Edit tour

macOS Analysis Report
DiskMaker_X_9.dmg

Overview

General Information

Sample Name:	DiskMaker_X_9.dmg
Analysis ID:	756104
MD5:	d575c6a40278340f092a6fc4e26e4d11
SHA1:	87d92610155135621014afefa88d8b6c9ad5f0ed
SHA256:	96845cd375543401b822fb4e17d2ecc300fcb621f56afcdad613ae11c9afddce
Infos:

Detection

Score:	8
Range:	0 - 100
Whitelisted:	false

Signatures

Uses AppleScript framework/components containing Apple Script related functionalities

Reads the systems hostname

Reads the kernel OS version value

Executes the "grep" command used to find patterns in files or piped streams

Reads the sysctl safe boot value (probably to check if the system is in safe boot mode)

Executes the "ps" command used to list the status of processes

Queries OS software version with shell command 'sw_vers'

Executes the "curl" command used to transfer data via the network (typically using HTTP/S)

Reads launchservices plist files

Uses AppleScript scripting additions containing additional functionalities for Apple Scripts

Reads hardware related sysctl values

Executes commands using a shell command-line interpreter

Reads the systems OS release and/or type

Executes the "defaults" command used to read or modify user specific settings

Executes the "touch" command used to create files or modify time stamps

Many shell processes execute programs via execve syscall (might be indicative for malicious behavior)

Classification

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	756104
Start date and time:	2022-11-29 16:37:54 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 4m 51s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	DiskMaker_X_9.dmg
Cookbook file name:	defaultmacfilecookbook.jbs
Analysis system description:	Virtual Machine, High Sierra (Office 2016 16.16, Java 11.0.2+9, Adobe Reader 2019.010.20099)
Analysis Mode:	default
Detection:	CLEAN
Classification:	clean8.macDMG@0/9@1/0

Warnings

Excluded domains from analysis (whitelisted): b._dns-sd._udp.0.11.168.192.in-addr.arpa, db._dns-sd._udp.0.11.168.192.in-addr.arpa, lb._dns-sd._udp.0.11.168.192.in-addr.arpa

Runtime Messages

Command:	open "/Volumes/DiskMaker X 9/DiskMaker X 9 for macOS Catalina.app"
PID:	892
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:
Standard Error:

Process Tree

System is macvm-highsierra

mono-sgen32 New Fork (PID: 892, Parent: 812)

open (MD5: 40ed6d8f35c9f20484b97582d296398f) Arguments:

xpcproxy New Fork (PID: 893, Parent: 1)

applet (MD5: 0717bb720584b8dc860a0b9e235dd447) Arguments: /Volumes/DiskMaker X 9/DiskMaker X 9 for macOS Catalina.app/Contents/MacOS/applet

applet New Fork (PID: 894, Parent: 893)

sh (MD5: 8aa60b22a5d30418a002b340989384dc) Arguments: sh -c echo $HOME

applet New Fork (PID: 895, Parent: 893)

sh (MD5: 8aa60b22a5d30418a002b340989384dc) Arguments: sh -c touch '/Users/berri'/Library/Logs/DiskMakerX.log

touch (MD5: 4aacabad02929f18b00a9b6ef85e0605) Arguments: touch /Users/berri/Library/Logs/DiskMakerX.log

applet New Fork (PID: 896, Parent: 893)

sh (MD5: 8aa60b22a5d30418a002b340989384dc) Arguments: sh -c echo '--------------------------------------------------------------------------------' >> '/Users/berri'/Library/Logs/DiskMakerX.log

applet New Fork (PID: 897, Parent: 893)

sh (MD5: 8aa60b22a5d30418a002b340989384dc) Arguments: sh -c date >> '/Users/berri'/Library/Logs/DiskMakerX.log

sh New Fork (PID: 898, Parent: 897)

date (MD5: e1d20c480fcdc1ac4646170b1d9ca7c7) Arguments: date

applet New Fork (PID: 899, Parent: 893)

sh (MD5: 8aa60b22a5d30418a002b340989384dc) Arguments: sh -c echo 'Home Path: ' '/Users/berri'>> '/Users/berri'/Library/Logs/DiskMakerX.log

applet New Fork (PID: 900, Parent: 893)

sh (MD5: 8aa60b22a5d30418a002b340989384dc) Arguments: sh -c defaults read NSGlobalDomain AppleLanguages

defaults (MD5: 831678c94c2d9c647bf3d283b1861bda) Arguments: defaults read NSGlobalDomain AppleLanguages

applet New Fork (PID: 901, Parent: 893)

sh (MD5: 8aa60b22a5d30418a002b340989384dc) Arguments: sh -c echo 'Current Language: ' en-CH>> '/Users/berri'/Library/Logs/DiskMakerX.log

applet New Fork (PID: 902, Parent: 893)

sh (MD5: 8aa60b22a5d30418a002b340989384dc) Arguments: sh -c sw_vers -productVersion | cut -c 1-4

sh New Fork (PID: 903, Parent: 902)

sw_vers (MD5: d33f7f9efd4158694d0d58879b54f89d) Arguments: sw_vers -productVersion

sh New Fork (PID: 904, Parent: 902)

cut (MD5: e27c92637d672468ea846d377b500eb1) Arguments: cut -c 1-4

applet New Fork (PID: 905, Parent: 893)

sh (MD5: 8aa60b22a5d30418a002b340989384dc) Arguments: sh -c sw_vers -productVersion | cut -c 4-4

sh New Fork (PID: 906, Parent: 905)

sw_vers (MD5: d33f7f9efd4158694d0d58879b54f89d) Arguments: sw_vers -productVersion

sh New Fork (PID: 907, Parent: 905)

cut (MD5: e27c92637d672468ea846d377b500eb1) Arguments: cut -c 4-4

applet New Fork (PID: 908, Parent: 893)

sh (MD5: 8aa60b22a5d30418a002b340989384dc) Arguments: sh -c sw_vers -productVersion | cut -c 1-5

sh New Fork (PID: 909, Parent: 908)

sw_vers (MD5: d33f7f9efd4158694d0d58879b54f89d) Arguments: sw_vers -productVersion

sh New Fork (PID: 910, Parent: 908)

cut (MD5: e27c92637d672468ea846d377b500eb1) Arguments: cut -c 1-5

applet New Fork (PID: 911, Parent: 893)

sh (MD5: 8aa60b22a5d30418a002b340989384dc) Arguments: sh -c sw_vers -productVersion | cut -c 4-5

sh New Fork (PID: 912, Parent: 911)

sw_vers (MD5: d33f7f9efd4158694d0d58879b54f89d) Arguments: sw_vers -productVersion

sh New Fork (PID: 913, Parent: 911)

cut (MD5: e27c92637d672468ea846d377b500eb1) Arguments: cut -c 4-5

applet New Fork (PID: 914, Parent: 893)

sh (MD5: 8aa60b22a5d30418a002b340989384dc) Arguments: sh -c echo 'Current OS: ' 10.13>> '/Users/berri'/Library/Logs/DiskMakerX.log

applet New Fork (PID: 915, Parent: 893)

sh (MD5: 8aa60b22a5d30418a002b340989384dc) Arguments: sh -c id -G

id (MD5: 24c45eb23e1aae68c572939d1a906018) Arguments: id -G

applet New Fork (PID: 916, Parent: 893)

sh (MD5: 8aa60b22a5d30418a002b340989384dc) Arguments: sh -c echo 'Is this user an admin : ' true>> '/Users/berri'/Library/Logs/DiskMakerX.log

applet New Fork (PID: 917, Parent: 893)

sh (MD5: 8aa60b22a5d30418a002b340989384dc) Arguments: sh -c ps auxc

ps (MD5: 792e18b1417ac1f184680d2423206e4f) Arguments: ps auxc

applet New Fork (PID: 918, Parent: 893)

sh (MD5: 8aa60b22a5d30418a002b340989384dc) Arguments: sh -c echo 'Path Finder launched : ' false>> '/Users/berri'/Library/Logs/DiskMakerX.log

applet New Fork (PID: 919, Parent: 893)

sh (MD5: 8aa60b22a5d30418a002b340989384dc) Arguments: sh -c curl http://diskmakerx.com/CurrentLDMVersion

curl (MD5: 078cd73f58d3d8f875eed22522ff73f7) Arguments: curl http://diskmakerx.com/CurrentLDMVersion

applet New Fork (PID: 920, Parent: 893)

sh (MD5: 8aa60b22a5d30418a002b340989384dc) Arguments: sh -c echo 'Selected OS: ' 10.15>> '/Users/berri'/Library/Logs/DiskMakerX.log

applet New Fork (PID: 921, Parent: 893)

sh (MD5: 8aa60b22a5d30418a002b340989384dc) Arguments: sh -c mdfind -name 'Install macOS Catalina' | grep -v Library | head -1

sh New Fork (PID: 922, Parent: 921)

mdfind (MD5: 84f3a3da590e65271df7fecb27671fac) Arguments: mdfind -name Install macOS Catalina

sh New Fork (PID: 923, Parent: 921)

grep (MD5: 2b3efb273296881708ea2914c612e0eb) Arguments: grep -v Library

sh New Fork (PID: 924, Parent: 921)

head (MD5: bb2984cc21ccc7343bed41f2b577c011) Arguments: head -1

applet New Fork (PID: 925, Parent: 893)

sh (MD5: 8aa60b22a5d30418a002b340989384dc) Arguments: sh -c echo '' | wc -l

sh New Fork (PID: 926, Parent: 925)

sh New Fork (PID: 927, Parent: 925)

wc (MD5: b89949ce6a1929257e5c0c157027cbfe) Arguments: wc -l

automountd New Fork (PID: 928, Parent: 837)

od_user_homes (MD5: 5e56553e863563a662752de9cf98be48) Arguments: /usr/libexec/od_user_homes .localized

cleanup

Yara Signatures

⊘No yara matches

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: unknown	TCP traffic detected without corresponding DNS query: 17.253.15.203
Source: unknown	TCP traffic detected without corresponding DNS query: 23.3.109.8
Source: unknown	TCP traffic detected without corresponding DNS query: 17.253.15.203
Source: unknown	TCP traffic detected without corresponding DNS query: 23.3.109.8
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: DiskMaker_X_9.dmg	String found in binary or memory: http://crl.apple.com/applerootcag3.crl0
Source: applet, 00000893.00000288.1.000000010e2f4000.000000010e30f000.r--.sdmp, applet, 00000893.00000288.1.0000000106bea000.0000000106bf6000.r--.sdmp, applet, 00000893.00000288.1.0000000105251000.0000000105254000.r--.sdmp	String found in binary or memory: http://crl.apple.com/codesigning.crl0
Source: applet, 00000893.00000288.1.000000010378f000.0000000103794000.r--.sdmp, DiskMaker_X_9.dmg	String found in binary or memory: http://crl.apple.com/root.crl0
Source: applet, 00000893.00000288.1.000000010378f000.0000000103794000.r--.sdmp, DiskMaker_X_9.dmg	String found in binary or memory: http://crl.apple.com/timestamp.crl0
Source: applet, 00000893.00000288.1.000000010378f000.0000000103794000.r--.sdmp, DiskMaker_X_9.dmg	String found in binary or memory: http://ocsp.apple.com/ocsp-devid010
Source: DiskMaker_X_9.dmg	String found in binary or memory: http://ocsp.apple.com/ocsp03-applerootcag307
Source: DiskMaker_X_9.dmg	String found in binary or memory: http://ocsp.apple.com/ocsp03-asica4020
Source: applet, 00000893.00000288.1.000000010e2f4000.000000010e30f000.r--.sdmp, applet, 00000893.00000288.1.000000010378f000.0000000103794000.r--.sdmp, applet, 00000893.00000288.1.0000000106bea000.0000000106bf6000.r--.sdmp, applet, 00000893.00000288.1.0000000105251000.0000000105254000.r--.sdmp, DiskMaker_X_9.dmg	String found in binary or memory: http://www.apple.com/DTDs/PropertyList-1.0.dtd
Source: applet, 00000893.00000288.1.000000010e2f4000.000000010e30f000.r--.sdmp, applet, 00000893.00000288.1.0000000106bea000.0000000106bf6000.r--.sdmp, applet, 00000893.00000288.1.0000000105251000.0000000105254000.r--.sdmp	String found in binary or memory: http://www.apple.com/appleca/root.crl0
Source: applet, 00000893.00000288.1.000000010378f000.0000000103794000.r--.sdmp, DiskMaker_X_9.dmg	String found in binary or memory: http://www.apple.com/appleca0
Source: applet, 00000893.00000288.1.000000010e2f4000.000000010e30f000.r--.sdmp, applet, 00000893.00000288.1.0000000106bea000.0000000106bf6000.r--.sdmp, applet, 00000893.00000288.1.0000000105251000.0000000105254000.r--.sdmp	String found in binary or memory: http://www.apple.com/certificateauthority0
Source: applet, 00000893.00000288.1.0000000105736000.00000001058ef000.r--.sdmp	String found in binary or memory: http://www.apple.com/http://www.apple.com/Copyright
Source: applet, 00000893.00000288.1.000000010e2f4000.000000010e30f000.r--.sdmp, applet, 00000893.00000288.1.000000010378f000.0000000103794000.r--.sdmp, applet, 00000893.00000288.1.0000000106bea000.0000000106bf6000.r--.sdmp, applet, 00000893.00000288.1.0000000105251000.0000000105254000.r--.sdmp, DiskMaker_X_9.dmg	String found in binary or memory: https://www.apple.com/appleca/0

Source: unknown

DNS traffic detected: queries for: diskmakerx.com

Source: global traffic

HTTP traffic detected: GET /CurrentLDMVersion HTTP/1.1Host: diskmakerx.comUser-Agent: curl/7.54.0Accept: */*

Source: classification engine

Classification label: clean8.macDMG@0/9@1/0

Source: /Volumes/DiskMaker X 9/DiskMaker X 9 for macOS Catalina.app/Contents/MacOS/applet (PID: 893)	AppleScript framework/component info plist opened: /System/Library/Components/AppleScript.component/Contents/Info.plist
Source: /Volumes/DiskMaker X 9/DiskMaker X 9 for macOS Catalina.app/Contents/MacOS/applet (PID: 893)	AppleScript framework/component info plist opened: /System/Library/PrivateFrameworks/AppleScript.framework/Resources/Info.plist

Source: /bin/sh (PID: 923)

Grep executable: /usr/bin/grep -> grep -v Library

Source: /bin/sh (PID: 917)

Ps executable: /bin/ps -> ps auxc

Source: /bin/sh (PID: 919)

Curl executable: /usr/bin/curl -> curl http://diskmakerx.com/CurrentLDMVersion

Source: /usr/bin/open (PID: 892)	Launchservices plist file read: /System/Library/Preferences/Logging/Subsystems/com.apple.launchservices.plist			Jump to behavior
Source: /Volumes/DiskMaker X 9/DiskMaker X 9 for macOS Catalina.app/Contents/MacOS/applet (PID: 893)	Launchservices plist file read: /System/Library/Preferences/Logging/Subsystems/com.apple.launchservices.plist			Jump to behavior

Source: /Volumes/DiskMaker X 9/DiskMaker X 9 for macOS Catalina.app/Contents/MacOS/applet (PID: 893)	AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/Digital Hub Scripting.osax/Contents/Info.plist
Source: /Volumes/DiskMaker X 9/DiskMaker X 9 for macOS Catalina.app/Contents/MacOS/applet (PID: 893)	AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/Info.plist

Source: /Volumes/DiskMaker X 9/DiskMaker X 9 for macOS Catalina.app/Contents/MacOS/applet (PID: 894)	Shell command executed: sh -c echo $HOME
Source: /Volumes/DiskMaker X 9/DiskMaker X 9 for macOS Catalina.app/Contents/MacOS/applet (PID: 895)	Shell command executed: sh -c touch '/Users/berri'/Library/Logs/DiskMakerX.log
Source: /Volumes/DiskMaker X 9/DiskMaker X 9 for macOS Catalina.app/Contents/MacOS/applet (PID: 896)	Shell command executed: sh -c echo '--------------------------------------------------------------------------------' >> '/Users/berri'/Library/Logs/DiskMakerX.log
Source: /Volumes/DiskMaker X 9/DiskMaker X 9 for macOS Catalina.app/Contents/MacOS/applet (PID: 897)	Shell command executed: sh -c date >> '/Users/berri'/Library/Logs/DiskMakerX.log
Source: /Volumes/DiskMaker X 9/DiskMaker X 9 for macOS Catalina.app/Contents/MacOS/applet (PID: 899)	Shell command executed: sh -c echo 'Home Path: ' '/Users/berri'>> '/Users/berri'/Library/Logs/DiskMakerX.log
Source: /Volumes/DiskMaker X 9/DiskMaker X 9 for macOS Catalina.app/Contents/MacOS/applet (PID: 900)	Shell command executed: sh -c defaults read NSGlobalDomain AppleLanguages
Source: /Volumes/DiskMaker X 9/DiskMaker X 9 for macOS Catalina.app/Contents/MacOS/applet (PID: 901)	Shell command executed: sh -c echo 'Current Language: ' en-CH>> '/Users/berri'/Library/Logs/DiskMakerX.log
Source: /Volumes/DiskMaker X 9/DiskMaker X 9 for macOS Catalina.app/Contents/MacOS/applet (PID: 902)	Shell command executed: sh -c sw_vers -productVersion \| cut -c 1-4
Source: /Volumes/DiskMaker X 9/DiskMaker X 9 for macOS Catalina.app/Contents/MacOS/applet (PID: 905)	Shell command executed: sh -c sw_vers -productVersion \| cut -c 4-4
Source: /Volumes/DiskMaker X 9/DiskMaker X 9 for macOS Catalina.app/Contents/MacOS/applet (PID: 908)	Shell command executed: sh -c sw_vers -productVersion \| cut -c 1-5
Source: /Volumes/DiskMaker X 9/DiskMaker X 9 for macOS Catalina.app/Contents/MacOS/applet (PID: 911)	Shell command executed: sh -c sw_vers -productVersion \| cut -c 4-5
Source: /Volumes/DiskMaker X 9/DiskMaker X 9 for macOS Catalina.app/Contents/MacOS/applet (PID: 914)	Shell command executed: sh -c echo 'Current OS: ' 10.13>> '/Users/berri'/Library/Logs/DiskMakerX.log
Source: /Volumes/DiskMaker X 9/DiskMaker X 9 for macOS Catalina.app/Contents/MacOS/applet (PID: 915)	Shell command executed: sh -c id -G
Source: /Volumes/DiskMaker X 9/DiskMaker X 9 for macOS Catalina.app/Contents/MacOS/applet (PID: 916)	Shell command executed: sh -c echo 'Is this user an admin : ' true>> '/Users/berri'/Library/Logs/DiskMakerX.log
Source: /Volumes/DiskMaker X 9/DiskMaker X 9 for macOS Catalina.app/Contents/MacOS/applet (PID: 917)	Shell command executed: sh -c ps auxc
Source: /Volumes/DiskMaker X 9/DiskMaker X 9 for macOS Catalina.app/Contents/MacOS/applet (PID: 918)	Shell command executed: sh -c echo 'Path Finder launched : ' false>> '/Users/berri'/Library/Logs/DiskMakerX.log
Source: /Volumes/DiskMaker X 9/DiskMaker X 9 for macOS Catalina.app/Contents/MacOS/applet (PID: 919)	Shell command executed: sh -c curl http://diskmakerx.com/CurrentLDMVersion
Source: /Volumes/DiskMaker X 9/DiskMaker X 9 for macOS Catalina.app/Contents/MacOS/applet (PID: 920)	Shell command executed: sh -c echo 'Selected OS: ' 10.15>> '/Users/berri'/Library/Logs/DiskMakerX.log
Source: /Volumes/DiskMaker X 9/DiskMaker X 9 for macOS Catalina.app/Contents/MacOS/applet (PID: 921)	Shell command executed: sh -c mdfind -name 'Install macOS Catalina' \| grep -v Library \| head -1
Source: /Volumes/DiskMaker X 9/DiskMaker X 9 for macOS Catalina.app/Contents/MacOS/applet (PID: 925)	Shell command executed: sh -c echo '' \| wc -l

Source: /bin/sh (PID: 895)

Touch executable: /usr/bin/touch -> touch /Users/berri/Library/Logs/DiskMakerX.log

Source: /bin/sh (PID: 895)	Shell process: touch /Users/berri/Library/Logs/DiskMakerX.log
Source: /bin/sh (PID: 898)	Shell process: date
Source: /bin/sh (PID: 900)	Shell process: defaults read NSGlobalDomain AppleLanguages
Source: /bin/sh (PID: 903)	Shell process: sw_vers -productVersion
Source: /bin/sh (PID: 904)	Shell process: cut -c 1-4
Source: /bin/sh (PID: 906)	Shell process: sw_vers -productVersion
Source: /bin/sh (PID: 907)	Shell process: cut -c 4-4
Source: /bin/sh (PID: 909)	Shell process: sw_vers -productVersion
Source: /bin/sh (PID: 910)	Shell process: cut -c 1-5
Source: /bin/sh (PID: 912)	Shell process: sw_vers -productVersion
Source: /bin/sh (PID: 913)	Shell process: cut -c 4-5
Source: /bin/sh (PID: 915)	Shell process: id -G
Source: /bin/sh (PID: 917)	Shell process: ps auxc
Source: /bin/sh (PID: 919)	Shell process: curl http://diskmakerx.com/CurrentLDMVersion
Source: /bin/sh (PID: 922)	Shell process: mdfind -name Install macOS Catalina
Source: /bin/sh (PID: 923)	Shell process: grep -v Library
Source: /bin/sh (PID: 924)	Shell process: head -1
Source: /bin/sh (PID: 927)	Shell process: wc -l

Source: /Volumes/DiskMaker X 9/DiskMaker X 9 for macOS Catalina.app/Contents/MacOS/applet (PID: 893)

AppleKeyboardLayouts info plist opened: /System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Info.plist

Source: /Volumes/DiskMaker X 9/DiskMaker X 9 for macOS Catalina.app/Contents/MacOS/applet (PID: 893)

Random device file read: /dev/random

Jump to behavior

Source: /bin/sh (PID: 896)	Log file created: /Users/berri/Library/Logs/DiskMakerX.log
Source: /bin/date (PID: 898)	Log file created: /Users/berri/Library/Logs/DiskMakerX.log
Source: /bin/sh (PID: 899)	Log file created: /Users/berri/Library/Logs/DiskMakerX.log
Source: /bin/sh (PID: 901)	Log file created: /Users/berri/Library/Logs/DiskMakerX.log
Source: /bin/sh (PID: 914)	Log file created: /Users/berri/Library/Logs/DiskMakerX.log
Source: /bin/sh (PID: 916)	Log file created: /Users/berri/Library/Logs/DiskMakerX.log
Source: /bin/sh (PID: 918)	Log file created: /Users/berri/Library/Logs/DiskMakerX.log
Source: /bin/sh (PID: 920)	Log file created: /Users/berri/Library/Logs/DiskMakerX.log	Jump to dropped file

Source: submission

CodeSign Info: Executable=/Volumes/DiskMaker X 9/DiskMaker X 9 for macOS Catalina.app/Contents/MacOS/applet

Source: /Volumes/DiskMaker X 9/DiskMaker X 9 for macOS Catalina.app/Contents/MacOS/applet (PID: 893)

Sysctl read request: kern.safeboot (1.66)

Source: /Volumes/DiskMaker X 9/DiskMaker X 9 for macOS Catalina.app/Contents/MacOS/applet (PID: 893)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 894)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 895)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 896)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 897)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 899)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 900)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 901)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 902)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 905)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 908)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 911)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 914)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 915)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 916)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 917)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 918)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 919)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 920)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 921)	Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 925)	Sysctl requested: kern.hostname (1.10)

Source: /Volumes/DiskMaker X 9/DiskMaker X 9 for macOS Catalina.app/Contents/MacOS/applet (PID: 893)

Sysctl read request: kern.osversion (1.65)

Source: /bin/sh (PID: 903)	sw_vers executed: sw_vers -productVersion
Source: /bin/sh (PID: 906)	sw_vers executed: sw_vers -productVersion
Source: /bin/sh (PID: 909)	sw_vers executed: sw_vers -productVersion
Source: /bin/sh (PID: 912)	sw_vers executed: sw_vers -productVersion

Source: /Volumes/DiskMaker X 9/DiskMaker X 9 for macOS Catalina.app/Contents/MacOS/applet (PID: 893)	Sysctl read request: hw.availcpu (6.25)
Source: /bin/ps (PID: 917)	Sysctl read request: hw.memsize (6.24)

Source: /Volumes/DiskMaker X 9/DiskMaker X 9 for macOS Catalina.app/Contents/MacOS/applet (PID: 893)	Sysctl requested: kern.ostype (1.1)
Source: /Volumes/DiskMaker X 9/DiskMaker X 9 for macOS Catalina.app/Contents/MacOS/applet (PID: 893)	Sysctl requested: kern.osrelease (1.2)

Source: /usr/bin/open (PID: 892)	System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist	Jump to behavior
Source: /Volumes/DiskMaker X 9/DiskMaker X 9 for macOS Catalina.app/Contents/MacOS/applet (PID: 893)	System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist	Jump to behavior
Source: /usr/bin/sw_vers (PID: 903)	System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist	Jump to behavior
Source: /usr/bin/sw_vers (PID: 906)	System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist	Jump to behavior
Source: /usr/bin/sw_vers (PID: 909)	System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist	Jump to behavior
Source: /usr/bin/sw_vers (PID: 912)	System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist	Jump to behavior

Source: /bin/sh (PID: 900)

Defaults executable: /usr/bin/defaults defaults read NSGlobalDomain AppleLanguages

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Command and Scripting Interpreter	Path Interception	Path Interception	1 Scripting	OS Credential Dumping	1 Process Discovery	Remote Services	Data from Local System	1 Exfiltration Over Alternative Protocol	2 Non-Application Layer Protocol	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	1 Scripting	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Invalid Code Signature	LSASS Memory	71 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	2 Application Layer Protocol	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	2 AppleScript	Logon Script (Windows)	Logon Script (Windows)	1 Code Signing	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	1 Ingress Tool Transfer	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	1 Indicator Removal on Host	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Shell
Is malicious
Internet

Source	Detection	Scanner	Label	Link
DiskMaker_X_9.dmg	0%	Virustotal		Browse
DiskMaker_X_9.dmg	0%	ReversingLabs

Name	IP	Active	Malicious	Antivirus Detection	Reputation
diskmakerx.com	217.160.0.214	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://diskmakerx.com/CurrentLDMVersion	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
217.160.0.214	diskmakerx.com	Germany		8560	ONEANDONE-ASBrauerstrasse48DE	false
23.3.109.8	unknown	United States		16625	AKAMAI-ASUS	false

Process:	/bin/sh
File Type:	ASCII text
Category:	dropped
Size (bytes):	20
Entropy (8bit):	3.6464393446710153
Encrypted:	false
SSDEEP:	3:OXzXWvn:IzXo
MD5:	5456759709FDB066DD6FC29CA0751702
SHA1:	0253BE8E7FF5EE7F6AD9F01F95F6988E6525DF38
SHA-256:	9E7B97BCE2F45EA25FE4BE592806D7EAE6C71356CD865C49974AC52A36EF7331
SHA-512:	543A19CD3CCA27E49A5D9C3A53A394A908C3ECC63E5C9C8C0FAD0E3FD86725389FEBACC7E4AE36DE0BDFE402484FE56C11EA242AE2CDC2EB6CECA4238A2927A2
Malicious:	false
Reputation:	low
Preview:	Selected OS: 10.15.

/dev/null

Download File

Process:	/Volumes/DiskMaker X 9/DiskMaker X 9 for macOS Catalina.app/Contents/MacOS/applet
File Type:	ASCII text
Category:	dropped
Size (bytes):	61
Entropy (8bit):	4.699271510042169
Encrypted:	false
SSDEEP:	3:tXjtFD9VjAYeWw/3WOv:Rtt38YeIA
MD5:	902395083896E7D5B0D0C4280499D7C3
SHA1:	C8702D829D55507A55A9C7DA21BD7E76679966D3
SHA-256:	4CD214575863D93C3DFAD5376B7D1E5CD60C0FC8E6CF0C8EE06D9BB0FF3F865F
SHA-512:	8B6686383DE9497311B57D051F9CC15E39AA304AE158F8BC343D056486227A187B1488E314E2D29FAA9ACA1886B60FDD15366BD0946D3FB0D31001C0A8C07029
Malicious:	false
Reputation:	low
Preview:	2022-11-29 17:39:43.539 applet[893:7154] ApplePersistence=NO.

Static File Info

General

File type:	bzip2 compressed data, block size = 100k
Entropy (8bit):	7.999667829376183
TrID:	Disk Image (Macintosh), bzip2 (12509/2) 80.61% bzip2 compressed archive (3009/2) 19.39%
File name:	DiskMaker_X_9.dmg
File size:	6272758
MD5:	d575c6a40278340f092a6fc4e26e4d11
SHA1:	87d92610155135621014afefa88d8b6c9ad5f0ed
SHA256:	96845cd375543401b822fb4e17d2ecc300fcb621f56afcdad613ae11c9afddce
SHA512:	f18cf8eee40b9c1cfe1a2141ffd6e59e36f34fb7908ffb5383847b45bc0b5571efd4c80c2969409744274c744e6124dd3d2a62d408501d71ceb8bab7f4585d3f
SSDEEP:	98304:SqTiPyIC9pzheDyGVPAJBajoIz82jt58wb9TmzV4C1V5zw7NSmj5TGdjFOIZRZ/d:fTiaPpAVPAJwA68wb9adjwgiFG5F7PZq
TLSH:	F95633367A1CFC39EC61DA7657CB827FEF5B29C38A52534029766B81077B3A42B31460
File Content Preview:	BZh11AY&SY...[...G........@.. .1....%......H.......`BZh11AY&SY"4e........P.@....BH..... .@... .u..2....i.6..P....Tq.w.&...8...:.H.... .F#.X.Ou.......-...:..@.?...cN&..K@.I/...N.$...~@BZh91AY&SYTtL...e......................................R(+..=.......yuA.

CodeSign Information

["Executable=/Volumes/DiskMaker X 9/DiskMaker X 9 for macOS Catalina.app/Contents/MacOS/applet","Identifier=net.gete.diskmakerx9","Format=app bundle with Mach-O universal (i386 x86_64)","CodeDirectory v=20200 size=276 flags=0x0(none) hashes=3+3 location=embedded","OSPlatform=36","OSSDKVersion=658944","OSVersionMin=656896","Hash type=sha256 size=32","CandidateCDHash sha1=67b9d3189b9ac47dd75aacb62b20282b9a8e9409","CandidateCDHash sha256=04a0e36d088dfe3b5b706bf0cf1f0ea0a9d4d06a","Hash choices=sha1,sha256","Page size=4096","CDHash=04a0e36d088dfe3b5b706bf0cf1f0ea0a9d4d06a","Signature size=9009","Authority=Developer ID Application: Guillaume Gete (2U4ZFMT67D)","Authority=Developer ID Certification Authority","Authority=Apple Root CA","Timestamp=23 Nov 2019 at 23:49:57","Info.plist entries=27","TeamIdentifier=2U4ZFMT67D","Sealed Resources version=2 rules=13 files=18","Internal requirements count=1 size=180"]

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 29, 2022 16:38:57.926403046 CET	49295	80	192.168.11.11	17.253.15.203
Nov 29, 2022 16:38:57.926485062 CET	49296	80	192.168.11.11	23.3.109.8
Nov 29, 2022 16:38:57.935100079 CET	80	49295	17.253.15.203	192.168.11.11
Nov 29, 2022 16:38:57.935467958 CET	49295	80	192.168.11.11	17.253.15.203
Nov 29, 2022 16:38:57.937231064 CET	80	49296	23.3.109.8	192.168.11.11
Nov 29, 2022 16:38:57.937644958 CET	49296	80	192.168.11.11	23.3.109.8
Nov 29, 2022 16:39:51.792793989 CET	49304	80	192.168.11.11	217.160.0.214
Nov 29, 2022 16:39:51.808228016 CET	80	49304	217.160.0.214	192.168.11.11
Nov 29, 2022 16:39:51.809422970 CET	49304	80	192.168.11.11	217.160.0.214
Nov 29, 2022 16:39:51.809694052 CET	49304	80	192.168.11.11	217.160.0.214
Nov 29, 2022 16:39:51.824779987 CET	80	49304	217.160.0.214	192.168.11.11
Nov 29, 2022 16:39:51.829534054 CET	80	49304	217.160.0.214	192.168.11.11
Nov 29, 2022 16:39:51.830768108 CET	49304	80	192.168.11.11	217.160.0.214
Nov 29, 2022 16:39:51.833475113 CET	49304	80	192.168.11.11	217.160.0.214
Nov 29, 2022 16:39:51.848671913 CET	80	49304	217.160.0.214	192.168.11.11
Nov 29, 2022 16:39:51.849123001 CET	49304	80	192.168.11.11	217.160.0.214

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 29, 2022 16:39:16.869143963 CET	137	137	192.168.11.11	192.168.11.255
Nov 29, 2022 16:39:51.757548094 CET	54754	53	192.168.11.11	1.1.1.1
Nov 29, 2022 16:39:51.778717041 CET	53	54754	1.1.1.1	192.168.11.11
Nov 29, 2022 16:40:02.343899965 CET	53	60749	1.1.1.1	192.168.11.11
Nov 29, 2022 16:40:02.344352007 CET	53	52293	1.1.1.1	192.168.11.11
Nov 29, 2022 16:40:02.348738909 CET	53	60772	1.1.1.1	192.168.11.11
Nov 29, 2022 16:40:02.349389076 CET	53	63076	1.1.1.1	192.168.11.11
Nov 29, 2022 16:40:02.353365898 CET	53	57453	1.1.1.1	192.168.11.11
Nov 29, 2022 16:40:02.356688976 CET	53	64569	1.1.1.1	192.168.11.11
Nov 29, 2022 16:40:02.358203888 CET	60014	137	192.168.11.11	192.168.11.255
Nov 29, 2022 16:40:02.862602949 CET	60014	137	192.168.11.11	192.168.11.255
Nov 29, 2022 16:40:03.481086016 CET	58377	137	192.168.11.11	192.168.11.255
Nov 29, 2022 16:40:03.986871958 CET	58377	137	192.168.11.11	192.168.11.255
Nov 29, 2022 16:41:06.059134960 CET	53	57453	1.1.1.1	192.168.11.11
Nov 29, 2022 16:41:06.059195995 CET	53	64569	1.1.1.1	192.168.11.11
Nov 29, 2022 16:41:06.061727047 CET	53	60772	1.1.1.1	192.168.11.11

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Code	Type
Nov 29, 2022 16:40:02.344682932 CET	192.168.11.11	1.1.1.1	f37	(Port unreachable)	Destination Unreachable
Nov 29, 2022 16:40:02.344683886 CET	192.168.11.11	1.1.1.1	3040	(Port unreachable)	Destination Unreachable
Nov 29, 2022 16:40:02.349873066 CET	192.168.11.11	1.1.1.1	620	(Port unreachable)	Destination Unreachable

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 29, 2022 16:39:51.757548094 CET	192.168.11.11	1.1.1.1	0x6cf2	Standard query (0)	diskmakerx.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 29, 2022 16:39:51.778717041 CET	1.1.1.1	192.168.11.11	0x6cf2	No error (0)	diskmakerx.com		217.160.0.214	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

diskmakerx.com

System Behavior

Analysis Process: mono-sgen32 PID: 892, Parent PID: 812

General

Start time:	16:39:43
Start date:	29/11/2022
Path:	/Library/Frameworks/Mono.framework/Versions/4.4.2/bin/mono-sgen32
Arguments:	n/a
File size:	3722408 bytes
MD5 hash:	8910349f44a940d8d79318367855b236

Analysis Process: open PID: 892, Parent PID: 812

General

Start time:	16:39:43
Start date:	29/11/2022
Path:	/usr/bin/open
Arguments:
File size:	105952 bytes
MD5 hash:	40ed6d8f35c9f20484b97582d296398f

Analysis Process: xpcproxy PID: 893, Parent PID: 1

General

Start time:	16:39:43
Start date:	29/11/2022
Path:	/usr/libexec/xpcproxy
Arguments:	n/a
File size:	43488 bytes
MD5 hash:	d1bb9a4899f0af921e8188218b20d744

Analysis Process: applet PID: 893, Parent PID: 1

General

Start time:	16:39:43
Start date:	29/11/2022
Path:	/Volumes/DiskMaker X 9/DiskMaker X 9 for macOS Catalina.app/Contents/MacOS/applet
Arguments:	/Volumes/DiskMaker X 9/DiskMaker X 9 for macOS Catalina.app/Contents/MacOS/applet
File size:	60192 bytes
MD5 hash:	0717bb720584b8dc860a0b9e235dd447

Analysis Process: applet PID: 894, Parent PID: 893

General

Start time:	16:39:43
Start date:	29/11/2022
Path:	/Volumes/DiskMaker X 9/DiskMaker X 9 for macOS Catalina.app/Contents/MacOS/applet
Arguments:	n/a
File size:	60192 bytes
MD5 hash:	0717bb720584b8dc860a0b9e235dd447

Analysis Process: sh PID: 894, Parent PID: 893

General

Start time:	16:39:44
Start date:	29/11/2022
Path:	/bin/sh
Arguments:	sh -c echo $HOME
File size:	618512 bytes
MD5 hash:	8aa60b22a5d30418a002b340989384dc

Analysis Process: applet PID: 895, Parent PID: 893

General

Start time:	16:39:44
Start date:	29/11/2022
Path:	/Volumes/DiskMaker X 9/DiskMaker X 9 for macOS Catalina.app/Contents/MacOS/applet
Arguments:	n/a
File size:	60192 bytes
MD5 hash:	0717bb720584b8dc860a0b9e235dd447

Analysis Process: sh PID: 895, Parent PID: 893

General

Start time:	16:39:44
Start date:	29/11/2022
Path:	/bin/sh
Arguments:	sh -c touch '/Users/berri'/Library/Logs/DiskMakerX.log
File size:	618512 bytes
MD5 hash:	8aa60b22a5d30418a002b340989384dc

Analysis Process: touch PID: 895, Parent PID: 893

General

Start time:	16:39:44
Start date:	29/11/2022
Path:	/usr/bin/touch
Arguments:	touch /Users/berri/Library/Logs/DiskMakerX.log
File size:	23376 bytes
MD5 hash:	4aacabad02929f18b00a9b6ef85e0605

Analysis Process: applet PID: 896, Parent PID: 893

General

Start time:	16:39:44
Start date:	29/11/2022
Path:	/Volumes/DiskMaker X 9/DiskMaker X 9 for macOS Catalina.app/Contents/MacOS/applet
Arguments:	n/a
File size:	60192 bytes
MD5 hash:	0717bb720584b8dc860a0b9e235dd447

Analysis Process: sh PID: 896, Parent PID: 893

General

Start time:	16:39:44
Start date:	29/11/2022
Path:	/bin/sh
Arguments:	sh -c echo '--------------------------------------------------------------------------------' >> '/Users/berri'/Library/Logs/DiskMakerX.log
File size:	618512 bytes
MD5 hash:	8aa60b22a5d30418a002b340989384dc

Analysis Process: applet PID: 897, Parent PID: 893

General

Start time:	16:39:44
Start date:	29/11/2022
Path:	/Volumes/DiskMaker X 9/DiskMaker X 9 for macOS Catalina.app/Contents/MacOS/applet
Arguments:	n/a
File size:	60192 bytes
MD5 hash:	0717bb720584b8dc860a0b9e235dd447

Analysis Process: sh PID: 897, Parent PID: 893

General

Start time:	16:39:44
Start date:	29/11/2022
Path:	/bin/sh
Arguments:	sh -c date >> '/Users/berri'/Library/Logs/DiskMakerX.log
File size:	618512 bytes
MD5 hash:	8aa60b22a5d30418a002b340989384dc

Analysis Process: sh PID: 898, Parent PID: 897

General

Start time:	16:39:44
Start date:	29/11/2022
Path:	/bin/sh
Arguments:	n/a
File size:	618512 bytes
MD5 hash:	8aa60b22a5d30418a002b340989384dc

Analysis Process: date PID: 898, Parent PID: 897

General

Start time:	16:39:44
Start date:	29/11/2022
Path:	/bin/date
Arguments:	date
File size:	28592 bytes
MD5 hash:	e1d20c480fcdc1ac4646170b1d9ca7c7

Analysis Process: applet PID: 899, Parent PID: 893

General

Start time:	16:39:44
Start date:	29/11/2022
Path:	/Volumes/DiskMaker X 9/DiskMaker X 9 for macOS Catalina.app/Contents/MacOS/applet
Arguments:	n/a
File size:	60192 bytes
MD5 hash:	0717bb720584b8dc860a0b9e235dd447

Analysis Process: sh PID: 899, Parent PID: 893

General

Start time:	16:39:44
Start date:	29/11/2022
Path:	/bin/sh
Arguments:	sh -c echo 'Home Path: ' '/Users/berri'>> '/Users/berri'/Library/Logs/DiskMakerX.log
File size:	618512 bytes
MD5 hash:	8aa60b22a5d30418a002b340989384dc

Analysis Process: applet PID: 900, Parent PID: 893

General

Start time:	16:39:44
Start date:	29/11/2022
Path:	/Volumes/DiskMaker X 9/DiskMaker X 9 for macOS Catalina.app/Contents/MacOS/applet
Arguments:	n/a
File size:	60192 bytes
MD5 hash:	0717bb720584b8dc860a0b9e235dd447

Analysis Process: sh PID: 900, Parent PID: 893

General

Start time:	16:39:44
Start date:	29/11/2022
Path:	/bin/sh
Arguments:	sh -c defaults read NSGlobalDomain AppleLanguages
File size:	618512 bytes
MD5 hash:	8aa60b22a5d30418a002b340989384dc

Analysis Process: defaults PID: 900, Parent PID: 893

General

Start time:	16:39:44
Start date:	29/11/2022
Path:	/usr/bin/defaults
Arguments:	defaults read NSGlobalDomain AppleLanguages
File size:	39472 bytes
MD5 hash:	831678c94c2d9c647bf3d283b1861bda

Analysis Process: applet PID: 901, Parent PID: 893

General

Start time:	16:39:50
Start date:	29/11/2022
Path:	/Volumes/DiskMaker X 9/DiskMaker X 9 for macOS Catalina.app/Contents/MacOS/applet
Arguments:	n/a
File size:	60192 bytes
MD5 hash:	0717bb720584b8dc860a0b9e235dd447

Analysis Process: sh PID: 901, Parent PID: 893

General

Start time:	16:39:50
Start date:	29/11/2022
Path:	/bin/sh
Arguments:	sh -c echo 'Current Language: ' en-CH>> '/Users/berri'/Library/Logs/DiskMakerX.log
File size:	618512 bytes
MD5 hash:	8aa60b22a5d30418a002b340989384dc

Analysis Process: applet PID: 902, Parent PID: 893

General

Start time:	16:39:50
Start date:	29/11/2022
Path:	/Volumes/DiskMaker X 9/DiskMaker X 9 for macOS Catalina.app/Contents/MacOS/applet
Arguments:	n/a
File size:	60192 bytes
MD5 hash:	0717bb720584b8dc860a0b9e235dd447

Analysis Process: sh PID: 902, Parent PID: 893

General

Start time:	16:39:50
Start date:	29/11/2022
Path:	/bin/sh
Arguments:	sh -c sw_vers -productVersion \| cut -c 1-4
File size:	618512 bytes
MD5 hash:	8aa60b22a5d30418a002b340989384dc

Analysis Process: sh PID: 903, Parent PID: 902

General

Start time:	16:39:50
Start date:	29/11/2022
Path:	/bin/sh
Arguments:	n/a
File size:	618512 bytes
MD5 hash:	8aa60b22a5d30418a002b340989384dc

Analysis Process: sw_vers PID: 903, Parent PID: 902

General

Start time:	16:39:50
Start date:	29/11/2022
Path:	/usr/bin/sw_vers
Arguments:	sw_vers -productVersion
File size:	18848 bytes
MD5 hash:	d33f7f9efd4158694d0d58879b54f89d

Analysis Process: sh PID: 904, Parent PID: 902

General

Start time:	16:39:50
Start date:	29/11/2022
Path:	/bin/sh
Arguments:	n/a
File size:	618512 bytes
MD5 hash:	8aa60b22a5d30418a002b340989384dc

Analysis Process: cut PID: 904, Parent PID: 902

General

Start time:	16:39:50
Start date:	29/11/2022
Path:	/usr/bin/cut
Arguments:	cut -c 1-4
File size:	23712 bytes
MD5 hash:	e27c92637d672468ea846d377b500eb1

Analysis Process: applet PID: 905, Parent PID: 893

General

Start time:	16:39:50
Start date:	29/11/2022
Path:	/Volumes/DiskMaker X 9/DiskMaker X 9 for macOS Catalina.app/Contents/MacOS/applet
Arguments:	n/a
File size:	60192 bytes
MD5 hash:	0717bb720584b8dc860a0b9e235dd447

Analysis Process: sh PID: 905, Parent PID: 893

General

Start time:	16:39:50
Start date:	29/11/2022
Path:	/bin/sh
Arguments:	sh -c sw_vers -productVersion \| cut -c 4-4
File size:	618512 bytes
MD5 hash:	8aa60b22a5d30418a002b340989384dc

Analysis Process: sh PID: 906, Parent PID: 905

General

Start time:	16:39:50
Start date:	29/11/2022
Path:	/bin/sh
Arguments:	n/a
File size:	618512 bytes
MD5 hash:	8aa60b22a5d30418a002b340989384dc

Analysis Process: sw_vers PID: 906, Parent PID: 905

General

Start time:	16:39:50
Start date:	29/11/2022
Path:	/usr/bin/sw_vers
Arguments:	sw_vers -productVersion
File size:	18848 bytes
MD5 hash:	d33f7f9efd4158694d0d58879b54f89d

Analysis Process: sh PID: 907, Parent PID: 905

General

Start time:	16:39:50
Start date:	29/11/2022
Path:	/bin/sh
Arguments:	n/a
File size:	618512 bytes
MD5 hash:	8aa60b22a5d30418a002b340989384dc

Analysis Process: cut PID: 907, Parent PID: 905

General

Start time:	16:39:50
Start date:	29/11/2022
Path:	/usr/bin/cut
Arguments:	cut -c 4-4
File size:	23712 bytes
MD5 hash:	e27c92637d672468ea846d377b500eb1

Analysis Process: applet PID: 908, Parent PID: 893

General

Start time:	16:39:50
Start date:	29/11/2022
Path:	/Volumes/DiskMaker X 9/DiskMaker X 9 for macOS Catalina.app/Contents/MacOS/applet
Arguments:	n/a
File size:	60192 bytes
MD5 hash:	0717bb720584b8dc860a0b9e235dd447

Analysis Process: sh PID: 908, Parent PID: 893

General

Start time:	16:39:50
Start date:	29/11/2022
Path:	/bin/sh
Arguments:	sh -c sw_vers -productVersion \| cut -c 1-5
File size:	618512 bytes
MD5 hash:	8aa60b22a5d30418a002b340989384dc

Analysis Process: sh PID: 909, Parent PID: 908

General

Start time:	16:39:50
Start date:	29/11/2022
Path:	/bin/sh
Arguments:	n/a
File size:	618512 bytes
MD5 hash:	8aa60b22a5d30418a002b340989384dc

Analysis Process: sw_vers PID: 909, Parent PID: 908

General

Start time:	16:39:50
Start date:	29/11/2022
Path:	/usr/bin/sw_vers
Arguments:	sw_vers -productVersion
File size:	18848 bytes
MD5 hash:	d33f7f9efd4158694d0d58879b54f89d

Analysis Process: sh PID: 910, Parent PID: 908

General

Start time:	16:39:50
Start date:	29/11/2022
Path:	/bin/sh
Arguments:	n/a
File size:	618512 bytes
MD5 hash:	8aa60b22a5d30418a002b340989384dc

Analysis Process: cut PID: 910, Parent PID: 908

General

Start time:	16:39:50
Start date:	29/11/2022
Path:	/usr/bin/cut
Arguments:	cut -c 1-5
File size:	23712 bytes
MD5 hash:	e27c92637d672468ea846d377b500eb1

Analysis Process: applet PID: 911, Parent PID: 893

General

Start time:	16:39:50
Start date:	29/11/2022
Path:	/Volumes/DiskMaker X 9/DiskMaker X 9 for macOS Catalina.app/Contents/MacOS/applet
Arguments:	n/a
File size:	60192 bytes
MD5 hash:	0717bb720584b8dc860a0b9e235dd447

Analysis Process: sh PID: 911, Parent PID: 893

General

Start time:	16:39:50
Start date:	29/11/2022
Path:	/bin/sh
Arguments:	sh -c sw_vers -productVersion \| cut -c 4-5
File size:	618512 bytes
MD5 hash:	8aa60b22a5d30418a002b340989384dc

Analysis Process: sh PID: 912, Parent PID: 911

General

Start time:	16:39:50
Start date:	29/11/2022
Path:	/bin/sh
Arguments:	n/a
File size:	618512 bytes
MD5 hash:	8aa60b22a5d30418a002b340989384dc

Analysis Process: sw_vers PID: 912, Parent PID: 911

General

Start time:	16:39:50
Start date:	29/11/2022
Path:	/usr/bin/sw_vers
Arguments:	sw_vers -productVersion
File size:	18848 bytes
MD5 hash:	d33f7f9efd4158694d0d58879b54f89d

Analysis Process: sh PID: 913, Parent PID: 911

General

Start time:	16:39:50
Start date:	29/11/2022
Path:	/bin/sh
Arguments:	n/a
File size:	618512 bytes
MD5 hash:	8aa60b22a5d30418a002b340989384dc

Analysis Process: cut PID: 913, Parent PID: 911

General

Start time:	16:39:50
Start date:	29/11/2022
Path:	/usr/bin/cut
Arguments:	cut -c 4-5
File size:	23712 bytes
MD5 hash:	e27c92637d672468ea846d377b500eb1

Analysis Process: applet PID: 914, Parent PID: 893

General

Start time:	16:39:50
Start date:	29/11/2022
Path:	/Volumes/DiskMaker X 9/DiskMaker X 9 for macOS Catalina.app/Contents/MacOS/applet
Arguments:	n/a
File size:	60192 bytes
MD5 hash:	0717bb720584b8dc860a0b9e235dd447

Analysis Process: sh PID: 914, Parent PID: 893

General

Start time:	16:39:50
Start date:	29/11/2022
Path:	/bin/sh
Arguments:	sh -c echo 'Current OS: ' 10.13>> '/Users/berri'/Library/Logs/DiskMakerX.log
File size:	618512 bytes
MD5 hash:	8aa60b22a5d30418a002b340989384dc

Analysis Process: applet PID: 915, Parent PID: 893

General

Start time:	16:39:50
Start date:	29/11/2022
Path:	/Volumes/DiskMaker X 9/DiskMaker X 9 for macOS Catalina.app/Contents/MacOS/applet
Arguments:	n/a
File size:	60192 bytes
MD5 hash:	0717bb720584b8dc860a0b9e235dd447

Analysis Process: sh PID: 915, Parent PID: 893

General

Start time:	16:39:50
Start date:	29/11/2022
Path:	/bin/sh
Arguments:	sh -c id -G
File size:	618512 bytes
MD5 hash:	8aa60b22a5d30418a002b340989384dc

Analysis Process: id PID: 915, Parent PID: 893

General

Start time:	16:39:50
Start date:	29/11/2022
Path:	/usr/bin/id
Arguments:	id -G
File size:	23248 bytes
MD5 hash:	24c45eb23e1aae68c572939d1a906018

Analysis Process: applet PID: 916, Parent PID: 893

General

Start time:	16:39:50
Start date:	29/11/2022
Path:	/Volumes/DiskMaker X 9/DiskMaker X 9 for macOS Catalina.app/Contents/MacOS/applet
Arguments:	n/a
File size:	60192 bytes
MD5 hash:	0717bb720584b8dc860a0b9e235dd447

Analysis Process: sh PID: 916, Parent PID: 893

General

Start time:	16:39:50
Start date:	29/11/2022
Path:	/bin/sh
Arguments:	sh -c echo 'Is this user an admin : ' true>> '/Users/berri'/Library/Logs/DiskMakerX.log
File size:	618512 bytes
MD5 hash:	8aa60b22a5d30418a002b340989384dc

Analysis Process: applet PID: 917, Parent PID: 893

General

Start time:	16:39:50
Start date:	29/11/2022
Path:	/Volumes/DiskMaker X 9/DiskMaker X 9 for macOS Catalina.app/Contents/MacOS/applet
Arguments:	n/a
File size:	60192 bytes
MD5 hash:	0717bb720584b8dc860a0b9e235dd447

Analysis Process: sh PID: 917, Parent PID: 893

General

Start time:	16:39:50
Start date:	29/11/2022
Path:	/bin/sh
Arguments:	sh -c ps auxc
File size:	618512 bytes
MD5 hash:	8aa60b22a5d30418a002b340989384dc

Analysis Process: ps PID: 917, Parent PID: 893

General

Start time:	16:39:50
Start date:	29/11/2022
Path:	/bin/ps
Arguments:	ps auxc
File size:	51280 bytes
MD5 hash:	792e18b1417ac1f184680d2423206e4f

Analysis Process: applet PID: 918, Parent PID: 893

General

Start time:	16:39:51
Start date:	29/11/2022
Path:	/Volumes/DiskMaker X 9/DiskMaker X 9 for macOS Catalina.app/Contents/MacOS/applet
Arguments:	n/a
File size:	60192 bytes
MD5 hash:	0717bb720584b8dc860a0b9e235dd447

Analysis Process: sh PID: 918, Parent PID: 893

General

Start time:	16:39:51
Start date:	29/11/2022
Path:	/bin/sh
Arguments:	sh -c echo 'Path Finder launched : ' false>> '/Users/berri'/Library/Logs/DiskMakerX.log
File size:	618512 bytes
MD5 hash:	8aa60b22a5d30418a002b340989384dc

Analysis Process: applet PID: 919, Parent PID: 893

General

Start time:	16:39:51
Start date:	29/11/2022
Path:	/Volumes/DiskMaker X 9/DiskMaker X 9 for macOS Catalina.app/Contents/MacOS/applet
Arguments:	n/a
File size:	60192 bytes
MD5 hash:	0717bb720584b8dc860a0b9e235dd447

Analysis Process: sh PID: 919, Parent PID: 893

General

Start time:	16:39:51
Start date:	29/11/2022
Path:	/bin/sh
Arguments:	sh -c curl http://diskmakerx.com/CurrentLDMVersion
File size:	618512 bytes
MD5 hash:	8aa60b22a5d30418a002b340989384dc

Analysis Process: curl PID: 919, Parent PID: 893

General

Start time:	16:39:51
Start date:	29/11/2022
Path:	/usr/bin/curl
Arguments:	curl http://diskmakerx.com/CurrentLDMVersion
File size:	185104 bytes
MD5 hash:	078cd73f58d3d8f875eed22522ff73f7

Analysis Process: applet PID: 920, Parent PID: 893

General

Start time:	16:39:51
Start date:	29/11/2022
Path:	/Volumes/DiskMaker X 9/DiskMaker X 9 for macOS Catalina.app/Contents/MacOS/applet
Arguments:	n/a
File size:	60192 bytes
MD5 hash:	0717bb720584b8dc860a0b9e235dd447

Analysis Process: sh PID: 920, Parent PID: 893

General

Start time:	16:39:51
Start date:	29/11/2022
Path:	/bin/sh
Arguments:	sh -c echo 'Selected OS: ' 10.15>> '/Users/berri'/Library/Logs/DiskMakerX.log
File size:	618512 bytes
MD5 hash:	8aa60b22a5d30418a002b340989384dc

Analysis Process: applet PID: 921, Parent PID: 893

General

Start time:	16:39:57
Start date:	29/11/2022
Path:	/Volumes/DiskMaker X 9/DiskMaker X 9 for macOS Catalina.app/Contents/MacOS/applet
Arguments:	n/a
File size:	60192 bytes
MD5 hash:	0717bb720584b8dc860a0b9e235dd447

Analysis Process: sh PID: 921, Parent PID: 893

General

Start time:	16:39:57
Start date:	29/11/2022
Path:	/bin/sh
Arguments:	sh -c mdfind -name 'Install macOS Catalina' \| grep -v Library \| head -1
File size:	618512 bytes
MD5 hash:	8aa60b22a5d30418a002b340989384dc

Analysis Process: sh PID: 922, Parent PID: 921

General

Start time:	16:39:57
Start date:	29/11/2022
Path:	/bin/sh
Arguments:	n/a
File size:	618512 bytes
MD5 hash:	8aa60b22a5d30418a002b340989384dc

Analysis Process: mdfind PID: 922, Parent PID: 921

General

Start time:	16:39:57
Start date:	29/11/2022
Path:	/usr/bin/mdfind
Arguments:	mdfind -name Install macOS Catalina
File size:	29280 bytes
MD5 hash:	84f3a3da590e65271df7fecb27671fac

Analysis Process: sh PID: 923, Parent PID: 921

General

Start time:	16:39:57
Start date:	29/11/2022
Path:	/bin/sh
Arguments:	n/a
File size:	618512 bytes
MD5 hash:	8aa60b22a5d30418a002b340989384dc

Analysis Process: grep PID: 923, Parent PID: 921

General

Start time:	16:39:57
Start date:	29/11/2022
Path:	/usr/bin/grep
Arguments:	grep -v Library
File size:	33936 bytes
MD5 hash:	2b3efb273296881708ea2914c612e0eb

Analysis Process: sh PID: 924, Parent PID: 921

General

Start time:	16:39:57
Start date:	29/11/2022
Path:	/bin/sh
Arguments:	n/a
File size:	618512 bytes
MD5 hash:	8aa60b22a5d30418a002b340989384dc

Analysis Process: head PID: 924, Parent PID: 921

General

Start time:	16:39:57
Start date:	29/11/2022
Path:	/usr/bin/head
Arguments:	head -1
File size:	18912 bytes
MD5 hash:	bb2984cc21ccc7343bed41f2b577c011

Analysis Process: applet PID: 925, Parent PID: 893

General

Start time:	16:39:57
Start date:	29/11/2022
Path:	/Volumes/DiskMaker X 9/DiskMaker X 9 for macOS Catalina.app/Contents/MacOS/applet
Arguments:	n/a
File size:	60192 bytes
MD5 hash:	0717bb720584b8dc860a0b9e235dd447

Analysis Process: sh PID: 925, Parent PID: 893

General

Start time:	16:39:57
Start date:	29/11/2022
Path:	/bin/sh
Arguments:	sh -c echo '' \| wc -l
File size:	618512 bytes
MD5 hash:	8aa60b22a5d30418a002b340989384dc

Analysis Process: sh PID: 926, Parent PID: 925

General

Start time:	16:39:57
Start date:	29/11/2022
Path:	/bin/sh
Arguments:	n/a
File size:	618512 bytes
MD5 hash:	8aa60b22a5d30418a002b340989384dc

Analysis Process: sh PID: 927, Parent PID: 925

General

Start time:	16:39:57
Start date:	29/11/2022
Path:	/bin/sh
Arguments:	n/a
File size:	618512 bytes
MD5 hash:	8aa60b22a5d30418a002b340989384dc

Analysis Process: wc PID: 927, Parent PID: 925

General

Start time:	16:39:57
Start date:	29/11/2022
Path:	/usr/bin/wc
Arguments:	wc -l
File size:	23072 bytes
MD5 hash:	b89949ce6a1929257e5c0c157027cbfe

Analysis Process: automountd PID: 928, Parent PID: 837

General

Start time:	16:40:01
Start date:	29/11/2022
Path:	/usr/libexec/automountd
Arguments:	n/a
File size:	129632 bytes
MD5 hash:	a02648ba58feca82fec051bdd78be4b6

Analysis Process: od_user_homes PID: 928, Parent PID: 837

General

Start time:	16:40:01
Start date:	29/11/2022
Path:	/usr/libexec/od_user_homes
Arguments:	/usr/libexec/od_user_homes .localized
File size:	24656 bytes
MD5 hash:	5e56553e863563a662752de9cf98be48

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse AppleScript for execution. AppleScript is a macOS scripting language designed to control applications and parts of the OS via inter-application messages called AppleEvents. These AppleEvent messages can be easily scripted with AppleScript for local or remote execution.
Tactics:	Execution
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	macOS
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to mimic features of valid code signatures to increase the chance of deceiving a user, analyst, or tool. Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not been tampered with. Adversaries can copy the metadata and signature information from a signed program, then use it as a template for an unsigned program. Files with invalid code signatures will fail digital signature validation checks, but they may appear more legitimate to users and security tools may improperly handle these files.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process monitoring
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create, acquire, or steal code signing materials to sign their malware or tools. Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not been tampered with. The certificates used during an operation may be created, acquired, or stolen by the adversary. Unlike Invalid Code Signature , this activity will result in a valid signature.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware. Locations and format of logs are platform or product-specific, however standard operating system logs are captured as Windows events or Linux/macOS files such as Bash History and /var/log/*.
Tactics:	Defense Evasion
Data Sources:	API monitoring, File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may steal data by exfiltrating it over a different protocol than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.
Tactics:	Exfiltration
Data Sources:	Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

macOS Analysis Report DiskMaker_X_9.dmg

Overview

General Information

Detection

Signatures

Classification

General Information

Warnings

Runtime Messages

Process Tree

Yara Signatures

Snort Signatures

Joe Sandbox Signatures

Networking

System Summary

Persistence and Installation Behavior

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

/Users/berri/Library/Logs/DiskMakerX.log

/dev/null

Static File Info

General

CodeSign Information

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

ICMP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

System Behavior

Analysis Process: mono-sgen32 PID: 892, Parent PID: 812

General

Analysis Process: open PID: 892, Parent PID: 812

General

Analysis Process: xpcproxy PID: 893, Parent PID: 1

General

Analysis Process: applet PID: 893, Parent PID: 1

General

Analysis Process: applet PID: 894, Parent PID: 893

General

Analysis Process: sh PID: 894, Parent PID: 893

General

Analysis Process: applet PID: 895, Parent PID: 893

General

Analysis Process: sh PID: 895, Parent PID: 893

General

Analysis Process: touch PID: 895, Parent PID: 893

General

Analysis Process: applet PID: 896, Parent PID: 893

macOS Analysis Report
DiskMaker_X_9.dmg