How to extract a Win32 Cabinet Self-Extractor without executing the extracted file then

17.1k views Asked by At

For a coursework, I have to analyse a malware.

It is a .EXE Win32 Cabinet Self-extractor file. (that's how windows see it, it actually start with 4D 5A 00 03 Hex). When run, it extract all the files in a folder created, run the malware (batch/VBS files) which at the end delete the folder with the malware files.

I was wondering how is it possible to extract witout executing the malware? I used ProcDump32 but it gives me: "Process is not 32bits or can't be loaded or is already finished !".

Somehow, I succeed to stucked ProcDump32 and get the folder for few second and copied it before it "disapear" so I got the files, but I'm not sure I gathered all of them and I would like to do it in a proper way.

So I'm looking for an application which can extract the content of a Win32 Cab Self-Extractor file without executing the output files and, if possible, giving the list of extracted files.

2

There are 2 answers

1
sebbu On

You can also use /? on the Self-extractor file, it should show /X:path or /T:path /C to extract the content (according to microsoft kb 262841 and 197147)

0
LZh On

Use /T:full path of folder /C. Without /C the exe file will be executed.

MySelfExtractingFile.exe /T:C:¥MySelfExtractingFile /C