"The Enigma Files" Malware analysis
  • JavaScript 99.4%
  • Python 0.6%
Find a file
2026-05-02 18:03:58 -05:00
decrypted_layer.js init 2026-05-02 16:15:04 -05:00
deobfuscated.js init 2026-05-02 16:15:04 -05:00
layer2.deobfuscated.js more data 2026-05-02 18:03:58 -05:00
layer2.js init 2026-05-02 16:15:04 -05:00
layer3.py init 2026-05-02 16:15:04 -05:00
README.md more detail 2026-05-02 16:46:15 -05:00

Technical Analysis: Vexx Malware (layer2.deobfuscated.js)

TLDR

  • Compromised Software:
    • Browsers: Google Chrome, Google Chrome Beta, Google Chrome Dev, Microsoft Edge, Microsoft Edge Beta, Brave, Arc, Opera Stable, Opera GX, Vivaldi, Yandex, Yandex Browser, Sputnik, 7Star, CentBrowser, Chedot, CocCoc, CocCoc Browser, Elements Browser, Epic Privacy Browser, Kometa, Orbitum, PocketBrowser, Sleipnir5, Uran, Iridium, Chromium, Amigo, Torch, Naver Whale, Slimjet, Avast Secure Browser, Comodo Dragon, CCleaner Browser, CryptoTab Browser, Maxthon, Blisk, Firefox, Firefox Beta, Firefox Developer, Firefox ESR, Firefox Nightly, LibreWolf, Waterfox, Floorp, QQ Browser, 360 Speed, 360 Secure
    • Discord Clients: Discord, Discord Canary, Discord PTB, Discord Dev, Discord Staging, Lightcord, Vesktop, WebCord, BetterDiscord, Vencord, Replugged
    • Gaming Apps: Steam, Epic Games Launcher, Minecraft, Lunar Client, Battle.net, Riot Client, Ubisoft Connect, Electronic Arts, Origin, Roblox
    • Crypto Wallets: Exodus, Trust, Metamask, Coinbase, BinanceChain, Phantom, TronLink, Ronin, Coin98, Authenticator, MathWallet, YoroiWallet, GuardaWallet, JaxxLiberty, Wombat, EVERWallet, KardiaChain, XDEFI, Nami, TerraStation, MartianAptos, TON, Keplr, CryptoCom, PetraAptos, OKX, Sollet, Sender, Sui, SuietSui, Braavos, FewchaMove, EthosSui, ArgentX, NiftyWallet, BraveWallet, EqualWallet, BitAppWallet, iWallet, AtomicWallet, MewCx, GuildWallet, SaturnWallet, HarmonyWallet, PaliWallet, BoltX, LiqualityWallet, MaiarDeFiWallet, TempleWallet
    • Windows: Downloads a secondary executable payload (cold_*.exe) from a remote server, creates a hidden VBScript (open.vbs) in the temporary directory to execute payloads silently, installs a persistent VBScript (startup.vbs) into the Windows Startup folder to ensure it runs automatically upon user login, renames its service display name using the sc config command to masquerade as legitimate system processes like "Windows System Helper" or "Runtime Broker Service", silently downloads and installs a full Python 3.12 environment from official servers to enable its advanced data-harvesting scripts, and force-terminates then restarts system applications (such as Discord and Steam) to bypass file locks and intercept session data.

Overview

This document details the operational process and malicious functionalities of the Vexx malware, a sophisticated Node.js-based infostealer and dropper. The malware is designed to harvest credentials, tokens, session data, and financial information from compromised Windows systems. It utilizes a multi-stage approach, employing Node.js for initial execution, an embedded Python script for advanced browser forensics, and VBS scripts for persistence and secondary payload delivery.


Infection Lifecycle

1. Initialization and Evasion

Upon execution, the malware performs several steps to blend into the system and evade analysis:

  • Process Renaming: It attempts to change its service display name to common system strings such as "Windows System Helper" or "Runtime Broker Service" to deceive users viewing task managers.
  • Analysis Detection: It probes for standard system processes to identify if it is running in a controlled or sandboxed environment.
  • Dependency Management: The script checks for and silently installs necessary Python environments and libraries (pythonforwindows, pycryptodome) required for its advanced decryption modules.

2. System and Network Reconnaissance

The malware collects extensive metadata about the host environment:

  • Hardware Profiling: Captures CPU and GPU models, RAM capacity, disk sizes, and unique Hardware IDs (HWID).
  • Operating System Details: Records OS version, build numbers, kernel info, and system uptime.
  • Security Posture: Checks the status of Windows Defender, Firewalls, User Account Control (UAC), and identifies other installed antivirus products.
  • Network Intelligence: Resolves the victim's public IP address, ISP, and geographic location (City, Region, Country) using multiple public APIs.
  • Connectivity Recon: Extracts saved Wi-Fi profiles and plaintext passwords using system commands.

3. Credential and Token Harvesting

The primary goal of Vexx is the theft of digital identities:

  • Discord Exploitation: * Scans multiple Discord client directories (Stable, Canary, PTB, Development) and browsers.
    • Kills Discord processes to release file locks on databases.
    • Extracts authentication tokens from Local Storage and LevelDB files.
    • Uses the stolen tokens to query the Discord API for account details, including badges, billing methods, phone numbers, and a list of "High Quality" (HQ) friends or servers where the user has administrative privileges.
  • Browser Forensics (Passwords, Cookies, Credit Cards): * Targets over 30 Chromium and Gecko-based browsers (Chrome, Edge, Brave, Opera, Firefox, etc.).
    • Advanced Decryption: The malware includes an embedded Python script that performs LSASS (Local Security Authority Subsystem Service) impersonation. This allows it to bypass Windows "App-Bound Encryption" and decrypt sensitive data stored in newer versions of Chrome and Edge.
    • Extracts plaintext passwords, autofill data, bookmarks, browsing history, and credit card information.

4. Specialized Data Theft

Beyond general credentials, the malware targets specific high-value sectors:

  • Cryptocurrency Wallets: Scans for Exodus wallet data and over 50 different browser extensions for wallets like MetaMask, Coinbase, Binance, and Phantom. It attempts to steal seed files and local extension settings.
  • Gaming Accounts:
    • Steam: Kills the Steam process and zips the configuration files (containing session data and login users). It queries the Steam API to assess the value of the account (Level, Game Count).
    • Roblox: Specifically extracts .ROBLOSECURITY cookies. It uses these to check for Robux balances, Premium status, and rare virtual items (e.g., Headless Horseman, Korblox).
    • Minecraft: Steals launcher profiles and account settings for various clients like Lunar Client.
  • Session Harvesting: Targets session data for communication and productivity apps, including Telegram, WhatsApp Desktop, Signal, Zoom, and various game launchers (Epic Games, Riot, Ubisoft, EA, Battle.net).

5. File System Scavenging

The malware searches common user directories (Desktop, Downloads, Documents) for specific sensitive files, such as those containing "discord_backup_codes".

6. Exfiltration

Stolen data is bundled into encrypted ZIP archives and exfiltrated:

  • Primary Channel: Data is sent via HTTP POST requests to attacker-controlled Discord Webhooks.
  • Large File Handling: If a ZIP archive exceeds Discord's attachment limit, the malware automatically uploads the file to anonymous hosting services like Gofile or TmpFiles and sends the link to the webhook instead.

7. Secondary Payload and Persistence

The malware ensures long-term access and additional infection:

  • Dropper Functionality: It downloads a secondary executable payload from a hardcoded server (api.cutlayout.net).
  • VBS Execution: It generates and executes VBScript files to launch the secondary payload silently in the background.
  • Persistence: It copies a VBS startup script into the Windows "Startup" folder, ensuring the malware or its secondary payload executes every time the user logs in.

Malicious Infrastructure

  • C2 Server: api.cutlayout.net
  • Exfiltration Points: Discord Webhooks (hardcoded)
  • Hosting Fallbacks: Gofile.io, Tmpfiles.org, Placehold.co (for tracking/image generation)
  • Telegram: https://t.me/VexxProject/