MachineMania
MachineMania (distributed as MachineMania.exe) is a payload that steals cookies and password combinations from the Google Chrome browser. While it has been seen distributed as a standalone executable, it is most often found as a second-stage payload[1] of the Node Bootstrapper malware.
Language | Python |
Obfuscation | PyArmor (Super Mode) |
Behavior | Browser secrets |
Lasting Effects | None observed |
Send Method | Discord Webhook (through run argument) |
Appearances
Distributions
MachineMania.exe has been distributed as a standalone executable, but has also been called as an additional payload in distributions of the Node Bootstrapper executable.
Internals
Obfuscation
The executable is made with PyInstaller and obfuscated with PyArmor in Super Mode.
Behavior
MachineMania.exe runs silently in the background and collects passwords and cookies from the Google Chrome browser only. Other Chromium browsers do not seem to be affected, as its scope is deliberately cut by what appears to be a paywall.
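Because the Discord webhook is passed to the executable as a run argument, it is visible in process-creation telemetry. The following detection sketch is an added example, not code from the malware or from any tool this page describes: it scans process-creation events for a Discord webhook URL anywhere on the command line. Field names follow Sysmon Event ID 1; the sample events, paths, parent name and webhook values are constructed placeholders, and since the position of the webhook argument is not documented here, the pattern does not depend on it.

```python
import ntpath
import re

# Discord webhook URLs: discord.com or discordapp.com, optional ptb./canary.
# subdomain and optional /vN API version, then a numeric id and a token.
WEBHOOK_RE = re.compile(
    r"https?://(?:(?:ptb|canary)\.)?discord(?:app)?\.com"
    r"/api(?:/v\d+)?/webhooks/(\d+)/([A-Za-z0-9_-]+)",
    re.IGNORECASE,
)
KNOWN_IMAGE = "machinemania.exe"  # file name given on this page


def triage(event):
    """Return an alert dict for one process-creation event, or None."""
    match = WEBHOOK_RE.search(event.get("CommandLine", ""))
    if match is None:
        return None
    image = ntpath.basename(event.get("Image", "")).lower()
    return {
        "image": event.get("Image", ""),
        "parent": event.get("ParentImage", ""),  # pivot to the first stage
        "webhook_id": match.group(1),  # the token is not copied into the alert
        # A renamed copy still carries the webhook, so the name only raises severity.
        "severity": "high" if image == KNOWN_IMAGE else "medium",
    }


def scan(events):
    return [alert for alert in map(triage, events) if alert is not None]


# Constructed sample events (field names follow Sysmon Event ID 1); the paths,
# parent name, webhook ids and tokens are placeholders, not real indicators.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\a\AppData\Local\Temp\MachineMania.exe",
     "ParentImage": r"C:\Users\a\Downloads\parent-placeholder.exe",
     "CommandLine": "MachineMania.exe https://discord.com/api/webhooks/"
                    "000000000000000001/PLACEHOLDER-token_1"},
    {"Image": r"C:\Users\a\AppData\Local\Temp\svc.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "svc.exe --hook=https://canary.discordapp.com/api/v10/"
                    "webhooks/000000000000000002/PLACEHOLDER"},
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "chrome.exe https://discord.com/channels/@me"},
]
```

`scan(SAMPLE_EVENTS)` returns two alerts: a high-severity hit for the known file name and a medium-severity hit for the renamed binary, while the ordinary Chrome launch is ignored.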
Lasting Effects
MachineMania has not been observed to leave any lasting effects such as keyloggers or embedded JavaScript. After it has sent its stolen data, it will simply close itself. If it cannot find Chrome, it will crash.