How to use Qu1cksc0pe to analyze malware

Qu1cksc0pe is a tool to analyze Windows, Linux, OSX source code, exe files and even Apk. If you are passionate about reverse engineering or want to analyze if a file is safe before installation, Qu1cksc0pe will quickly analyze it for you with just a few simple commands.

Features of Qu1cksc0pe

Qu1cksc0pe is written in Python, so it’s quite easy to use, you only need a file to analyze and the computer has python pre-installed. Features of this software will help you to know:

  • What DLL files are used.
  • Functions and APIs.
  • Sections and segments
  • URL, IP address and email.
  • Android permissions.
  • File extensions and their names.

Qu1cksc0pe aims to get more information about suspicious files and help users realize what the file is capable of.

How to install Qu1cksc0pe

First you need to download and install Qu1cksc0pe on your computer. On linux you can use the command:

git clone https://github.com/CYB3RMX/Qu1cksc0pe.git

cd Qu1cksc0pe

Or directly download the .zip file here.

Then install the necessary modules: pip3 install -r requirements.txt. These modules include:

  • puremagic=> Analyze OS
  • androguard=> Analyze APK files.
  • apkid=> Check Obfuscators, Anti-Disassembly, Anti-VM and Anti-Debug.
  • prettytable=> create a table for the results
  • tqdm=> Progress bar animation.
  • colorama=>Color the output
  • oletools=> Analyze VBA Macros.
  • pefile=> Collect all information from PE files.
  • spacy=> Natural language processing for string parsing.
  • quark-engine=> Extract IP address and URL from APK file.
  • pyaxmlparser=> Collect information from target APK files.
  • yara-python=> Scan Android libraries with Yara rules.
  • capstone=> Decode binary.

Can you provide some more information to make the decompile process better:

  • Add VirusTotal API Key: https://virustotal.com
  • Install more Binutils: sudo apt-get install binutils
  • Install more ExifTool: sudo apt-get install exiftool
  • Install more Strings: sudo apt-get install strings

The last step is to install Qu1cksc0pe

sudo python3 qu1cksc0pe.py --install

How to use Qu1cksc0pe for malware analysis

To analyze the source code of a file or data to see if it is malicious, copy the file to be analyzed into the same directory of Qu1cksc0pe and use one of the following commands:

Normal analysis:

python3 qu1cksc0pe.py --file filename.exe --analyze

foreign analysis qu1cksc0pe

Analyze multiple files at once:

python3 qu1cksc0pe.py --multiple FILE1 FILE2 ...

file analysis

Hash scan:

python3 qu1cksc0pe.py --file filename --hashscan

Folder scan:

There are 2 parameters:

python3 qu1cksc0pe.py --folder FOLDER --hashscan

VirusTotal:

python3 qu1cksc0pe.py --file suspicious_file --vtFile

Document scan – Analyze text files with malicious code:

python3 qu1cksc0pe.py --file filename_document --docs

Programming language detection – Check language:

python3 qu1cksc0pe.py --file suspicious_executable --lang

Domains:

python3 qu1cksc0pe.py --file suspicious_file --domain

Information on analytical categories

Registry

This category contains functions and strings about:

  • Create or destroy registry keys
  • Change registry keys and registry logs

File

This category contains functions and strings about:

  • Create/change/infect/delete files.
  • Get information about file contents and file system.

Network/Web

This category contains functions and strings about:

  • Communicate malicious servers.
  • Download malicious files.
  • Send information about the infected machine and its users.

Process

This category contains functions and strings about:

  • Create/infect/terminate process.
  • Manipulate processes.

DLL/Resource Handling

This category contains functions and strings about:

  • Deal with DLL files and other malware resource files.
  • Infect and manipulate DLL files.

The ability to hide

This category contains functions and strings about:

  • Manipulate Windows security policies and bypass restrictions.
  • Detect debuggers and perform hidden tricks from anti-virus software

System

This category contains functions and strings about:

  • Executing system commands.
  • Working with system files

COMObject

This category contains functions and strings about:

  • Microsoft’s Component Object Model system

Encode

This category contains functions and strings about:

  • Encrypt and decrypt files.
  • Generate and destroy hashes.

Collect information

This category contains functions and strings about:

  • Collect all information from the destination server. Like process state, network device, etc

Keyboard/Keylogging

This category contains functions and strings about:

  • Monitor the keyboard of the infected machine.
  • Collect information about the keyboard
  • Manage input methods, etc.

Memory management

This category contains functions and strings about:

  • Manipulating and using target machine memory.

Leave a Reply