Adversaries leverage various Windows features to distribute malware. In this context, a built-in Windows tool lets attackers deliver compressed files to targets, extract the malicious content, and execute it using nothing but native Windows functionality. The tool works on a fixed archive format whose name alone may raise suspicion. Before jumping to conclusions, examine the files' behaviour in a sandbox environment to determine whether the activity is legitimate or potentially malicious.

What is Cab File?

.Cab represents an archive format developed by Microsoft. Files bearing the .cab extension signal compression in Microsoft's archived format. The archive's contents may include authorized software crucial for operating system functionality, or alternatively, it could harbor segments of malicious code.
 
How do threat actors build .cab files?

From an attacker's viewpoint, numerous methods achieve this goal; one of the simplest is to leverage programs built into the Windows operating system to generate .cab files. Specifically, attackers use readily available internal tools such as the IExpress Wizard, found in any Windows operating system. This tool both compresses files into a .cab-style archive wrapped in an executable and extracts them again. An alternative is simply searching Google for keywords like "exe to .cab converter", which gives attackers additional options.
What is Extrac32.exe? 

Extrac32.exe is a legitimate Windows process used to decompress one or more compressed files (.cab files).

The Extrac32 tool can copy, load, and extract specified files within the Windows file system. Adversaries exploit these capabilities to extract malicious executables and to place malicious data into an NTFS Alternate Data Stream (ADS). Data concealed in an ADS can then be leveraged for later execution. Hiding data this way is not exclusive to Extrac32; numerous methods exist for concealing malicious data within the file system, and Extrac32 is only one of them.

How to detect these malicious activities?

Gather evidence about suspicious artifacts, scrutinize the actor's timeline, and look for additional clues on both the endpoints and the network. Exercise caution before quickly labelling an incident a false positive, particularly when a Windows tool is operating on the endpoint. Windows operating system utilities are legitimate by nature, so compile a list of the hashes and command-line arguments observed for the utility in question and incorporate them into your analysis. In the example below, we used a free open-source tool to extract malicious NTFS Alternate Data Stream (ADS) files.
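The detection advice above (record the hashes and command-line arguments seen for the legitimate utility, and treat an ADS destination as a red flag) can be turned into a small triage script. The following Python is an added example written for this post, not a tool from the original article; it runs over constructed Sysmon-style process-creation records embedded inline, and the hash values and file paths in those records are placeholders, not real indicators. It flags three things: an extrac32.exe image that is not in a system directory, an extrac32.exe whose hash is not on your recorded allow-list, and a command line whose destination argument is an NTFS alternate data stream (a path with a second colon after the drive letter).

```python
import re
from typing import Dict, List

# Constructed Sysmon-style process-creation records (Event ID 1 fields); not real telemetry.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # benign: the system copy of extrac32 unpacking a cabinet into a directory
        "Image": r"C:\Windows\System32\extrac32.exe",
        "CommandLine": r"extrac32.exe /Y /L C:\Windows\Temp C:\Windows\Temp\update.cab",
        "ParentImage": r"C:\Windows\System32\svchost.exe",
        "Hashes": "SHA256=PLACEHOLDER_KNOWN_GOOD_HASH",
    },
    {   # suspicious: the destination is an NTFS alternate data stream on a .txt file
        "Image": r"C:\Windows\System32\extrac32.exe",
        "CommandLine": r'extrac32.exe /C C:\Users\Public\update.cab "C:\Users\Public\Im_Not_A_Hacker.txt:hidden.exe"',
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "Hashes": "SHA256=PLACEHOLDER_KNOWN_GOOD_HASH",
    },
    {   # suspicious: an extrac32.exe outside the system directories with an unknown hash
        "Image": r"C:\Users\Public\extrac32.exe",
        "CommandLine": r"extrac32.exe /Y C:\Users\Public\files.cab",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "Hashes": "SHA256=PLACEHOLDER_UNKNOWN_HASH",
    },
    {   # unrelated process: must produce no findings
        "Image": r"C:\Windows\System32\notepad.exe",
        "CommandLine": r"notepad.exe C:\Users\Public\Im_Not_A_Hacker.txt",
        "ParentImage": r"C:\Windows\explorer.exe",
        "Hashes": "SHA256=PLACEHOLDER_NOTEPAD_HASH",
    },
]

# Hashes you have recorded for the genuine utility on your own builds (placeholder value here).
KNOWN_GOOD_HASHES = {"PLACEHOLDER_KNOWN_GOOD_HASH"}
# Directories where the real binary lives on a stock install.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# A Windows path whose file name carries a second colon: <drive>:\...\name:stream
ADS_TARGET = re.compile(r'^[A-Za-z]:\\[^:"]+:[^\\:"]+$')
# One command-line argument: either a double-quoted run or a run of non-whitespace.
TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def tokenize(cmdline: str) -> List[str]:
    """Split a Windows command line on whitespace, keeping quoted arguments whole."""
    return [quoted or plain for quoted, plain in TOKEN.findall(cmdline)]


def sha256_of(event: Dict[str, str]) -> str:
    """Pull the SHA256 value out of a Sysmon 'Hashes' field such as 'SHA256=...,MD5=...'."""
    for part in event.get("Hashes", "").split(","):
        algo, _, value = part.partition("=")
        if algo.strip().upper() == "SHA256":
            return value.strip()
    return ""


def analyze_event(event: Dict[str, str]) -> List[str]:
    """Return the names of the detection rules that fire for one process-creation event."""
    findings: List[str] = []
    image = event["Image"].lower()
    if not image.endswith("\\extrac32.exe"):
        return findings                       # only extrac32 launches are in scope
    if not image.startswith(SYSTEM_DIRS):
        findings.append("extrac32_outside_system_dir")
    if sha256_of(event) not in KNOWN_GOOD_HASHES:
        findings.append("extrac32_unknown_hash")
    if any(ADS_TARGET.match(arg) for arg in tokenize(event["CommandLine"])):
        findings.append("extrac32_writes_alternate_data_stream")
    return findings


def analyze(events: List[Dict[str, str]]) -> Dict[int, List[str]]:
    """Map the index of every event that triggered at least one rule to its findings."""
    results = {}
    for index, event in enumerate(events):
        hits = analyze_event(event)
        if hits:
            results[index] = hits
    return results


if __name__ == "__main__":
    for index, hits in analyze(SAMPLE_EVENTS).items():
        print(f"event {index}: {', '.join(hits)} :: {SAMPLE_EVENTS[index]['CommandLine']}")
```

The allow-list check is the part that needs local data: replace the placeholder hash with the SHA256 values you have collected from clean machines, and feed the script real Sysmon Event ID 1 records exported from your SIEM. The ADS rule deliberately matches on the shape of the argument rather than on a specific stream name, so it also catches streams the attacker has named to look harmless.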
The alternate stream viewer is a tool used to discover data concealed in NTFS Alternate Data Streams (ADS). The image above shows hidden .exe data inside the file named "Im_Not_A_Hacker.txt". Let's start the investigation!

Let's extract the data from the stream and save it to my Desktop folder.