// Auto-generated YARA rule for the win.juicy_potato family (Malpedia naming).
// JuicyPotato is a Windows local privilege-escalation tool that is also used in
// authorised penetration tests, so a hit is a triage signal, not proof of intrusion:
// check the process/user context and whether the binary is part of an engagement.
rule win_juicy_potato_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.juicy_potato."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        // Feature classes the generator used to pick the byte sequences below.
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.juicy_potato"
        malpedia_rule_date = "20260422"
        // Hash identifying the Malpedia reference sample set this rule was built from.
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation are published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     *
     * Reviewer notes on the sequences below:
     *  - Each $sequence_N is a run of raw x86-64 instruction bytes. `??` bytes
     *    are YARA wildcards; the generator uses them for the rel32 operand of
     *    `e8` (call) and the disp32 of `ff15` (indirect call), which change
     *    between builds.
     *  - Many sequences contain REX-prefixed (`48`/`4c`/`41`) 64-bit
     *    instructions and rip-relative `lea` displacements (e.g. `488d05....`).
     *    Those displacements are fixed at link time, so a recompiled or
     *    relinked variant may not match — expect limited generalisation.
     *  - The mnemonic columns in the generated comments are informational
     *    only: they are a 32-bit decode (REX prefix `48` shows up as `dec eax`)
     *    and do not line up row by row with the byte on the same line. Do not
     *    use them to reason about what the code does; decode the bytes.
     */


    strings:
        // 64-bit decode (reviewer): sub rsp,0x20 ; lea rax,[rip+0x1d2c3] ;
        // mov rbx,rcx ; mov [rcx],rax — a prologue that stores a rip-relative
        // address into the object pointed to by rcx (looks like a vtable/pointer
        // install in a constructor; intent not confirmable from bytes alone).
        $sequence_0 = { 4883ec20 488d05c3d20100 488bd9 488901 }
            // n = 4, score = 100
            //   4883ec20             | dec                 eax
            //   488d05c3d20100       | arpl                di, bx
            //   488bd9               | dec                 eax
            //   488901               | lea                 ecx, [0x445a4]

        // Contains a wildcarded call (`e8????????`) and rip-relative lea; the
        // `483947f0` tail is a qword compare against [rdi-0x10].
        $sequence_1 = { 488b8b20010000 e8???????? 488db328010000 bd06000000 488d7b38 488d05aecf0300 483947f0 }
            // n = 7, score = 100
            //   488b8b20010000       | mov                 dword ptr [ecx], eax
            //   e8????????           |                     
            //   488db328010000       | test                dl, 1
            //   bd06000000           | je                  0x54
            //   488d7b38             | mov                 edx, 8
            //   488d05aecf0300       | dec                 eax
            //   483947f0             | sub                 esp, 0x20

        // push rdi ; sub rsp,0x20 ; mov ebp,r8d ; lea r9,[rip+disp] — a short
        // prologue; `4c8d0d` is a rip-relative lea into r9 and is build-specific.
        $sequence_2 = { 57 4883ec20 418be8 4c8d0d52090300 }
            // n = 4, score = 100
            //   57                   | lea                 eax, [0xffff3335]
            //   4883ec20             | mov                 dword ptr [esp + 0x40], edx
            //   418be8               | dec                 eax
            //   4c8d0d52090300       | mov                 dword ptr [esp + 0x48], eax

        // Series of qword stores through rdi at fixed offsets plus an
        // `and byte ptr [rdi+0x127], 0xfc` (80a727010000fc); reads like
        // object-field initialisation. Contains a rip-relative lea (488d05...).
        $sequence_3 = { 488907 488d057f740100 48894710 33c0 80a727010000fc 48898700010000 48898708010000 }
            // n = 7, score = 100
            //   488907               | dec                 eax
            //   488d057f740100       | sub                 edx, 1
            //   48894710             | inc                 ecx
            //   33c0                 | sub                 ecx, dword ptr [eax + 0x20]
            //   80a727010000fc       | mov                 eax, ecx
            //   48898700010000       | je                  0x2d
            //   48898708010000       | inc                 ecx

        // test rax,rax ; jne +9 ; lea rax,[rip+disp] ; jmp +4 — a null-check
        // selecting a default rip-relative address. Only 4 bytes are
        // build-independent here; the lea displacement dominates the match.
        $sequence_4 = { 4885c0 7509 488d0527200400 eb04 }
            // n = 4, score = 100
            //   4885c0               | dec                 eax
            //   7509                 | lea                 edx, [0x33b8e]
            //   488d0527200400       | dec                 eax
            //   eb04                 | mov                 ecx, ebx

        // lea rcx,[rbx+0x30] ; mov r8,rbx ; lea rdx,[rip-disp] ; call ?? ;
        // mov rbx,[rbx+0x28] — argument setup for a wildcarded call.
        $sequence_5 = { 488d4b30 4c8bc3 488d15075bffff e8???????? 488b5b28 }
            // n = 5, score = 100
            //   488d4b30             | dec                 esp
            //   4c8bc3               | lea                 esi, [0x2ae4a]
            //   488d15075bffff       | dec                 eax
            //   e8????????           |                     
            //   488b5b28             | mov                 dword ptr [eax + 0x20], esi

        // mov rcx,rax ; lea rdx,[rip+disp] ; call [rip+??] ; test rax,rax ;
        // je +0x32c ; mov rcx,rax — an import call through the IAT (ff15) with
        // a null result check; the import slot displacement is wildcarded.
        $sequence_6 = { 488bc8 488d152e9c0100 ff15???????? 4885c0 0f842c030000 488bc8 }
            // n = 6, score = 100
            //   488bc8               | mov                 dword ptr [ecx + 8], eax
            //   488d152e9c0100       | dec                 eax
            //   ff15????????         |                     
            //   4885c0               | lea                 eax, [0x34adc]
            //   0f842c030000         | dec                 eax
            //   488bc8               | mov                 dword ptr [ecx], eax

        // cmp eax,-1 ; jne +4 ; xor al,al ; jmp +0x1b ; lea rdx,[rip+disp] ;
        // mov ecx,eax — a "returned -1 → fail" check typical after a Win32/CRT
        // call; the lea displacement is build-specific.
        $sequence_7 = { 83f8ff 7504 32c0 eb1b 488d15fa8a0400 8bc8 }
            // n = 6, score = 100
            //   83f8ff               | dec                 eax
            //   7504                 | mov                 ebx, dword ptr [eax + 0x98]
            //   32c0                 | dec                 eax
            //   eb1b                 | lea                 edx, [0x33b82]
            //   488d15fa8a0400       | dec                 eax
            //   8bc8                 | mov                 ecx, ebx

        // lea rcx,[rip+disp] ; call ?? ; lea rax,[rbp-0x10] ; mov [rsp+0x28],rax ;
        // mov [rsp+0x20],esi ; mov r9,rdi ; lea r8,[rip-disp] — stack-argument
        // setup (5th/6th args) for a wildcarded call.
        $sequence_8 = { 488d0d41240400 e8???????? 488d45f0 4889442428 89742420 4c8bcf 4c8d0595efffff }
            // n = 7, score = 100
            //   488d0d41240400       | mov                 dword ptr [eax + 8], ecx
            //   e8????????           |                     
            //   488d45f0             | dec                 eax
            //   4889442428           | mov                 dword ptr [eax + 0x10], ecx
            //   89742420             | dec                 eax
            //   4c8bcf               | mov                 dword ptr [eax + 0x18], ecx
            //   4c8d0595efffff       | dec                 eax

        // mov [rsp+0x30],rax ; lea rdx,[rsp+0x68] ; mov dword [rsp+0x28],1 ;
        // xor r8d,r8d ; xor ecx,ecx ; mov [rsp+0x20],rbx — pure stack/register
        // argument setup with no rip-relative operands, so this one is the most
        // likely to survive a rebuild but also the most generic.
        $sequence_9 = { 4889442430 488d542468 c744242801000000 4533c0 33c9 48895c2420 }
            // n = 6, score = 100
            //   4889442430           | lea                 ecx, [esp + 0x88]
            //   488d542468           | nop                 
            //   c744242801000000     | dec                 eax
            //   4533c0               | dec                 eax
            //   33c9                 | dec                 eax
            //   48895c2420           | lea                 ecx, [esp + 0x40]

    condition:
        // 7 of the 10 sequences must be present: tolerates a few build-specific
        // displacement mismatches while still requiring most of the fingerprint.
        // The filesize cap bounds scan cost and excludes large carriers; note
        // that `filesize` refers to the scanned object, so when this rule is
        // applied to process memory rather than files the size clause may not
        // behave as intended — confirm against your YARA version and scan mode.
        7 of them and filesize < 736256
}