win.juicy_potato

JuicyPotato


As described on the GitHub repository page, "A sugared version of RottenPotatoNG, with a bit of juice, i.e. another Local Privilege Escalation tool, from a Windows Service Accounts to NT AUTHORITY\SYSTEM".

References
2025-05-27 | Trend Micro | Joseph C Chen
Earth Lamia Develops Custom Arsenal to Target Multiple Industries
BypassBoss, Cobalt Strike, JuicyPotato, PULSEPACK, STOWAWAY, VShell, Earth Lamia

2025-03-20 | Cisco Talos | Asheer Malhotra, Brandon White, Jungsoo An, Vitor Ventura
UAT-5918 targets critical infrastructure entities in Taiwan
ShortLeash, LaZagne, JuicyPotato, Meterpreter, MimiKatz, ShortLeash, UAT-5918

2025-01-23 | AhnLab | ASEC
RID Hijacking Technique Utilized by Andariel Attack Group
CreateHiddenAccount, JuicyPotato

2024-05-23 | Palo Alto Networks Unit 42 | Daniel Frank, Lior Rochberger
Operation Diplomatic Specter: An Active Chinese Cyberespionage Campaign Leverages Rare Tool Set to Target Governmental Entities in the Middle East, Africa and Asia
Agent Racoon, CHINACHOPPER, Ghost RAT, JuicyPotato, MimiKatz, Ntospy, PlugX, SweetSpecter, TunnelSpecter, CL-STA-0043

2022-08-25 | SentinelOne | Jim Walter
BlueSky Ransomware | AD Lateral Movement, Evasion and Fast Encryption Put Threat on the Radar
BlueSky, Cobalt Strike, JuicyPotato

2022-01-17 | Trend Micro | Cedric Pernet, Daniel Lunghi, Gloria Chen, Jaromír Hořejší, Joseph Chen, Kenney Lu
Delving Deep: An Analysis of Earth Lusca's Operations
BIOPASS, Cobalt Strike, FunnySwitch, JuicyPotato, ShadowPad, Winnti, Earth Lusca

2021-08-09 | ESET Research | Zuzana Hromcová
IISpy: A complex server-side backdoor with anti-forensic features
IISpy, JuicyPotato

2020-05-01 | LIFARS | LIFARS
XMRig-based CoinMiners by Blue Mockingbird Threat Actor
JuicyPotato

2019-01-14 | Github (ohpe) | OHPE
Juicy Potato (abusing the golden privileges)
JuicyPotato
Yara Rules
[TLP:WHITE] win_juicy_potato_auto (20260504 | Detects win.juicy_potato.)
rule win_juicy_potato_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.juicy_potato."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.juicy_potato"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 4883ec20 488d05c3d20100 488bd9 488901 }
            // n = 4, score = 100
            //   4883ec20             | dec                 eax
            //   488d05c3d20100       | arpl                di, bx
            //   488bd9               | dec                 eax
            //   488901               | lea                 ecx, [0x445a4]

        $sequence_1 = { 488b8b20010000 e8???????? 488db328010000 bd06000000 488d7b38 488d05aecf0300 483947f0 }
            // n = 7, score = 100
            //   488b8b20010000       | mov                 dword ptr [ecx], eax
            //   e8????????           |                     
            //   488db328010000       | test                dl, 1
            //   bd06000000           | je                  0x54
            //   488d7b38             | mov                 edx, 8
            //   488d05aecf0300       | dec                 eax
            //   483947f0             | sub                 esp, 0x20

        $sequence_2 = { 57 4883ec20 418be8 4c8d0d52090300 }
            // n = 4, score = 100
            //   57                   | lea                 eax, [0xffff3335]
            //   4883ec20             | mov                 dword ptr [esp + 0x40], edx
            //   418be8               | dec                 eax
            //   4c8d0d52090300       | mov                 dword ptr [esp + 0x48], eax

        $sequence_3 = { 488907 488d057f740100 48894710 33c0 80a727010000fc 48898700010000 48898708010000 }
            // n = 7, score = 100
            //   488907               | dec                 eax
            //   488d057f740100       | sub                 edx, 1
            //   48894710             | inc                 ecx
            //   33c0                 | sub                 ecx, dword ptr [eax + 0x20]
            //   80a727010000fc       | mov                 eax, ecx
            //   48898700010000       | je                  0x2d
            //   48898708010000       | inc                 ecx

        $sequence_4 = { 4885c0 7509 488d0527200400 eb04 }
            // n = 4, score = 100
            //   4885c0               | dec                 eax
            //   7509                 | lea                 edx, [0x33b8e]
            //   488d0527200400       | dec                 eax
            //   eb04                 | mov                 ecx, ebx

        $sequence_5 = { 488d4b30 4c8bc3 488d15075bffff e8???????? 488b5b28 }
            // n = 5, score = 100
            //   488d4b30             | dec                 esp
            //   4c8bc3               | lea                 esi, [0x2ae4a]
            //   488d15075bffff       | dec                 eax
            //   e8????????           |                     
            //   488b5b28             | mov                 dword ptr [eax + 0x20], esi

        $sequence_6 = { 488bc8 488d152e9c0100 ff15???????? 4885c0 0f842c030000 488bc8 }
            // n = 6, score = 100
            //   488bc8               | mov                 dword ptr [ecx + 8], eax
            //   488d152e9c0100       | dec                 eax
            //   ff15????????         |                     
            //   4885c0               | lea                 eax, [0x34adc]
            //   0f842c030000         | dec                 eax
            //   488bc8               | mov                 dword ptr [ecx], eax

        $sequence_7 = { 83f8ff 7504 32c0 eb1b 488d15fa8a0400 8bc8 }
            // n = 6, score = 100
            //   83f8ff               | dec                 eax
            //   7504                 | mov                 ebx, dword ptr [eax + 0x98]
            //   32c0                 | dec                 eax
            //   eb1b                 | lea                 edx, [0x33b82]
            //   488d15fa8a0400       | dec                 eax
            //   8bc8                 | mov                 ecx, ebx

        $sequence_8 = { 488d0d41240400 e8???????? 488d45f0 4889442428 89742420 4c8bcf 4c8d0595efffff }
            // n = 7, score = 100
            //   488d0d41240400       | mov                 dword ptr [eax + 8], ecx
            //   e8????????           |                     
            //   488d45f0             | dec                 eax
            //   4889442428           | mov                 dword ptr [eax + 0x10], ecx
            //   89742420             | dec                 eax
            //   4c8bcf               | mov                 dword ptr [eax + 0x18], ecx
            //   4c8d0595efffff       | dec                 eax

        $sequence_9 = { 4889442430 488d542468 c744242801000000 4533c0 33c9 48895c2420 }
            // n = 6, score = 100
            //   4889442430           | lea                 ecx, [esp + 0x88]
            //   488d542468           | nop                 
            //   c744242801000000     | dec                 eax
            //   4533c0               | lea                 edx, [0x23436]
            //   33c9                 | dec                 eax
            //   48895c2420           | lea                 ecx, [esp + 0x40]

    condition:
        7 of them and filesize < 736256
}
[TLP:WHITE] win_juicy_potato_w0 (20200624 | No description)
rule win_juicy_potato_w0 {
    meta:
        author = "SpiderLabs"
        source = "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/copy-paste-threat-actor-in-the-asia-pacific-region/"
        group = "copy_paste"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.juicy_potato"
        malpedia_version = "20200624"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        // tool name and PDB path left in the build, plus a status message it prints
        $str1 = "JuicyPotato" nocase wide ascii
        // GUID string embedded in the binary
        $str2 = "4991d34b-80a1-4291-83b6-3328366b9097" nocase wide ascii
        $str3 = "JuicyPotato.pdb" nocase wide ascii
        $str4 = "Waiting for auth" nocase wide ascii
    condition:
        // 0x5A4D == "MZ": require a PE file header before matching strings
        (uint16(0) == 0x5A4D) and 3 of ($str*) and filesize < 500KB
}
[TLP:WHITE] win_juicy_potato_w1 (20200624 | No description)
rule win_juicy_potato_w1 {
    meta:
        author = "SpiderLabs"
        source = "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/copy-paste-threat-actor-in-the-asia-pacific-region/"
        group = "copy_paste"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.juicy_potato"
        malpedia_version = "20200624"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        $str1 = "Potato.dll" nocase wide ascii
        $str2 = "VirusDeleted" nocase wide ascii
        $str3 = "Page404r" nocase wide ascii
    condition:
        // 0x5A4D == "MZ": require a PE file header; all three strings must be present
        (uint16(0) == 0x5A4D) and all of them and filesize < 200KB
}