Malware: JuicyPotato
As described on the GitHub repository page, "A sugared version of RottenPotatoNG, with a bit of juice, i.e. another Local Privilege Escalation tool, from a Windows Service Accounts to NT AUTHORITY\SYSTEM".
Indicators of Compromise (13)

Type      Value
Filename  MyAppDomainManager.dll
Filename  PerfWatson2.exe
Filename  chrome_setup.zip
SHA-256   00e09754526d0fe836ba27e3144ae161b0ecd3774abec5560504a16a67f0087c
SHA-256   4e1f8888d020decd09799ec946f1bf677cac6612b24582ddbf4d8ede425d8384
SHA-256   9b481b69cd91b09fa7bae7428f646dd89473a4c03393e43da81fe756cde1c472
SHA-256   cbfe8de6ffadbb1d396f61e63eb18e8b11c29527c1528641e3223d4c516cf7c3
SHA-256   dce5df29bddff5a4ddaea5c4fec14da91f7b69063a6e1c45ed61e5da4fc6c87b
SHA-256   f34bd1d485de437fe18360d1e850c3fd64415e49d691e610711d8d232071a0b1
IP        139.180.134.221
IP        202.182.102.5
IP        45.32.113.172
IP        45.76.210.43
MITRE ATT&CK TTPs (10)

ID         Technique                            Tactic
T1003      OS Credential Dumping                Credential Access
T1021      Remote Services                      Lateral Movement
T1055.003  Thread Execution Hijacking           Defense Evasion
T1059.001  PowerShell                           Execution
T1071.001  Web Protocols                        Command and Control
T1074      Data Staged                          Collection
T1082      System Information Discovery         Discovery
T1110      Brute Force                          Credential Access
T1212      Exploitation for Credential Access   Credential Access
T1485      Data Destruction                     Impact
YARA Detection Rules

JuicyPotato_YARA_Detection (YARA, AI generated)

    import "hash"

    rule JuicyPotato_Detection {
        meta:
            description = "Detects JuicyPotato privilege escalation exploit based on behavioral characteristics and known artifacts"
            author = "AI Generated"
            confidence = "high"
            reference = "ATT&CK T1212 - Exploitation for Credential Access"
            category = "exploit"
        strings:
            // API names and markers associated with service-account token abuse
            $s1 = "CreateService" ascii wide
            $s2 = "OpenSCManager" ascii wide
            $s3 = "SetNamedSecurityInfo" ascii wide
            $s4 = "GetCurrentUser" ascii wide
            $s5 = "NT AUTHORITY\\SYSTEM" ascii wide
            $s6 = "Token Manipulation" ascii wide
            $s7 = "CreateProcessWithToken" ascii wide
            $s8 = "advapi32.dll" ascii wide
            $s9 = "SeDebugPrivilege" ascii wide
            $s10 = "DuplicateToken" ascii wide
            // File and class names from the indicator list above
            $x1 = "PerfWatson2.exe" ascii wide
            $x2 = "AppDomainManager" ascii wide
            $x3 = "MyAppDomainManager.dll" ascii wide
        condition:
            // PE file ("MZ" header) under 100 KB
            uint16(0) == 0x5A4D and
            filesize < 100KB and
            (
                // Behavioural match: several token-abuse strings together. A single
                // string such as "advapi32.dll" is present in most Windows binaries,
                // so requiring only one would fire on nearly everything.
                4 of ($s*) or
                // Known artifact names
                all of ($x*) or
                // Known samples: full-file SHA-256 values from the indicator list above
                // (imphash and MD5 are 32-character digests and can never equal a SHA-256)
                hash.sha256(0, filesize) == "00e09754526d0fe836ba27e3144ae161b0ecd3774abec5560504a16a67f0087c" or
                hash.sha256(0, filesize) == "4e1f8888d020decd09799ec946f1bf677cac6612b24582ddbf4d8ede425d8384" or
                hash.sha256(0, filesize) == "9b481b69cd91b09fa7bae7428f646dd89473a4c03393e43da81fe756cde1c472" or
                hash.sha256(0, filesize) == "cbfe8de6ffadbb1d396f61e63eb18e8b11c29527c1528641e3223d4c516cf7c3" or
                hash.sha256(0, filesize) == "dce5df29bddff5a4ddaea5c4fec14da91f7b69063a6e1c45ed61e5da4fc6c87b" or
                hash.sha256(0, filesize) == "f34bd1d485de437fe18360d1e850c3fd64415e49d691e610711d8d232071a0b1"
            )
    }

⚠ Rules are AI-generated and unvalidated. Test in a safe environment before production use.