makecab.exe
- File Path:
C:\Windows\SysWOW64\makecab.exe - Description: Microsoft Cabinet Maker
Hashes
| Type | Hash |
|---|---|
| MD5 | 00824484BE0BCE2A430D7F43CD9BABA5 |
| SHA1 | 85DFD8B30399A207B0CFDE6FCBAE03385DD98642 |
| SHA256 | F3C190724C35D35DA5213DAEB868DADE5556EAEA69A9337DEDD6402CF4C42E48 |
| SHA384 | 2564BD4955B5261267AE13B0B4071002A9DD9C97D3CCA9ACC9A1F781886D6CA65814A2A0D19E104BA6A58199AA1545E5 |
| SHA512 | 7D2522D9CB3B5E9700753B40BA5B99854CBFA2A100B065808F2C7B1C40A565C0AA849B178A544067D05BBB6176C7D7F8B7D4FADED8B2A94B0DC492E94D9F6203 |
| SSDEEP | 1536:KHETyr/UEt6k01v/wjM/bCsvmhnEAWykSxHEVcjrIcuj+cZv7gJ/V3pnQgJY+F7+:0ETyzUEt6k01v/wjM/bCsvmhnEAWdSxK |
| IMP | DB419917F8DBA7D951EB3BCBFC2572AA |
| PESHA1 | E701D0D4054AE937856F65F6811E47108AA4C2F9 |
| PE256 | 74C9BCE815AF297F5997731EA19F6D689B4803E50C4AB6CA0143680BA218BC5A |
Runtime Data
Usage (stdout):
Cabinet Maker - Lossless Data Compression Tool
MAKECAB [/V[n]] [/D var=value ...] [/L dir] source [destination]
MAKECAB [/V[n]] [/D var=value ...] /F directive_file [...]
source File to compress.
destination File name to give compressed file. If omitted, the
last character of the source file name is replaced
with an underscore (_) and used as the destination.
/F directives A file with MakeCAB directives (may be repeated). Refer to
Microsoft Cabinet SDK for information on directive_file.
/D var=value Defines variable with specified value.
/L dir Location to place destination (default is current directory).
/V[n] Verbosity level (1..3).
Loaded Modules:
| Path |
|---|
| C:\Windows\SYSTEM32\ntdll.dll |
| C:\Windows\System32\wow64.dll |
| C:\Windows\System32\wow64cpu.dll |
| C:\Windows\System32\wow64win.dll |
| C:\Windows\SysWOW64\makecab.exe |
Signature
- Status: Signature verified.
- Serial:
3300000266BD1580EFA75CD6D3000000000266 - Thumbprint:
A4341B9FD50FB9964283220A36A1EF6F6FAA7840 - Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
- Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
File Metadata
- Original Filename: makecab.exe
- Product Name: Microsoft Windows Operating System
- Company Name: Microsoft Corporation
- File Version: 5.00 (WinBuild.160101.0800)
- Product Version: 5.00
- Language: English (United States)
- Legal Copyright: Microsoft Corporation. All rights reserved.
- Machine Type: 32-bit
File Scan
- VirusTotal Detections: 0/75
- VirusTotal Link: https://www.virustotal.com/gui/file/f3c190724c35d35da5213daeb868dade5556eaea69a9337dedd6402cf4c42e48/detection
Possible Misuse
The following table contains possible examples of makecab.exe being misused. While makecab.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.
| Source | Source File | Example | License |
|---|---|---|---|
| sigma | sysmon_suspicious_remote_thread.yml | - '\makecab.exe' |
DRL 1.0 |
| sigma | proc_creation_win_alternate_data_streams.yml | - 'makecab ' |
DRL 1.0 |
| sigma | proc_creation_win_apt_hafnium.yml | Image\|endswith: '\makecab.exe' |
DRL 1.0 |
| LOLBAS | Makecab.yml | Name: Makecab.exe |
|
| LOLBAS | Makecab.yml | - Command: makecab c:\ADS\autoruns.exe c:\ADS\cabtest.txt:autoruns.cab |
|
| LOLBAS | Makecab.yml | - Command: makecab \\webdavserver\webdav\file.exe C:\Folder\file.txt:file.cab |
|
| LOLBAS | Makecab.yml | - Command: makecab \\webdavserver\webdav\file.exe C:\Folder\file.cab |
|
| LOLBAS | Makecab.yml | - Path: C:\Windows\System32\makecab.exe |
|
| LOLBAS | Makecab.yml | - Path: C:\Windows\SysWOW64\makecab.exe |
|
| LOLBAS | Makecab.yml | - IOC: Makecab retrieving files from Internet |
|
| LOLBAS | Makecab.yml | - IOC: Makecab storing data into alternate data streams |
|
| atomic-red-team | T1564.004.md | makecab #{path}\autoruns.exe #{path}\cabtest.txt:autoruns.cab | MIT License. © 2018 Red Canary |
Additional Info*
*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.
makecab
Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
Package existing files into a cabinet (.cab) file.
[!NOTE] This command is the same as the diantz command.
Syntax
makecab [/v[n]] [/d var=<value> ...] [/l <dir>] <source> [<destination>]
makecab [/v[<n>]] [/d var=<value> ...] /f <directives_file> [...]
Parameters
| Parameter | Description |
|---|---|
<source> |
File to compress. |
<destination> |
File name to give compressed file. If omitted, the last character of the source file name is replaced with an underscore (_) and used as the destination. |
/f <directives_file> |
A file with makecab directives (may be repeated). |
/d var=<value> |
Defines variable with specified value. |
/l <dir> |
Location to place destination (default is current directory). |
/v[<n>] |
Set debugging verbosity level (0=none,…,3=full). |
| /? | Displays help at the command prompt. |
Additional References
MIT License. Copyright (c) 2020-2021 Strontic.