S0107 Cherry Picker
Cherry Picker is a point of sale (PoS) memory scraper.[1]
| Item | Value |
|---|---|
| ID | S0107 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.1 |
| Created | 31 May 2017 |
| Last Modified | 30 March 2020 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1546 | Event Triggered Execution | - |
| enterprise | T1546.010 | AppInit DLLs | Some variants of Cherry Picker use AppInit_DLLs to achieve persistence by creating the following Registry key: `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows "AppInit_DLLs"="pserver32.dll"`.[1] |
| enterprise | T1048 | Exfiltration Over Alternative Protocol | - |
| enterprise | T1048.003 | Exfiltration Over Unencrypted Non-C2 Protocol | Cherry Picker exfiltrates files over FTP.[1] |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.004 | File Deletion | Recent versions of Cherry Picker delete files and registry keys created by the malware.[1] |