MACE (MAlware Configuration Extrator)

Description

This project aims to provide functionality for the automated extraction of malware configuration from samples. The extracted information is focused on the C2 communication of the sample. This includes hardcoded domains and IPs and parameters of used Domain Generation Algorithms.

Installation

• From crates.io with cargo

  cargo install mace

• From git

  cargo install --git https://github.com/0x6e66/mace

  or

  git clone https://github.com/0x6e66/mace.git
  cargo install --path mace

• Or run without installation

  git clone https://github.com/0x6e66/mace.git
  cd mace
  cargo run -- --help

Supported malware families

Note: Automatic classification of malware families is not yet implemented

• Coper
• DMSniff
• MetaStealer

Example usage

Analyzing the DMSniff sample f4be1b8d67e33c11789d151d288130254d346ecc0f4738a12ce3a34d86ec646d

$ mace direct -f dm-sniff sample.exe | jq
{
  "header": {
    "sha256_of_sample": "f4be1b8d67e33c11789d151d288130254d346ecc0f4738a12ce3a34d86ec646d",
    "datetime_of_extraction": "2025-03-31T18:27:17.391055677+02:00",
    "extractor_used": "DMSniff"
  },
  "data": {
    "hardcoded_ips": [],
    "hardcoded_domains": [],
    "dga_parameters": {
      "number_sequences": {
        "primes": [
          5,
          3,
          1,
          7,
          13,
          11
        ]
      },
      "string_sequences": {
        "tlds": [
          ".com",
          ".org",
          ".net",
          ".ru",
          ".in"
        ]
      },
      "strings": {
        "prefix": "st"
      },
      "magic_numbers": {
        "counter": 50
      }
    }
  }
}

Todo

• Implement automated classification of malware families