Cherry Picker is a point of sale (PoS) memory scraper. [1]
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1546.010 | Event Triggered Execution: AppInit DLLs | Some variants of Cherry Picker use AppInit_DLLs to achieve persistence by creating the following Registry key: |
| Enterprise | T1048.003 | Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | Cherry Picker exfiltrates files over FTP.[1] |
| Enterprise | T1070.004 | Indicator Removal on Host: File Deletion | Recent versions of Cherry Picker delete files and registry keys created by the malware.[1] |
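The AppInit_DLLs persistence row above is the one a defender can audit directly from the registry. The following is an added example (not part of the ATT&CK entry or the cited report) that parses the text `reg query` prints for the two AppInit_DLLs locations and reports any key where a DLL is registered, along with whether loading is enabled and whether signed DLLs are required. The two key paths are the standard Windows locations for this mechanism (the page itself truncates the key); the `reg query` output and the DLL file name are constructed sample data, not indicators from the report.

```python
import re
from dataclasses import dataclass

# Standard Windows locations of the AppInit_DLLs mechanism (64-bit and WOW64
# views). These are well-known paths, not values taken from the ATT&CK page.
APPINIT_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows",
)

# Constructed sample of `reg query` output: the 64-bit key has a DLL
# registered (hypothetical file name) with loading enabled and no signature
# requirement; the WOW64 key is clean.
SAMPLE_REG_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    AppInit_DLLs    REG_SZ    C:\Windows\System32\example-appinit.dll
    LoadAppInit_DLLs    REG_DWORD    0x1
    RequireSignedAppInit_DLLs    REG_DWORD    0x0

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows
    AppInit_DLLs    REG_SZ
    LoadAppInit_DLLs    REG_DWORD    0x0
"""


@dataclass
class AppInitFinding:
    key: str
    dlls: list
    load_enabled: bool
    require_signed: bool


def parse_reg_query(text):
    """Parse `reg query` text into {key_path: {value_name: (type, data)}}.

    Key paths are unindented lines; values are indented and separated from
    their type and data by runs of whitespace. Data may be empty (REG_SZ "").
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw.startswith(" "):
            current = raw.strip()
            keys[current] = {}
            continue
        if current is None:
            continue
        fields = re.split(r"\s{2,}", raw.strip(), maxsplit=2)
        name = fields[0]
        vtype = fields[1] if len(fields) > 1 else ""
        data = fields[2] if len(fields) > 2 else ""
        keys[current][name] = (vtype, data)
    return keys


def _dword(values, name, default=0):
    """Read a REG_DWORD value such as '0x1'; fall back to default if absent."""
    _, data = values.get(name, ("REG_DWORD", hex(default)))
    try:
        return int(data, 16)
    except ValueError:
        return default


def audit_appinit(reg_text):
    """Return a finding for every AppInit_DLLs key that lists at least one DLL."""
    findings = []
    keys = parse_reg_query(reg_text)
    for key in APPINIT_KEYS:
        values = keys.get(key)
        if values is None:
            continue
        _, data = values.get("AppInit_DLLs", ("REG_SZ", ""))
        # Entries may be separated by spaces or commas.
        dlls = [d for d in re.split(r"[ ,]+", data.strip()) if d]
        if not dlls:
            continue
        findings.append(AppInitFinding(
            key=key,
            dlls=dlls,
            load_enabled=_dword(values, "LoadAppInit_DLLs") != 0,
            require_signed=_dword(values, "RequireSignedAppInit_DLLs") != 0,
        ))
    return findings


if __name__ == "__main__":
    for f in audit_appinit(SAMPLE_REG_OUTPUT):
        state = "ACTIVE" if f.load_enabled else "configured but loading disabled"
        print(f"{f.key}\n  DLLs: {f.dlls}\n  {state}; signed required: {f.require_signed}")
```

On a live host, feed the function the output of `reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"` (and the Wow6432Node key); any non-empty AppInit_DLLs value warrants review, and one with LoadAppInit_DLLs set and RequireSignedAppInit_DLLs clear is the configuration that lets an unsigned DLL load into every process that links user32.dll.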