win.juicy_potato

JuicyPotato


As described on the Github repository page, "A sugared version of RottenPotatoNG, with a bit of juice, i.e. another Local Privilege Escalation tool, from a Windows Service Accounts to NT AUTHORITY\SYSTEM".

References
2024-05-23 | Palo Alto Networks Unit 42 | Daniel Frank, Lior Rochberger
Operation Diplomatic Specter: An Active Chinese Cyberespionage Campaign Leverages Rare Tool Set to Target Governmental Entities in the Middle East, Africa and Asia
Agent Racoon CHINACHOPPER Ghost RAT JuicyPotato MimiKatz Ntospy PlugX SweetSpecter TunnelSpecter
2022-08-25 | SentinelOne | Jim Walter
BlueSky Ransomware | AD Lateral Movement, Evasion and Fast Encryption Put Threat on the Radar
BlueSky Cobalt Strike JuicyPotato
2022-01-17 | Trend Micro | Cedric Pernet, Daniel Lunghi, Gloria Chen, Jaromír Hořejší, Joseph Chen, Kenney Lu
Delving Deep: An Analysis of Earth Lusca’s Operations
BIOPASS Cobalt Strike FunnySwitch JuicyPotato ShadowPad Winnti Earth Lusca
2021-08-09 | ESET Research | Zuzana Hromcová
IISpy: A complex server‑side backdoor with anti‑forensic features
IISpy JuicyPotato
2020-05-01 | LIFARS | LIFARS
XMRig-based CoinMiners by Blue Mockingbird Threat Actor
JuicyPotato
2019-01-14 | Github (ohpe) | OHPE
Juicy Potato (abusing the golden privileges)
JuicyPotato
Yara Rules
[TLP:WHITE] win_juicy_potato_auto (20230808 | Detects win.juicy_potato.)
rule win_juicy_potato_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.juicy_potato."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.juicy_potato"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* NOTE(review):
     * - Only the hex byte sequences are matched; the "| mnemonic" column next
     *   to each byte group is informational and does not line up with the
     *   bytes it annotates. The sequences are 64-bit code (a leading 0x48 is
     *   a REX.W prefix there), while the annotation column reads like a
     *   32-bit decoding, where 0x48 on its own is "dec eax". Do not rely on
     *   the mnemonics when triaging a hit; disassemble the sample instead.
     * - Operands of e8/ff15 (call) instructions are wildcarded as ????????,
     *   presumably so the rule is not tied to the call-target addresses of
     *   the one documented sample.
     * - The condition needs 7 of the 10 sequences plus a size bound, so a
     *   single sequence hit alone never matches; the generation method above
     *   still suggests treating the rule as single-sample derived.
     * - The meta dates (date, malpedia_rule_date, malpedia_version) differ
     *   from one another; they come from the generator and are left as-is.
     */

    strings:
        $sequence_0 = { 488b5010 498b4910 48ffc9 488bc2 48d1e8 4823c8 }
            // n = 6, score = 100
            //   488b5010             | dec                 eax
            //   498b4910             | mov                 dword ptr [ecx], eax
            //   48ffc9               | test                dl, 1
            //   488bc2               | je                  0xf0
            //   48d1e8               | dec                 eax
            //   4823c8               | sub                 esp, 0x20

        $sequence_1 = { 4053 4883ec20 488bd9 488bc2 488d0dade40100 48890b 488d5308 }
            // n = 7, score = 100
            //   4053                 | mov                 dword ptr [esp + 0x20], ebx
            //   4883ec20             | lea                 ecx, [edi + 1]
            //   488bd9               | mov                 dword ptr [esp + 0x28], 0x22
            //   488bc2               | mov                 dword ptr [esp + 0x20], 0x12
            //   488d0dade40100       | movsd               qword ptr [esp + 0x78], xmm1
            //   48890b               | dec                 eax
            //   488d5308             | lea                 ecx, [0xad64]

        $sequence_2 = { 488d5e08 488b03 6683382d 0f8598010000 0fb74002 83c09f }
            // n = 6, score = 100
            //   488d5e08             | dec                 eax
            //   488b03               | lea                 edx, [ebx + 8]
            //   6683382d             | xor                 ecx, ecx
            //   0f8598010000         | dec                 eax
            //   0fb74002             | mov                 ebx, ecx
            //   83c09f               | dec                 eax

        $sequence_3 = { 4889450f 4883c8ff 488955ff 488bc8 }
            // n = 4, score = 100
            //   4889450f             | dec                 eax
            //   4883c8ff             | add                 esp, 0x48
            //   488955ff             | ret                 
            //   488bc8               | dec                 eax

        $sequence_4 = { 488bd7 4c8d05dec60300 83e23f 488bcf 48c1f906 48c1e206 498b0cc8 }
            // n = 7, score = 100
            //   488bd7               | lea                 eax, [0x27fab]
            //   4c8d05dec60300       | dec                 eax
            //   83e23f               | mov                 dword ptr [ecx], eax
            //   488bcf               | dec                 eax
            //   48c1f906             | mov                 eax, ecx
            //   48c1e206             | ret                 
            //   498b0cc8             | xor                 eax, eax

        $sequence_5 = { 48894728 4883f8ff 7437 448b4310 488b5320 488bc8 ff15???????? }
            // n = 7, score = 100
            //   48894728             | add                 esp, 0x20
            //   4883f8ff             | pop                 edi
            //   7437                 | ret                 
            //   448b4310             | inc                 eax
            //   488b5320             | push                ebx
            //   488bc8               | dec                 eax
            //   ff15????????         |                     

        $sequence_6 = { e8???????? ff15???????? b801000000 e9???????? 488b5c2438 4885db 7470 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   ff15????????         |                     
            //   b801000000           | dec                 eax
            //   e9????????           |                     
            //   488b5c2438           | mov                 edi, edx
            //   4885db               | dec                 eax
            //   7470                 | mov                 esi, ecx

        $sequence_7 = { 488d15159c0100 ff15???????? 4885c0 0f8429030000 488bc8 e8???????? 488bcb }
            // n = 7, score = 100
            //   488d15159c0100       | mov                 dword ptr [esp + 0x18], esi
            //   ff15????????         |                     
            //   4885c0               | push                edi
            //   0f8429030000         | dec                 eax
            //   488bc8               | sub                 esp, 0x40
            //   e8????????           |                     
            //   488bcb               | mov                 ebp, ecx

        $sequence_8 = { 7509 488d056f200400 eb04 4883c024 8938 e8???????? 488d1d57200400 }
            // n = 7, score = 100
            //   7509                 | dec                 eax
            //   488d056f200400       | lea                 edx, [ebx + 8]
            //   eb04                 | xor                 ecx, ecx
            //   4883c024             | dec                 eax
            //   8938                 | mov                 dword ptr [edx], ecx
            //   e8????????           |                     
            //   488d1d57200400       | dec                 eax

        $sequence_9 = { ff15???????? ba10000000 663bc2 7312 488bd3 488d0d6df80200 ff15???????? }
            // n = 7, score = 100
            //   ff15????????         |                     
            //   ba10000000           | sub                 esp, 0x20
            //   663bc2               | mov                 ebx, ecx
            //   7312                 | dec                 esp
            //   488bd3               | lea                 ecx, [0x30a09]
            //   488d0d6df80200       | mov                 ecx, 6
            //   ff15????????         |                     

    condition:
        // 7 of the 10 byte sequences above, in a file below the size bound
        7 of them and filesize < 736256
}
[TLP:WHITE] win_juicy_potato_w0   (20200624 | No description)
rule win_juicy_potato_w0 {
    meta:
        author = "SpiderLabs"
        source = "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/copy-paste-threat-actor-in-the-asia-pacific-region/"
        group = "copy_paste"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.juicy_potato"
        malpedia_version = "20200624"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* PE files carrying JuicyPotato's own identifying strings: the tool
     * name, a CLSID-formatted GUID, the PDB file name and the literal
     * "Waiting for auth". Any three of the four are enough, so a build with
     * the PDB path stripped can still match. Note that $s1 is a substring of
     * $s3 (both nocase), so any $s3 hit already counts as two of the three.
     */
    strings:
        $s1 = "JuicyPotato" ascii wide nocase
        $s2 = "4991d34b-80a1-4291-83b6-3328366b9097" ascii wide nocase
        $s3 = "JuicyPotato.pdb" ascii wide nocase
        $s4 = "Waiting for auth" ascii wide nocase

    condition:
        // MZ header, then any 3 of the 4 strings, in files under 500 KiB (500 * 1024)
        uint16(0) == 0x5a4d
        and 3 of ($s*)
        and filesize < 512000
}
[TLP:WHITE] win_juicy_potato_w1   (20200624 | No description)
rule win_juicy_potato_w1 {
    meta:
        author = "SpiderLabs"
        source = "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/copy-paste-threat-actor-in-the-asia-pacific-region/"
        group = "copy_paste"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.juicy_potato"
        malpedia_version = "20200624"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* Companion to win_juicy_potato_w0 from the same SpiderLabs write-up;
     * none of its strings carry the JuicyPotato name, so this presumably
     * targets a renamed or repackaged build (see the source URL). All three
     * strings are required, which keeps the short "Potato.dll" token from
     * matching on its own.
     */
    strings:
        $s1 = "Potato.dll" ascii wide nocase
        $s2 = "VirusDeleted" ascii wide nocase
        $s3 = "Page404r" ascii wide nocase

    condition:
        // MZ header, every string present, in files under 200 KiB (200 * 1024)
        uint16(0) == 0x5a4d
        and all of ($s*)
        and filesize < 204800
}