macOS Analysis Report
DiskMaker_X_9.dmg

Overview

General Information

Sample Name: DiskMaker_X_9.dmg
Analysis ID: 756104
MD5: d575c6a40278340f092a6fc4e26e4d11
SHA1: 87d92610155135621014afefa88d8b6c9ad5f0ed
SHA256: 96845cd375543401b822fb4e17d2ecc300fcb621f56afcdad613ae11c9afddce

Detection

Score: 8
Range: 0 - 100
Whitelisted: false

Signatures

Uses AppleScript framework/components containing Apple Script related functionalities
Reads the systems hostname
Reads the kernel OS version value
Executes the "grep" command used to find patterns in files or piped streams
Reads the sysctl safe boot value (probably to check if the system is in safe boot mode)
Executes the "ps" command used to list the status of processes
Queries OS software version with shell command 'sw_vers'
Executes the "curl" command used to transfer data via the network (typically using HTTP/S)
Reads launchservices plist files
Uses AppleScript scripting additions containing additional functionalities for Apple Scripts
Reads hardware related sysctl values
Executes commands using a shell command-line interpreter
Reads the systems OS release and/or type
Executes the "defaults" command used to read or modify user specific settings
Executes the "touch" command used to create files or modify time stamps
Many shell processes execute programs via execve syscall (might be indicative for malicious behavior)

Classification

Source: unknown TCP traffic detected without corresponding DNS query: 17.253.15.203
Source: unknown TCP traffic detected without corresponding DNS query: 23.3.109.8
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: DiskMaker_X_9.dmg String found in binary or memory: http://crl.apple.com/applerootcag3.crl0
Source: applet, 00000893.00000288.1.000000010e2f4000.000000010e30f000.r--.sdmp, applet, 00000893.00000288.1.0000000106bea000.0000000106bf6000.r--.sdmp, applet, 00000893.00000288.1.0000000105251000.0000000105254000.r--.sdmp String found in binary or memory: http://crl.apple.com/codesigning.crl0
Source: applet, 00000893.00000288.1.000000010378f000.0000000103794000.r--.sdmp, DiskMaker_X_9.dmg String found in binary or memory: http://crl.apple.com/root.crl0
Source: applet, 00000893.00000288.1.000000010378f000.0000000103794000.r--.sdmp, DiskMaker_X_9.dmg String found in binary or memory: http://crl.apple.com/timestamp.crl0
Source: applet, 00000893.00000288.1.000000010378f000.0000000103794000.r--.sdmp, DiskMaker_X_9.dmg String found in binary or memory: http://ocsp.apple.com/ocsp-devid010
Source: DiskMaker_X_9.dmg String found in binary or memory: http://ocsp.apple.com/ocsp03-applerootcag307
Source: DiskMaker_X_9.dmg String found in binary or memory: http://ocsp.apple.com/ocsp03-asica4020
Source: applet, 00000893.00000288.1.000000010e2f4000.000000010e30f000.r--.sdmp, applet, 00000893.00000288.1.000000010378f000.0000000103794000.r--.sdmp, applet, 00000893.00000288.1.0000000106bea000.0000000106bf6000.r--.sdmp, applet, 00000893.00000288.1.0000000105251000.0000000105254000.r--.sdmp, DiskMaker_X_9.dmg String found in binary or memory: http://www.apple.com/DTDs/PropertyList-1.0.dtd
Source: applet, 00000893.00000288.1.000000010e2f4000.000000010e30f000.r--.sdmp, applet, 00000893.00000288.1.0000000106bea000.0000000106bf6000.r--.sdmp, applet, 00000893.00000288.1.0000000105251000.0000000105254000.r--.sdmp String found in binary or memory: http://www.apple.com/appleca/root.crl0
Source: applet, 00000893.00000288.1.000000010378f000.0000000103794000.r--.sdmp, DiskMaker_X_9.dmg String found in binary or memory: http://www.apple.com/appleca0
Source: applet, 00000893.00000288.1.000000010e2f4000.000000010e30f000.r--.sdmp, applet, 00000893.00000288.1.0000000106bea000.0000000106bf6000.r--.sdmp, applet, 00000893.00000288.1.0000000105251000.0000000105254000.r--.sdmp String found in binary or memory: http://www.apple.com/certificateauthority0
Source: applet, 00000893.00000288.1.0000000105736000.00000001058ef000.r--.sdmp String found in binary or memory: http://www.apple.com/http://www.apple.com/Copyright
Source: applet, 00000893.00000288.1.000000010e2f4000.000000010e30f000.r--.sdmp, applet, 00000893.00000288.1.000000010378f000.0000000103794000.r--.sdmp, applet, 00000893.00000288.1.0000000106bea000.0000000106bf6000.r--.sdmp, applet, 00000893.00000288.1.0000000105251000.0000000105254000.r--.sdmp, DiskMaker_X_9.dmg String found in binary or memory: https://www.apple.com/appleca/0
Source: unknown DNS traffic detected: queries for: diskmakerx.com
Source: global traffic HTTP traffic detected: GET /CurrentLDMVersion HTTP/1.1 Host: diskmakerx.com User-Agent: curl/7.54.0 Accept: */*
Source: classification engine Classification label: clean8.macDMG@0/9@1/0
Source: /Volumes/DiskMaker X 9/DiskMaker X 9 for macOS Catalina.app/Contents/MacOS/applet (PID: 893) AppleScript framework/component info plist opened: /System/Library/Components/AppleScript.component/Contents/Info.plist
Source: /Volumes/DiskMaker X 9/DiskMaker X 9 for macOS Catalina.app/Contents/MacOS/applet (PID: 893) AppleScript framework/component info plist opened: /System/Library/PrivateFrameworks/AppleScript.framework/Resources/Info.plist
Source: /bin/sh (PID: 923) Grep executable: /usr/bin/grep -> grep -v Library
Source: /bin/sh (PID: 917) Ps executable: /bin/ps -> ps auxc
Source: /bin/sh (PID: 919) Curl executable: /usr/bin/curl -> curl http://diskmakerx.com/CurrentLDMVersion
Source: /usr/bin/open (PID: 892) Launchservices plist file read: /System/Library/Preferences/Logging/Subsystems/com.apple.launchservices.plist
Source: /Volumes/DiskMaker X 9/DiskMaker X 9 for macOS Catalina.app/Contents/MacOS/applet (PID: 893) Launchservices plist file read: /System/Library/Preferences/Logging/Subsystems/com.apple.launchservices.plist
Source: /Volumes/DiskMaker X 9/DiskMaker X 9 for macOS Catalina.app/Contents/MacOS/applet (PID: 893) AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/Digital Hub Scripting.osax/Contents/Info.plist
Source: /Volumes/DiskMaker X 9/DiskMaker X 9 for macOS Catalina.app/Contents/MacOS/applet (PID: 893) AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/Info.plist
Source: /Volumes/DiskMaker X 9/DiskMaker X 9 for macOS Catalina.app/Contents/MacOS/applet (PID: 894) Shell command executed: sh -c echo $HOME
Source: /Volumes/DiskMaker X 9/DiskMaker X 9 for macOS Catalina.app/Contents/MacOS/applet (PID: 895) Shell command executed: sh -c touch '/Users/berri'/Library/Logs/DiskMakerX.log
Source: /Volumes/DiskMaker X 9/DiskMaker X 9 for macOS Catalina.app/Contents/MacOS/applet (PID: 896) Shell command executed: sh -c echo '--------------------------------------------------------------------------------' >> '/Users/berri'/Library/Logs/DiskMakerX.log
Source: /Volumes/DiskMaker X 9/DiskMaker X 9 for macOS Catalina.app/Contents/MacOS/applet (PID: 897) Shell command executed: sh -c date >> '/Users/berri'/Library/Logs/DiskMakerX.log
Source: /Volumes/DiskMaker X 9/DiskMaker X 9 for macOS Catalina.app/Contents/MacOS/applet (PID: 899) Shell command executed: sh -c echo 'Home Path: ' '/Users/berri'>> '/Users/berri'/Library/Logs/DiskMakerX.log
Source: /Volumes/DiskMaker X 9/DiskMaker X 9 for macOS Catalina.app/Contents/MacOS/applet (PID: 900) Shell command executed: sh -c defaults read NSGlobalDomain AppleLanguages
Source: /Volumes/DiskMaker X 9/DiskMaker X 9 for macOS Catalina.app/Contents/MacOS/applet (PID: 901) Shell command executed: sh -c echo 'Current Language: ' en-CH>> '/Users/berri'/Library/Logs/DiskMakerX.log
Source: /Volumes/DiskMaker X 9/DiskMaker X 9 for macOS Catalina.app/Contents/MacOS/applet (PID: 902) Shell command executed: sh -c sw_vers -productVersion | cut -c 1-4
Source: /Volumes/DiskMaker X 9/DiskMaker X 9 for macOS Catalina.app/Contents/MacOS/applet (PID: 905) Shell command executed: sh -c sw_vers -productVersion | cut -c 4-4
Source: /Volumes/DiskMaker X 9/DiskMaker X 9 for macOS Catalina.app/Contents/MacOS/applet (PID: 908) Shell command executed: sh -c sw_vers -productVersion | cut -c 1-5
Source: /Volumes/DiskMaker X 9/DiskMaker X 9 for macOS Catalina.app/Contents/MacOS/applet (PID: 911) Shell command executed: sh -c sw_vers -productVersion | cut -c 4-5
Source: /Volumes/DiskMaker X 9/DiskMaker X 9 for macOS Catalina.app/Contents/MacOS/applet (PID: 914) Shell command executed: sh -c echo 'Current OS: ' 10.13>> '/Users/berri'/Library/Logs/DiskMakerX.log
Source: /Volumes/DiskMaker X 9/DiskMaker X 9 for macOS Catalina.app/Contents/MacOS/applet (PID: 915) Shell command executed: sh -c id -G
Source: /Volumes/DiskMaker X 9/DiskMaker X 9 for macOS Catalina.app/Contents/MacOS/applet (PID: 916) Shell command executed: sh -c echo 'Is this user an admin : ' true>> '/Users/berri'/Library/Logs/DiskMakerX.log
Source: /Volumes/DiskMaker X 9/DiskMaker X 9 for macOS Catalina.app/Contents/MacOS/applet (PID: 917) Shell command executed: sh -c ps auxc
Source: /Volumes/DiskMaker X 9/DiskMaker X 9 for macOS Catalina.app/Contents/MacOS/applet (PID: 918) Shell command executed: sh -c echo 'Path Finder launched : ' false>> '/Users/berri'/Library/Logs/DiskMakerX.log
Source: /Volumes/DiskMaker X 9/DiskMaker X 9 for macOS Catalina.app/Contents/MacOS/applet (PID: 919) Shell command executed: sh -c curl http://diskmakerx.com/CurrentLDMVersion
Source: /Volumes/DiskMaker X 9/DiskMaker X 9 for macOS Catalina.app/Contents/MacOS/applet (PID: 920) Shell command executed: sh -c echo 'Selected OS: ' 10.15>> '/Users/berri'/Library/Logs/DiskMakerX.log
Source: /Volumes/DiskMaker X 9/DiskMaker X 9 for macOS Catalina.app/Contents/MacOS/applet (PID: 921) Shell command executed: sh -c mdfind -name 'Install macOS Catalina' | grep -v Library | head -1
Source: /Volumes/DiskMaker X 9/DiskMaker X 9 for macOS Catalina.app/Contents/MacOS/applet (PID: 925) Shell command executed: sh -c echo '' | wc -l
Source: /bin/sh (PID: 895) Touch executable: /usr/bin/touch -> touch /Users/berri/Library/Logs/DiskMakerX.log
Source: /bin/sh (PID: 895) Shell process: touch /Users/berri/Library/Logs/DiskMakerX.log
Source: /bin/sh (PID: 898) Shell process: date
Source: /bin/sh (PID: 900) Shell process: defaults read NSGlobalDomain AppleLanguages
Source: /bin/sh (PID: 903) Shell process: sw_vers -productVersion
Source: /bin/sh (PID: 904) Shell process: cut -c 1-4
Source: /bin/sh (PID: 906) Shell process: sw_vers -productVersion
Source: /bin/sh (PID: 907) Shell process: cut -c 4-4
Source: /bin/sh (PID: 909) Shell process: sw_vers -productVersion
Source: /bin/sh (PID: 910) Shell process: cut -c 1-5
Source: /bin/sh (PID: 912) Shell process: sw_vers -productVersion
Source: /bin/sh (PID: 913) Shell process: cut -c 4-5
Source: /bin/sh (PID: 915) Shell process: id -G
Source: /bin/sh (PID: 917) Shell process: ps auxc
Source: /bin/sh (PID: 919) Shell process: curl http://diskmakerx.com/CurrentLDMVersion
Source: /bin/sh (PID: 922) Shell process: mdfind -name Install macOS Catalina
Source: /bin/sh (PID: 923) Shell process: grep -v Library
Source: /bin/sh (PID: 924) Shell process: head -1
Source: /bin/sh (PID: 927) Shell process: wc -l
Source: /Volumes/DiskMaker X 9/DiskMaker X 9 for macOS Catalina.app/Contents/MacOS/applet (PID: 893) AppleKeyboardLayouts info plist opened: /System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Info.plist
Source: /Volumes/DiskMaker X 9/DiskMaker X 9 for macOS Catalina.app/Contents/MacOS/applet (PID: 893) Random device file read: /dev/random
Source: /bin/sh (PID: 896) Log file created: /Users/berri/Library/Logs/DiskMakerX.log
Source: /bin/date (PID: 898) Log file created: /Users/berri/Library/Logs/DiskMakerX.log
Source: /bin/sh (PID: 899) Log file created: /Users/berri/Library/Logs/DiskMakerX.log
Source: /bin/sh (PID: 901) Log file created: /Users/berri/Library/Logs/DiskMakerX.log
Source: /bin/sh (PID: 914) Log file created: /Users/berri/Library/Logs/DiskMakerX.log
Source: /bin/sh (PID: 916) Log file created: /Users/berri/Library/Logs/DiskMakerX.log
Source: /bin/sh (PID: 918) Log file created: /Users/berri/Library/Logs/DiskMakerX.log
Source: /bin/sh (PID: 920) Log file created: /Users/berri/Library/Logs/DiskMakerX.log
Source: submission CodeSign Info: Executable=/Volumes/DiskMaker X 9/DiskMaker X 9 for macOS Catalina.app/Contents/MacOS/applet
Source: /Volumes/DiskMaker X 9/DiskMaker X 9 for macOS Catalina.app/Contents/MacOS/applet (PID: 893) Sysctl read request: kern.safeboot (1.66)
Source: /Volumes/DiskMaker X 9/DiskMaker X 9 for macOS Catalina.app/Contents/MacOS/applet (PID: 893) Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 894) Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 895) Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 896) Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 897) Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 899) Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 900) Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 901) Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 902) Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 905) Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 908) Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 911) Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 914) Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 915) Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 916) Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 917) Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 918) Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 919) Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 920) Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 921) Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 925) Sysctl requested: kern.hostname (1.10)
Source: /Volumes/DiskMaker X 9/DiskMaker X 9 for macOS Catalina.app/Contents/MacOS/applet (PID: 893) Sysctl read request: kern.osversion (1.65)
Source: /bin/sh (PID: 903) sw_vers executed: sw_vers -productVersion
Source: /bin/sh (PID: 906) sw_vers executed: sw_vers -productVersion
Source: /bin/sh (PID: 909) sw_vers executed: sw_vers -productVersion
Source: /bin/sh (PID: 912) sw_vers executed: sw_vers -productVersion
Source: /Volumes/DiskMaker X 9/DiskMaker X 9 for macOS Catalina.app/Contents/MacOS/applet (PID: 893) Sysctl read request: hw.availcpu (6.25)
Source: /bin/ps (PID: 917) Sysctl read request: hw.memsize (6.24)
Source: /Volumes/DiskMaker X 9/DiskMaker X 9 for macOS Catalina.app/Contents/MacOS/applet (PID: 893) Sysctl requested: kern.ostype (1.1)
Source: /Volumes/DiskMaker X 9/DiskMaker X 9 for macOS Catalina.app/Contents/MacOS/applet (PID: 893) Sysctl requested: kern.osrelease (1.2)
Source: /usr/bin/open (PID: 892) System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /Volumes/DiskMaker X 9/DiskMaker X 9 for macOS Catalina.app/Contents/MacOS/applet (PID: 893) System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /usr/bin/sw_vers (PID: 903) System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /usr/bin/sw_vers (PID: 906) System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /usr/bin/sw_vers (PID: 909) System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /usr/bin/sw_vers (PID: 912) System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /bin/sh (PID: 900) Defaults executable: /usr/bin/defaults defaults read NSGlobalDomain AppleLanguages