images.githubusercontent.com/42123683/228696312-1362cc48-f978-40c9-a0f0-22a216b83f6f.gif)

## Interactive shell
Description: You can use Qu1cksc0pe in interactive console mode.

Usage: ```python qu1cksc0pe.py --console```

![console](https://user-images.githubusercontent.com/42123683/189417009-dec6a91b-228c-4c7e-9579-66c4aa9f4036.gif)

# Dynamic Analysis
## Android Application Analysis
**Alert**
> **You must connect a virtual or physical Android device to your computer.**


Usage: ```python qu1cksc0pe.py --watch```

https://github.com/CYB3RMX/Qu1cksc0pe/assets/42123683/3251dc28-7c97-4a82-aa6b-a981fb6da13e

## Process Analysis

Usage: ```python qu1cksc0pe.py --watch```

https://github.com/CYB3RMX/Qu1cksc0pe/assets/42123683/a2c84b8f-c12c-47ac-96e9-c345aeda1f54

# References
- The Cyber Security Hub
- Kitploit - Top 20 Most Popular Hacking Tools in 2021
- CSIRT.MAI
- Vulners
- RedPacket Security
- Bournemouth University - CERT
- Hacking Articles - Digital Forensics Tools Mindmap
- HackGit - Twitter Post
- Daily Dark Web - Twitter Post
- SANS ISC - Blog Post
- Korben - Blog Post