makecab.exe
- File Path:
C:\Windows\system32\makecab.exe - Description: Microsoft Cabinet Maker
Hashes
| Type | Hash |
|---|---|
| MD5 | FF47E32B1B45D1DE2ECC39107B365563 |
| SHA1 | A8B93562ABC7F0D7252EE9A01E335A3FCECDD30B |
| SHA256 | BA31AD8ECA19C5FE03F6A5C64C8E0ADFC7BD8D04B1F4E1C11D167467FD5261E9 |
| SHA384 | 4B0CAD899127F7B28E81B4B0A45A0361A67E4DE60FD1B6DD493ABDC893C69F5CF0218A6832F879DEAF11609583D74C09 |
| SHA512 | 0E0778306A37B4178B570DFFCEB00C5AC7C0110FC35FD81DBE105D759AADEDDD9006DC8CFD654F948FD42A2D5BF12453AA629F637C3FCD94718122580AE12DE8 |
| SSDEEP | 1536:E1O9GAeEoohuq5r20STMoXQVhuKGlMykUR021AmN3EDKtx0vRu:v9GAmqx52TTMoXQLFGlMykl21vEDKtxl |
| IMP | A9326A6F3C34256D97D8CD7972ACC242 |
| PESHA1 | B742443BCD0F291D7BB2BD953BE5906C30AFF317 |
| PE256 | 2D8A7CC311E52167DA99BB22B2819E82FBEDCC670ABE1B3DF85BF80E393F0F03 |
Runtime Data
Usage (stdout):
Cabinet Maker - Lossless Data Compression Tool
MAKECAB [/V[n]] [/D var=value ...] [/L dir] source [destination]
MAKECAB [/V[n]] [/D var=value ...] /F directive_file [...]
source File to compress.
destination File name to give compressed file. If omitted, the
last character of the source file name is replaced
with an underscore (_) and used as the destination.
/F directives A file with MakeCAB directives (may be repeated). Refer to
Microsoft Cabinet SDK for information on directive_file.
/D var=value Defines variable with specified value.
/L dir Location to place destination (default is current directory).
/V[n] Verbosity level (1..3).
Child Processes:
csrss.exe winlogon.exe
Loaded Modules:
| Path |
|---|
| C:\Windows\System32\KERNEL32.DLL |
| C:\Windows\System32\KERNELBASE.dll |
| C:\Windows\system32\makecab.exe |
| C:\Windows\SYSTEM32\ntdll.dll |
Signature
- Status: Signature verified.
- Serial:
3300000266BD1580EFA75CD6D3000000000266 - Thumbprint:
A4341B9FD50FB9964283220A36A1EF6F6FAA7840 - Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
- Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
File Metadata
- Original Filename: makecab.exe
- Product Name: Microsoft Windows Operating System
- Company Name: Microsoft Corporation
- File Version: 5.00 (WinBuild.160101.0800)
- Product Version: 5.00
- Language: English (United States)
- Legal Copyright: Microsoft Corporation. All rights reserved.
- Machine Type: 64-bit
File Scan
- VirusTotal Detections: 0/76
- VirusTotal Link: https://www.virustotal.com/gui/file/ba31ad8eca19c5fe03f6a5c64c8e0adfc7bd8d04b1f4e1c11d167467fd5261e9/detection
Possible Misuse
The following table contains possible examples of makecab.exe being misused. While makecab.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.
| Source | Source File | Example | License |
|---|---|---|---|
| sigma | sysmon_suspicious_remote_thread.yml | - '\makecab.exe' |
DRL 1.0 |
| sigma | proc_creation_win_alternate_data_streams.yml | - 'makecab ' |
DRL 1.0 |
| sigma | proc_creation_win_apt_hafnium.yml | Image\|endswith: '\makecab.exe' |
DRL 1.0 |
| LOLBAS | Makecab.yml | Name: Makecab.exe |
|
| LOLBAS | Makecab.yml | - Command: makecab c:\ADS\autoruns.exe c:\ADS\cabtest.txt:autoruns.cab |
|
| LOLBAS | Makecab.yml | - Command: makecab \\webdavserver\webdav\file.exe C:\Folder\file.txt:file.cab |
|
| LOLBAS | Makecab.yml | - Command: makecab \\webdavserver\webdav\file.exe C:\Folder\file.cab |
|
| LOLBAS | Makecab.yml | - Path: C:\Windows\System32\makecab.exe |
|
| LOLBAS | Makecab.yml | - Path: C:\Windows\SysWOW64\makecab.exe |
|
| LOLBAS | Makecab.yml | - IOC: Makecab retrieving files from Internet |
|
| LOLBAS | Makecab.yml | - IOC: Makecab storing data into alternate data streams |
|
| atomic-red-team | T1564.004.md | makecab #{path}\autoruns.exe #{path}\cabtest.txt:autoruns.cab | MIT License. © 2018 Red Canary |
Additional Info*
*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.
makecab
Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
Package existing files into a cabinet (.cab) file.
[!NOTE] This command is the same as the diantz command.
Syntax
makecab [/v[n]] [/d var=<value> ...] [/l <dir>] <source> [<destination>]
makecab [/v[<n>]] [/d var=<value> ...] /f <directives_file> [...]
Parameters
| Parameter | Description |
|---|---|
<source> |
File to compress. |
<destination> |
File name to give compressed file. If omitted, the last character of the source file name is replaced with an underscore (_) and used as the destination. |
/f <directives_file> |
A file with makecab directives (may be repeated). |
/d var=<value> |
Defines variable with specified value. |
/l <dir> |
Location to place destination (default is current directory). |
/v[<n>] |
Set debugging verbosity level (0=none,…,3=full). |
| /? | Displays help at the command prompt. |
Additional References
MIT License. Copyright (c) 2020-2021 Strontic.