| Crates.io | mace |
| lib.rs | mace |
| version | 0.1.3 |
| created_at | 2025-03-31 21:35:45.919783+00 |
| updated_at | 2025-07-31 09:52:48.160253+00 |
| description | Automated extraction of malware configuration, focusing on C2 communication |
| homepage | https://github.com/0x6e66/mace |
| repository | https://github.com/0x6e66/mace |
| max_upload_size | |
| id | 1614039 |
| size | 141,272 |
This project aims to provide automated extraction of malware configuration from samples. The extracted information focuses on the sample's C2 communication: hardcoded domains and IPs, and the parameters of any Domain Generation Algorithms (DGAs) it uses.
From crates.io with cargo:
cargo install mace
From git:
cargo install --git https://github.com/0x6e66/mace
or:
git clone https://github.com/0x6e66/mace.git
cargo install --path mace
Or run without installation:
git clone https://github.com/0x6e66/mace.git
cd mace
cargo run -- --help
Note: Automatic classification of malware families is not yet implemented.
Analyzing the DMSniff sample f4be1b8d67e33c11789d151d288130254d346ecc0f4738a12ce3a34d86ec646d:
$ mace direct -f dm-sniff sample.exe | jq
{
  "header": {
    "sha256_of_sample": "f4be1b8d67e33c11789d151d288130254d346ecc0f4738a12ce3a34d86ec646d",
    "datetime_of_extraction": "2025-03-31T18:27:17.391055677+02:00",
    "extractor_used": "DMSniff"
  },
  "data": {
    "hardcoded_ips": [],
    "hardcoded_domains": [],
    "dga_parameters": {
      "number_sequences": {
        "primes": [
          5,
          3,
          1,
          7,
          13,
          11
        ]
      },
      "string_sequences": {
        "tlds": [
          ".com",
          ".org",
          ".net",
          ".ru",
          ".in"
        ]
      },
      "strings": {
        "prefix": "st"
      },
      "magic_numbers": {
        "counter": 50
      }
    }
  }
}
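The report above has no hardcoded IPs or domains, so the DGA parameters are the only actionable output for this sample. The following added example (not part of mace or its README) turns a report into triage fields. It assumes every extractor emits the header/data layout shown above, and `SAMPLE_REPORT`, `parse_timestamp` and `triage` are names made up here.

```python
import ipaddress
import json
import re
from datetime import datetime

# Constructed input: the DMSniff report shown above, re-typed compactly.
SAMPLE_REPORT = """{"header": {
 "sha256_of_sample": "f4be1b8d67e33c11789d151d288130254d346ecc0f4738a12ce3a34d86ec646d",
 "datetime_of_extraction": "2025-03-31T18:27:17.391055677+02:00", "extractor_used": "DMSniff"},
 "data": {"hardcoded_ips": [], "hardcoded_domains": [], "dga_parameters": {
 "number_sequences": {"primes": [5, 3, 1, 7, 13, 11]},
 "string_sequences": {"tlds": [".com", ".org", ".net", ".ru", ".in"]},
 "strings": {"prefix": "st"}, "magic_numbers": {"counter": 50}}}}"""


def parse_timestamp(value):
    # The report carries nanosecond precision; datetime.fromisoformat() on older
    # Python versions accepts at most 6 fractional digits, so trim the rest.
    return datetime.fromisoformat(re.sub(r"(\.\d{6})\d+", r"\1", value))


def triage(report_text):
    """Validate a report and split static indicators from DGA parameters."""
    report = json.loads(report_text)
    header, data = report["header"], report["data"]
    sha256 = header["sha256_of_sample"].lower()
    if not re.fullmatch(r"[0-9a-f]{64}", sha256):
        raise ValueError("sha256_of_sample is not a SHA-256 hex digest")
    # ip_address() raises ValueError, so a malformed entry never reaches a blocklist.
    ips = sorted({str(ipaddress.ip_address(ip)) for ip in data.get("hardcoded_ips", [])})
    domains = sorted({d.strip().lower().rstrip(".") for d in data.get("hardcoded_domains", [])})
    # Flatten {"group": {"name": value}} into {"group.name": value}.
    # Assumption: dga_parameters may be absent or null for families without a DGA.
    dga = {f"{group}.{name}": value
           for group, params in (data.get("dga_parameters") or {}).items()
           for name, value in params.items()}
    return {
        "sha256": sha256,
        "extractor": header["extractor_used"],
        "extracted_at": parse_timestamp(header["datetime_of_extraction"]),
        "blocklist": ips + domains,
        "dga": dga,
        # True when a static blocklist cannot cover the sample's C2 on its own.
        "dga_only": not (ips or domains) and bool(dga),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_REPORT).items():
        print(f"{key}: {value}")
```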