mace 0.1.3

Automated extration of malware configuration, focusing on C2 communication
mace-0.1.3 is not a library.

MACE (MAlware Configuration Extrator)

Crate Documentation License

Description

This project aims to provide functionality for the automated extraction of malware configuration from samples. The extracted information is focused on the C2 communication of the sample. This includes hardcoded domains and IPs and parameters of used Domain Generation Algorithms.

Installation

  • From crates.io with cargo
    cargo install mace
    
  • From git
    cargo install --git https://github.com/0x6e66/mace
    
    or
    git clone https://github.com/0x6e66/mace.git
    cargo install --path mace
    
  • Or run without installation
    git clone https://github.com/0x6e66/mace.git
    cd mace
    cargo run -- --help
    

Supported malware families

Note: Automatic classification of malware families is not yet implemented

Example usage

Analyzing the DMSniff sample f4be1b8d67e33c11789d151d288130254d346ecc0f4738a12ce3a34d86ec646d

$ mace direct -f dm-sniff sample.exe | jq
{
  "header": {
    "sha256_of_sample": "f4be1b8d67e33c11789d151d288130254d346ecc0f4738a12ce3a34d86ec646d",
    "datetime_of_extraction": "2025-03-31T18:27:17.391055677+02:00",
    "extractor_used": "DMSniff"
  },
  "data": {
    "hardcoded_ips": [],
    "hardcoded_domains": [],
    "dga_parameters": {
      "number_sequences": {
        "primes": [
          5,
          3,
          1,
          7,
          13,
          11
        ]
      },
      "string_sequences": {
        "tlds": [
          ".com",
          ".org",
          ".net",
          ".ru",
          ".in"
        ]
      },
      "strings": {
        "prefix": "st"
      },
      "magic_numbers": {
        "counter": 50
      }
    }
  }
}

Todo

  • Implement automated classification of malware families