
CYB3RMX avatar CYB3RMX commented on August 22, 2024

Hello, thank you for your feedback. According to the error message, the pefile module says your .exe file is not valid. Did you check its headers? If your answer is yes, can you share that sample with me so I can check and fix the tool if the DOS headers are actually correct?

NOTE: By the way, can you try to analyze other Windows executables?

from qu1cksc0pe.

spideysec avatar spideysec commented on August 22, 2024

Thanks for the quick response.
Hi, I even tried other executable files and am still getting the same error.

  1. The file I want to analyze is https://displaysolutions.samsung.com/support/resources/product-support/easy+setting+box ; if you go to the download section, the software file there is the one I want to scan (both files).
  2. As you mentioned, I tried other executables, such as the PuTTY software that we commonly use, and I still got an error for that. Below I will add the error I got for the PuTTY file scan: some rules are working, but it errors at the end. Here I will add the whole output; in the last thread I added only the error for that file.

There is no function/API imports found.

Try --packer or --lang to see additional info about target file.

[*] Performing YARA rule matching...

Rule name: Big_Numbers0
┏━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ Offset ┃ Matched String/Byte ┃
┡━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━┩
│ 0x8272 │ b'C3344CC3344CC3344CC3' │
└────────┴─────────────────────────┘

Rule name: anti_dbg
┏━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━┓
┃ Offset ┃ Matched String/Byte ┃
┡━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━┩
│ 0x30b21c │ b'kernel32.dll' │
│ 0x30c568 │ b'kernel32.dll' │
│ 0x313688 │ b'KERNEL32.dll' │
│ 0x337b8e │ b'KERNEL32.dll' │
│ 0x313762 │ b'IsDebuggerPresent' │
│ 0x337d58 │ b'IsDebuggerPresent' │
└──────────┴──────────────────────┘

Rule name: disable_antivirus
┏━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ Offset ┃ Matched String/Byte ┃
┡━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┩
│ 0x31d02b │ b'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\' │
│ 0x312f36 │ b'RegSetValue' │
│ 0x337c1a │ b'RegSetValue' │
└──────────┴──────────────────────────────────────────────────────────────┘

Rule name: escalate_priv
┏━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ Offset ┃ Matched String/Byte ┃
┡━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━┩
│ 0x312f46 │ b'ADVAPI32.dll' │
│ 0x337824 │ b'ADVAPI32.dll' │
│ 0x312dc2 │ b'AdjustTokenPrivileges' │
└──────────┴──────────────────────────┘

Rule name: win_registry
┏━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━┓
┃ Offset ┃ Matched String/Byte ┃
┡━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━┩
│ 0x312f46 │ b'ADVAPI32.dll' │
│ 0x337824 │ b'ADVAPI32.dll' │
│ 0x312e5a │ b'RegCloseKey' │
│ 0x3377f4 │ b'RegCloseKey' │
│ 0x312e5a │ b'RegCloseKey' │
│ 0x3377f4 │ b'RegCloseKey' │
└──────────┴─────────────────────┘

Rule name: win_token
┏━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ Offset ┃ Matched String/Byte ┃
┡━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━┩
│ 0x312f46 │ b'ADVAPI32.dll' │
│ 0x337824 │ b'ADVAPI32.dll' │
│ 0x312dc2 │ b'AdjustTokenPrivileges' │
│ 0x312dae │ b'OpenProcessToken' │
└──────────┴──────────────────────────┘

Rule name: win_files_operation
┏━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━┓
┃ Offset ┃ Matched String/Byte ┃
┡━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━┩
│ 0x30b21c │ b'kernel32.dll' │
│ 0x30c568 │ b'kernel32.dll' │
│ 0x313688 │ b'KERNEL32.dll' │
│ 0x337b8e │ b'KERNEL32.dll' │
│ 0x31324e │ b'WriteFile' │
│ 0x337aae │ b'WriteFile' │
│ 0x313324 │ b'SetFilePointer' │
│ 0x31349e │ b'SetFilePointer' │
│ 0x337f8e │ b'SetFilePointer' │
│ 0x31324e │ b'WriteFile' │
│ 0x337aae │ b'WriteFile' │
│ 0x313492 │ b'ReadFile' │
│ 0x3131e2 │ b'FindClose' │
└──────────┴─────────────────────┘

Rule name: Embedded_PE
┏━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━┓
┃ Offset ┃ Matched String/Byte ┃
┡━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━┩
│ 0x19f16 │ b'MZ' │
│ 0x20ccb │ b'MZ' │
│ 0x2450d │ b'MZ' │
│ 0x30f2c │ b'MZ' │
│ 0x38d9d │ b'MZ' │
│ 0x5993a │ b'MZ' │
│ 0x5fcbe │ b'MZ' │
│ 0x69711 │ b'MZ' │
│ 0x6a0c5 │ b'MZ' │
│ 0x79f3a │ b'MZ' │
│ 0x95bb0 │ b'MZ' │
│ 0xa081b │ b'MZ' │
│ 0xa2713 │ b'MZ' │
│ 0xaf06e │ b'MZ' │
│ 0xb0503 │ b'MZ' │
│ 0xba323 │ b'MZ' │
│ 0xd3290 │ b'MZ' │
│ 0xe778d │ b'MZ' │
│ 0xf5aa1 │ b'MZ' │
│ 0x11a87f │ b'MZ' │
│ 0x1286a2 │ b'MZ' │
│ 0x145da0 │ b'MZ' │
│ 0x146a95 │ b'MZ' │
│ 0x1503e8 │ b'MZ' │
│ 0x15371d │ b'MZ' │
│ 0x15488f │ b'MZ' │
│ 0x161342 │ b'MZ' │
│ 0x1677a5 │ b'MZ' │
│ 0x194664 │ b'MZ' │
│ 0x1c2402 │ b'MZ' │
│ 0x1d534a │ b'MZ' │
│ 0x207483 │ b'MZ' │
│ 0x20bff2 │ b'MZ' │
│ 0x236103 │ b'MZ' │
│ 0x258ada │ b'MZ' │
│ 0x265ad4 │ b'MZ' │
│ 0x271bf5 │ b'MZ' │
│ 0x27b0c4 │ b'MZ' │
│ 0x2930a6 │ b'MZ' │
│ 0x295bd4 │ b'MZ' │
│ 0x2a03bc │ b'MZ' │
│ 0x2a8906 │ b'MZ' │
│ 0x2b44b6 │ b'MZ' │
│ 0x2d42a5 │ b'MZ' │
│ 0x2e4800 │ b'MZ' │
│ 0x2f4a9f │ b'MZ' │
│ 0x2f9e62 │ b'MZ' │
│ 0x3031d7 │ b'MZ' │
│ 0x320600 │ b'MZ' │
│ 0x3234e6 │ b'MZ' │
│ 0x326f0f │ b'MZ' │
│ 0x330377 │ b'MZ' │
│ 0x37950d │ b'MZ' │
│ 0x37c08e │ b'MZ' │
└──────────┴─────────────────────┘

Traceback (most recent call last):
File "/opt/Qu1cksc0pe/Modules/winAnalyzer.py", line 359, in <module>
Analyzer()
File "/opt/Qu1cksc0pe/Modules/winAnalyzer.py", line 276, in Analyzer
pe = pf.PE(fileName)
^^^^^^^^^^^^^^^
File "/usr/local/lib/python3.11/dist-packages/pefile.py", line 2895, in __init__
self.__parse__(name, data, fast_load)
File "/usr/local/lib/python3.11/dist-packages/pefile.py", line 3031, in __parse__
raise PEFormatError("DOS Header magic not found.")
pefile.PEFormatError: 'DOS Header magic not found.'
Error in sys.excepthook:
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/apport_python_hook.py", line 72, in apport_excepthook
from apport.fileutils import likely_packaged, get_recent_crashes
File "/usr/lib/python3/dist-packages/apport/__init__.py", line 5, in <module>
from apport.report import Report
File "/usr/lib/python3/dist-packages/apport/report.py", line 32, in <module>
import apport.fileutils
File "/usr/lib/python3/dist-packages/apport/fileutils.py", line 12, in <module>
import os, glob, subprocess, os.path, time, pwd, sys, requests_unixsocket
File "/usr/lib/python3/dist-packages/requests_unixsocket/__init__.py", line 1, in <module>
import requests
File "/usr/lib/python3/dist-packages/requests/__init__.py", line 95, in <module>
from urllib3.contrib import pyopenssl
File "/usr/lib/python3/dist-packages/urllib3/contrib/pyopenssl.py", line 46, in <module>
import OpenSSL.SSL
File "/usr/lib/python3/dist-packages/OpenSSL/__init__.py", line 8, in <module>
from OpenSSL import crypto, SSL
File "/usr/lib/python3/dist-packages/OpenSSL/crypto.py", line 1553, in <module>
class X509StoreFlags(object):
File "/usr/lib/python3/dist-packages/OpenSSL/crypto.py", line 1573, in X509StoreFlags
CB_ISSUER_CHECK = _lib.X509_V_FLAG_CB_ISSUER_CHECK
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
AttributeError: module 'lib' has no attribute 'X509_V_FLAG_CB_ISSUER_CHECK'

Original exception was:
Traceback (most recent call last):
File "/opt/Qu1cksc0pe/Modules/winAnalyzer.py", line 359, in <module>
Analyzer()
File "/opt/Qu1cksc0pe/Modules/winAnalyzer.py", line 276, in Analyzer
pe = pf.PE(fileName)
^^^^^^^^^^^^^^^
File "/usr/local/lib/python3.11/dist-packages/pefile.py", line 2895, in __init__
self.__parse__(name, data, fast_load)
File "/usr/local/lib/python3.11/dist-packages/pefile.py", line 3031, in __parse__
raise PEFormatError("DOS Header magic not found.")
pefile.PEFormatError: 'DOS Header magic not found.'


CYB3RMX avatar CYB3RMX commented on August 22, 2024

Hmm, it looks like the YARA rules find Windows APIs but pefile or radare2 couldn't. I will check your binary and find out what is wrong. I checked the link you provided; there are 3 files there: 2 manuals and 1 setup file. Did you analyze those .pdf files with the --docs argument?

NOTE: the --analyze argument won't work against document files.


spideysec avatar spideysec commented on August 22, 2024

Hi, thanks for the quick response again.

I don't want to analyze the PDF file; I just want to do the software file, that is my requirement. So please check what the issue is and let me know.
Again, thanks for the prompt response :).

I don't know what is going wrong recently.


CYB3RMX avatar CYB3RMX commented on August 22, 2024

Okay then. I will check and fix that issue very soon. Thank you for your report :)


CYB3RMX avatar CYB3RMX commented on August 22, 2024

Hello again. I downloaded and analyzed the files you provided. Then I tried to check their headers and find out what is wrong. I saw that these files are not actually Windows executables. So this is why the PEFormatError("DOS Header magic not found.") error occurred.
[screenshot]

After that I downloaded a malware sample from MalwareBazaar and ran the analysis against it, and it worked.
[screenshot]

Sample link: https://bazaar.abuse.ch/sample/7094cbca68bd05ba8068e7247cd8654e9603265a110adeaa30a604bf44efa078/

By the way, I need to implement analysis techniques for CDF files.

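The header checks discussed in this thread (the "MZ" DOS magic, the e_lfanew pointer, the "PE\0\0" signature, and the CDF magic the maintainer mentions), as an added example that is not part of the original issue or of Qu1cksc0pe's code. It uses only the Python standard library, so it does not depend on pefile; the sample buffers are constructed inline, and the `e_lfanew >= 0x40` sanity bound is an assumption of this example (pefile itself is more permissive). The same routine explains the long list of "MZ" hits the Embedded_PE rule reported for the PuTTY scan above: the rule matches the two-byte string wherever it occurs, while `find_embedded_pe` keeps only hits whose DOS header actually points at a PE signature.

```python
"""Added example (not Qu1cksc0pe's own code): identify a file by its leading
bytes and validate "MZ" candidates the way a PE parser would, using only the
standard library. All sample inputs are constructed inline."""
import struct

# Well-known magic values for the formats that came up in the thread.
MZ_MAGIC = b"MZ"                                   # IMAGE_DOS_HEADER.e_magic
PE_SIGNATURE = b"PE\x00\x00"                       # IMAGE_NT_HEADERS.Signature
CDF_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")      # OLE2 / Compound Document File
PDF_MAGIC = b"%PDF-"
ELF_MAGIC = b"\x7fELF"

DOS_HEADER_SIZE = 0x40          # IMAGE_DOS_HEADER is 64 bytes; e_lfanew sits at 0x3C


def is_valid_pe_at(data: bytes, offset: int) -> bool:
    """True if a DOS header at `offset` has an e_lfanew that lands on 'PE\\0\\0'.

    The lower bound of 0x40 on e_lfanew is an assumption of this example
    (a sanity check, stricter than pefile, which rejects only a missing signature).
    """
    if data[offset:offset + 2] != MZ_MAGIC:
        return False
    if offset + DOS_HEADER_SIZE > len(data):
        return False                                # truncated DOS header
    (e_lfanew,) = struct.unpack_from("<I", data, offset + 0x3C)
    pe_off = offset + e_lfanew
    if e_lfanew < DOS_HEADER_SIZE or pe_off + len(PE_SIGNATURE) > len(data):
        return False
    return data[pe_off:pe_off + len(PE_SIGNATURE)] == PE_SIGNATURE


def identify(data: bytes) -> str:
    """Classify a buffer by its header; 'mz-no-pe' is what pefile would reject
    with PEFormatError, 'cdf'/'pdf' are what --analyze cannot handle."""
    if is_valid_pe_at(data, 0):
        return "pe"
    if data.startswith(MZ_MAGIC):
        return "mz-no-pe"                           # DOS stub only, or damaged PE
    if data.startswith(CDF_MAGIC):
        return "cdf"
    if data.startswith(PDF_MAGIC):
        return "pdf"
    if data.startswith(ELF_MAGIC):
        return "elf"
    return "unknown"


def find_embedded_pe(data: bytes) -> list:
    """Offsets of every 'MZ' that is followed by a consistent PE header.

    A bare two-byte 'MZ' string match (what a YARA `strings:` hit gives you)
    is not evidence of an embedded executable; most such hits are noise.
    """
    hits = []
    pos = data.find(MZ_MAGIC)
    while pos != -1:
        if is_valid_pe_at(data, pos):
            hits.append(pos)
        pos = data.find(MZ_MAGIC, pos + 1)
    return hits


def make_minimal_pe(stub_len: int = 0x80) -> bytes:
    """Constructed sample: a DOS header whose e_lfanew points at 'PE\\0\\0'.
    Enough to pass the magic checks above; it is not a loadable image."""
    hdr = bytearray(stub_len)
    hdr[0:2] = MZ_MAGIC
    struct.pack_into("<I", hdr, 0x3C, stub_len)     # e_lfanew = end of stub
    return bytes(hdr) + PE_SIGNATURE + b"\x00" * 20


if __name__ == "__main__":
    # Constructed inputs standing in for the files discussed in the thread.
    samples = {
        "installer-like CDF": CDF_MAGIC + b"\x00" * 504,
        "manual-like PDF": b"%PDF-1.7\n%constructed\n",
        "real-looking PE": make_minimal_pe(),
        "DOS stub only": MZ_MAGIC + b"\x00" * 200,
    }
    for name, blob in samples.items():
        print(f"{name:20s} -> {identify(blob)}")

    # A carrier with one stray 'MZ' string and one genuine embedded PE header.
    carrier = b"A" * 100 + b"MZ" + b"junk" + make_minimal_pe()
    print("bare MZ strings:", [i for i in range(len(carrier)) if carrier.startswith(MZ_MAGIC, i)])
    print("validated PE headers:", find_embedded_pe(carrier))
```

Run it on a real file with `identify(open(path, "rb").read())` before handing the file to a PE parser; anything other than `"pe"` is exactly the case that produced the PEFormatError in this issue.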

spideysec avatar spideysec commented on August 22, 2024

Hello,

I understand the issue now and appreciate you clarifying the real problem. Thank you for bringing it to my attention.

I hope that in the future, support for this type of file can be added. It would be beneficial to have such support.

My questions:

Which alternative tool can I use for static analysis of this type of file?
I am new to this analysis field and would like to pursue further knowledge. Could you suggest a starting roadmap for me?

Thank you once again for your time and prompt response. I appreciate your dedication and hard work.

Keep up the good work!


CYB3RMX avatar CYB3RMX commented on August 22, 2024

Hello, I think I can recommend Didier Stevens' tools for analyzing CDF files.
For a malware analysis roadmap, I think you should:

  • Learn various file structures (like PE, ELF, etc.)
  • Know C/C++/C# to understand decompiled code, malware source code, etc.
  • Assembly language and CPU architecture knowledge is very important
  • Read papers on vx-underground to learn analysis and development techniques
  • Read the "Practical Malware Analysis" book; I highly recommend it
  • After understanding file structures, source code analysis, etc., you need to do a lot of practice. You can find malware samples on MalwareBazaar, theZoo, vx-underground, etc.
  • Also, Google and GPT can help you a lot

Thank you for your comments. I hope this will be helpful :)


spideysec avatar spideysec commented on August 22, 2024

Thank you for your valuable comments and recommendations. I really appreciate your input. Based on your suggestions, I will explore Didier Stevens' tools for analyzing CDF files.

In terms of the malware analysis roadmap, your insights are highly valuable.
Once again, thank you for sharing these insights.
Your contribution is greatly appreciated.


CYB3RMX avatar CYB3RMX commented on August 22, 2024

Thank you very much and you're welcome :)
