When I remotely controlled the computer the dmg was still mounted on the desktop with the generic dmg icon.
Heading to the terminal I executed the command hdiutil info. This command will tell you path to the dmg file that is attached. This is shown below as image-path.
Once we know the location of the source dmg file we can list the metadata for the file. We do this by executing mdls /path/to/file.dmg. OS X will tag downloads with a kMDItemWhereFroms attribute this will show us where the malware came from. If needed further analysis can be performed using osxcollector or similar to see which browser was used etc.
This info can also be used to block bad domains… set2updatenow.preparedupdate.xyz in this case.
