Skip to content

S0107 Cherry Picker

Cherry Picker is a point of sale (PoS) memory scraper. 1

Item Value
ID S0107
Associated Names
Version 1.1
Created 31 May 2017
Last Modified 30 March 2020
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1546 Event Triggered Execution -
enterprise T1546.010 AppInit DLLs Some variants of Cherry Picker use AppInit_DLLs to achieve persistence by creating the following Registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows “AppInit_DLLs”=”pserver32.dll”1
enterprise T1048 Exfiltration Over Alternative Protocol -
enterprise T1048.003 Exfiltration Over Unencrypted Non-C2 Protocol Cherry Picker exfiltrates files over FTP.1
enterprise T1070 Indicator Removal on Host -
enterprise T1070.004 File Deletion Recent versions of Cherry Picker delete files and registry keys created by the malware.1


Back to top