IOC Report
DiskMaker_X_9.dmg


Files

File Path | Type | Category | Malicious
DiskMaker_X_9.dmg | bzip2 compressed data, block size = 100k | initial sample |
/Users/berri/Library/Logs/DiskMakerX.log | ASCII text | dropped |
/dev/null | ASCII text | dropped |

Processes

Each entry lists the process Path on the first line and its Cmdline on the indented second line; the Malicious column is empty for every entry.

/Library/Frameworks/Mono.framework/Versions/4.4.2/bin/mono-sgen32
    n/a
/usr/bin/open
    (empty)
/usr/libexec/xpcproxy
    n/a
/Volumes/DiskMaker X 9/DiskMaker X 9 for macOS Catalina.app/Contents/MacOS/applet
    /Volumes/DiskMaker X 9/DiskMaker X 9 for macOS Catalina.app/Contents/MacOS/applet
/Volumes/DiskMaker X 9/DiskMaker X 9 for macOS Catalina.app/Contents/MacOS/applet
    n/a
/bin/sh
    sh -c echo $HOME
/Volumes/DiskMaker X 9/DiskMaker X 9 for macOS Catalina.app/Contents/MacOS/applet
    n/a
/bin/sh
    sh -c touch '/Users/berri'/Library/Logs/DiskMakerX.log
/usr/bin/touch
    touch /Users/berri/Library/Logs/DiskMakerX.log
/Volumes/DiskMaker X 9/DiskMaker X 9 for macOS Catalina.app/Contents/MacOS/applet
    n/a
/bin/sh
    sh -c echo '--------------------------------------------------------------------------------' >> '/Users/berri'/Library/Logs/DiskMakerX.log
/Volumes/DiskMaker X 9/DiskMaker X 9 for macOS Catalina.app/Contents/MacOS/applet
    n/a
/bin/sh
    sh -c date >> '/Users/berri'/Library/Logs/DiskMakerX.log
/bin/sh
    n/a
/bin/date
    date
/Volumes/DiskMaker X 9/DiskMaker X 9 for macOS Catalina.app/Contents/MacOS/applet
    n/a
/bin/sh
    sh -c echo 'Home Path: ' '/Users/berri'>> '/Users/berri'/Library/Logs/DiskMakerX.log
/Volumes/DiskMaker X 9/DiskMaker X 9 for macOS Catalina.app/Contents/MacOS/applet
    n/a
/bin/sh
    sh -c defaults read NSGlobalDomain AppleLanguages
/usr/bin/defaults
    defaults read NSGlobalDomain AppleLanguages
/Volumes/DiskMaker X 9/DiskMaker X 9 for macOS Catalina.app/Contents/MacOS/applet
    n/a
/bin/sh
    sh -c echo 'Current Language: ' en-CH>> '/Users/berri'/Library/Logs/DiskMakerX.log
/Volumes/DiskMaker X 9/DiskMaker X 9 for macOS Catalina.app/Contents/MacOS/applet
    n/a
/bin/sh
    sh -c sw_vers -productVersion | cut -c 1-4
/bin/sh
    n/a
/usr/bin/sw_vers
    sw_vers -productVersion
/bin/sh
    n/a
/usr/bin/cut
    cut -c 1-4
/Volumes/DiskMaker X 9/DiskMaker X 9 for macOS Catalina.app/Contents/MacOS/applet
    n/a
/bin/sh
    sh -c sw_vers -productVersion | cut -c 4-4
/bin/sh
    n/a
/usr/bin/sw_vers
    sw_vers -productVersion
/bin/sh
    n/a
/usr/bin/cut
    cut -c 4-4
/Volumes/DiskMaker X 9/DiskMaker X 9 for macOS Catalina.app/Contents/MacOS/applet
    n/a
/bin/sh
    sh -c sw_vers -productVersion | cut -c 1-5
/bin/sh
    n/a
/usr/bin/sw_vers
    sw_vers -productVersion
/bin/sh
    n/a
/usr/bin/cut
    cut -c 1-5
/Volumes/DiskMaker X 9/DiskMaker X 9 for macOS Catalina.app/Contents/MacOS/applet
    n/a
/bin/sh
    sh -c sw_vers -productVersion | cut -c 4-5
/bin/sh
    n/a
/usr/bin/sw_vers
    sw_vers -productVersion
/bin/sh
    n/a
/usr/bin/cut
    cut -c 4-5
/Volumes/DiskMaker X 9/DiskMaker X 9 for macOS Catalina.app/Contents/MacOS/applet
    n/a
/bin/sh
    sh -c echo 'Current OS: ' 10.13>> '/Users/berri'/Library/Logs/DiskMakerX.log
/Volumes/DiskMaker X 9/DiskMaker X 9 for macOS Catalina.app/Contents/MacOS/applet
    n/a
/bin/sh
    sh -c id -G
/usr/bin/id
    id -G
/Volumes/DiskMaker X 9/DiskMaker X 9 for macOS Catalina.app/Contents/MacOS/applet
    n/a
/bin/sh
    sh -c echo 'Is this user an admin : ' true>> '/Users/berri'/Library/Logs/DiskMakerX.log
/Volumes/DiskMaker X 9/DiskMaker X 9 for macOS Catalina.app/Contents/MacOS/applet
    n/a
/bin/sh
    sh -c ps auxc
/bin/ps
    ps auxc
/Volumes/DiskMaker X 9/DiskMaker X 9 for macOS Catalina.app/Contents/MacOS/applet
    n/a
/bin/sh
    sh -c echo 'Path Finder launched : ' false>> '/Users/berri'/Library/Logs/DiskMakerX.log
/Volumes/DiskMaker X 9/DiskMaker X 9 for macOS Catalina.app/Contents/MacOS/applet
    n/a
/bin/sh
    sh -c curl http://diskmakerx.com/CurrentLDMVersion
/usr/bin/curl
    curl http://diskmakerx.com/CurrentLDMVersion
/Volumes/DiskMaker X 9/DiskMaker X 9 for macOS Catalina.app/Contents/MacOS/applet
    n/a
/bin/sh
    sh -c echo 'Selected OS: ' 10.15>> '/Users/berri'/Library/Logs/DiskMakerX.log
/Volumes/DiskMaker X 9/DiskMaker X 9 for macOS Catalina.app/Contents/MacOS/applet
    n/a
/bin/sh
    sh -c mdfind -name 'Install macOS Catalina' | grep -v Library | head -1
/bin/sh
    n/a
/usr/bin/mdfind
    mdfind -name Install macOS Catalina
/bin/sh
    n/a
/usr/bin/grep
    grep -v Library
/bin/sh
    n/a
/usr/bin/head
    head -1
/Volumes/DiskMaker X 9/DiskMaker X 9 for macOS Catalina.app/Contents/MacOS/applet
    n/a
/bin/sh
    sh -c echo '' | wc -l
/bin/sh
    n/a
/bin/sh
    n/a
/usr/bin/wc
    wc -l
/usr/libexec/automountd
    n/a
/usr/libexec/od_user_homes
    /usr/libexec/od_user_homes .localized

68 further processes are not listed in this report.

URLs

Name | IP | Malicious
http://diskmakerx.com/CurrentLDMVersion | 217.160.0.214 |

Domains

Name | IP | Malicious
diskmakerx.com | 217.160.0.214 |

IPs

IP | Domain | Country | Malicious
217.160.0.214 | diskmakerx.com | Germany |
23.3.109.8 | unknown | United States |