137daca4-0d7b-48aa-8574-f7eb6ad02526

speedfan.sys

Description

speedfan.sys is a vulnerable driver. CVE-2007-5633.

UUID: 137daca4-0d7b-48aa-8574-f7eb6ad02526
Created: 2023-01-09
Author: Michael Haag
Acknowledgement: |

This download link contains the vulnerable driver!

Commands

sc.exe create speedfan.sys binPath=C:\windows\temp\speedfan.sys type=kernel &amp;&amp; sc.exe start speedfan.sys

Use Case	Privileges	Operating System
Elevate privileges	kernel	Windows 10

Detections

YARA 🏹

Expand

Exact Match

with header and size limitation

Threat Hunting

without header and size limitation

Renamed

for renamed driver files

Sigma 🛡️

Expand

Names

detects loading using name only

Hashes

detects loading using hashes only

Sysmon 🔎

Expand

Block

on hashes

Alert

on hashes

Resources

https://github.com/jbaines-r7/dellicious

https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/

https://github.com/jbaines-r7/dellicious and https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/

CVE

CVE-2007-5633

Known Vulnerable Samples

Property	Value
Filename	speedfan.sys
Creation Timestamp	2006-09-24 07:26:48
MD5	5f9785e7535f8f602cb294a54962c9e7
SHA1	bfe55cacc7c56c9f7bd75bdb4b352c0b745d071b
SHA256	22be050955347661685a4343c51f11c7811674e030386d2264cd12ecbf544b7c
Authentihash MD5	af368f76c059d1e07aa884e86d29bbab
Authentihash SHA1	9c08d169b0f59a411c5b51f481622bc78bdf9c84
Authentihash SHA256	641490e28b2a1ee223238f5d969b5abf60a1089afe597c4251b285449e6b3b04
RichPEHeaderHash MD5	edbbdf5bb0479e4f4a4827203aebb406
RichPEHeaderHash SHA1	691e232c9f6d9c5b1241ef5f0f48f67f7b9eb501
RichPEHeaderHash SHA256	f6121f3ea39a6896af3b0824a60eed616d52548fad83ded59b90a688dc219dd6
Company	Windows (R) Server 2003 DDK provider
Description	SpeedFan Device Driver
Product	Windows (R) Server 2003 DDK driver
OriginalFilename	speedfan.sys

Download

Certificates

Expand

Certificate 47bf1995df8d524643f7db6d480d31a4

Field	Value
ToBeSigned (TBS) MD5	518d2ea8a21e879c942d504824ac211c
ToBeSigned (TBS) SHA1	21ce87d827077e61abddf2beba69fde5432ea031
ToBeSigned (TBS) SHA256	1ec3b4f02e03930a470020e0e48d24b84678bb558f46182888d870541f5e25c7
Subject	C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA
ValidFrom	2003-12-04 00:00:00
ValidTo	2013-12-03 23:59:59
Signature	4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a
SignatureAlgorithmOID	1.2.840.113549.1.1.5
IsCertificateAuthority	True
SerialNumber	47bf1995df8d524643f7db6d480d31a4
Version	3

Certificate 0de92bf0d4d82988183205095e9a7688

Field	Value
ToBeSigned (TBS) MD5	45c204b8a20f6abb0188d2d38a3fb0c9
ToBeSigned (TBS) SHA1	cdf3a3c5c2eda4c29621f30fd3154f9f8c765739
ToBeSigned (TBS) SHA256	e32839dddc0f4ed2474efaf37f59d46db400c700fd19533cb0895a111124bc77
Subject	C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer
ValidFrom	2003-12-04 00:00:00
ValidTo	2008-12-03 23:59:59
Signature	877870da4e5201205be079c98230c4fdb91996bd9100c3bdcdcdc6f40ed8fff94dc033623011c5f5741bd492de5f9c2013b17c45be50cd83e7801783a72793671346fbcab8984103cc9b515b058b7fa86ff31b501b242ef2698d6c22f7bbca1695ed0c74c06877d9eb996287c17390f889747a23aba3987b97b1f78f29714d2e751b4841daf0b50d2054d677a097826369fd09cf8af075bb099bd9f91155269a6132be7a02b07b86bea2c38b222c78d13576bc92735cf9b9e64c150a23cce4d2d4342e4940153c0f607a24c6a566ef96cf70eb3ee7f40d7edcd17ca3767169c19c4f47303521b1a2af1a623c2bd98eaa2a077bd818b35c7be29da56ffe3c89ad
SignatureAlgorithmOID	1.2.840.113549.1.1.5
IsCertificateAuthority	False
SerialNumber	0de92bf0d4d82988183205095e9a7688
Version	3

Certificate 4191a15a3978dfcf496566381d4c75c2

Field	Value
ToBeSigned (TBS) MD5	41011f8d0e7c7a6408334ca387914c61
ToBeSigned (TBS) SHA1	c7fc1727f5b75a6421a1f95c73bbdb23580c48e5
ToBeSigned (TBS) SHA256	88dd3952638ee82738c03168e6fd863fe4eab1059ee5e2926ad8cb587c255dc0
Subject	C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA
ValidFrom	2004-07-16 00:00:00
ValidTo	2014-07-15 23:59:59
Signature	ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5
SignatureAlgorithmOID	1.2.840.113549.1.1.5
IsCertificateAuthority	True
SerialNumber	4191a15a3978dfcf496566381d4c75c2
Version	3

Certificate 7b12cd12b82d7758c4d7c3e398845b3c

Field	Value
ToBeSigned (TBS) MD5	9c6803e909424a7709e1eec71bb56fee
ToBeSigned (TBS) SHA1	29237efa67b52838056a16648f18d5b31920f4ce
ToBeSigned (TBS) SHA256	17739d270191b317ef237c9b8e6c965704eca4733a5129ac44775a18d51637d3
Subject	C=IT, ST=Marche, L=Ancona, O=Sokno S.R.L., OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=Software Development, CN=Sokno S.R.L.
ValidFrom	2007-02-07 00:00:00
ValidTo	2008-02-07 23:59:59
Signature	b572f3fe7b0c6aa1ee05ba9510b50345f5ccb72b55b1354fa3e0a5aaf8006302089153d52ebf69112781c7674e84d1646d4d08a04d554aa4428f801f4b4e6f467a35e2b464bb0878e7ca33d346f252d3f77a412ccb6d36fbd0c4d53cb14830362f8646cca976eb8ee66e6659d833a49643b947fe797d205ab717517d6af336669f6c1af45198d7ca0d621f0909098543353bcc39c256131db08f9abfe37f840636f8385e5ece017eff20e74d6363223dfc9948b66959ab5604a9d04ef2a459c03dd2cc4ac19bb1bf7b44b8bf1af9b5c996fd26e0e1b017a224c727a5986557397ceb4684353c85dabeaf102a15c45133baacff9eaa967342dda58442c0fe7a52
SignatureAlgorithmOID	1.2.840.113549.1.1.5
IsCertificateAuthority	False
SerialNumber	7b12cd12b82d7758c4d7c3e398845b3c
Version	3

Certificate 610c120600000000001b

Field	Value
ToBeSigned (TBS) MD5	53c41bc1164e09e0cd1617a5bf913efd
ToBeSigned (TBS) SHA1	93c03aac8951d494ecd5696b1c08658541b18727
ToBeSigned (TBS) SHA256	40bddadac24dc61ca4fb5cab2a2bc5d876bc36808311039a7a3e1a4066f7489b
Subject	C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority
ValidFrom	2006-05-23 17:01:29
ValidTo	2016-05-23 17:11:29
Signature	01e446b33b457f7513877e5f43de468ecb8abdb64741bccccc7491d8ce395195a4a6b547c0efd2da7b8f5711f4328c7ccd3fee42da04214af7c843884a6f5cca14fc4bd19f4cbdd4556ecc02be0da6888f8609baa425bde8b0f0fa8b714e67b0cb82a8d78e55f737ebf03e88efe4e08afd1c6e2e61414875b4b02c1d28d8490fd715f02473253ccc880cde284c6554fe5eae8cea19ad2c51b29b3a47f53c80350117e24987d6544afb4bab07bcbf7d79cfbf35005cbb9ecffc82891b39a05197b6dec0b307ff449644c0342a195cabeef03bec294eb513c537857e75d5b4d60d066eb5d26c237167eaf1718eaf4e74aa0cf9ecbf4c58fa5e909b6d39cb86883f8b1ca81632d5fe6db9f1f8b3ead791f6364778c0272a15c768d6f4c5fc4f4ec8673f102d409ff11ec96148e7a703fc31730cf04688fe56da492995ef09daa3e5beef60ecd954a0599c28bd54ef66157f874c84dba60e95672e517b3439b641c28c846826dc240209e7818e0a972defeea7b998a60f818dc710b5e1ed982f486f53854964789bec5dac970b5526c3efba8dc8d1a52f5a7f936b611a339b18b8a26210de24ea76e12f43ebecdd7c12342489da2855aee5754e312b6763b6a8d7ab730a03cec5ea593fc7eb2a45aea8625b2f009939abb45f73c308ec80118f470e8f2a1343e191066255bbffba3da9a93d260faeca7d628b155589d694344dd665
SignatureAlgorithmOID	1.2.840.113549.1.1.5
IsCertificateAuthority	True
SerialNumber	610c120600000000001b
Version	3

Imports

Expand

ntoskrnl.exe

Imported Functions

Expand

MmUnmapIoSpace
MmMapIoSpace
IofCompleteRequest
IoDeleteDevice
IoDeleteSymbolicLink
RtlInitUnicodeString
IoCreateSymbolicLink
PsGetVersion
IoCreateDevice
RtlUnwindEx
KeBugCheckEx

Exported Functions

Expand

Sections

Expand

.text
.rdata
.data
.pdata
INIT
.rsrc

Signature

Expand

{
  "Certificates": [
    {
      "IsCertificateAuthority": true,
      "SerialNumber": "47bf1995df8d524643f7db6d480d31a4",
      "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a",
      "SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
      "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA",
      "TBS": {
        "MD5": "518d2ea8a21e879c942d504824ac211c",
        "SHA1": "21ce87d827077e61abddf2beba69fde5432ea031",
        "SHA256": "1ec3b4f02e03930a470020e0e48d24b84678bb558f46182888d870541f5e25c7",
        "SHA384": "53e346bbde23779a5d116cc9d86fdd71c97b1f1b343439f8a11aa1d3c87af63864bb8488a5aeb2d0c26a6a1e0b15f03f"
      },
      "ValidFrom": "2003-12-04 00:00:00",
      "ValidTo": "2013-12-03 23:59:59",
      "Version": 3
    },
    {
      "IsCertificateAuthority": false,
      "SerialNumber": "0de92bf0d4d82988183205095e9a7688",
      "Signature": "877870da4e5201205be079c98230c4fdb91996bd9100c3bdcdcdc6f40ed8fff94dc033623011c5f5741bd492de5f9c2013b17c45be50cd83e7801783a72793671346fbcab8984103cc9b515b058b7fa86ff31b501b242ef2698d6c22f7bbca1695ed0c74c06877d9eb996287c17390f889747a23aba3987b97b1f78f29714d2e751b4841daf0b50d2054d677a097826369fd09cf8af075bb099bd9f91155269a6132be7a02b07b86bea2c38b222c78d13576bc92735cf9b9e64c150a23cce4d2d4342e4940153c0f607a24c6a566ef96cf70eb3ee7f40d7edcd17ca3767169c19c4f47303521b1a2af1a623c2bd98eaa2a077bd818b35c7be29da56ffe3c89ad",
      "SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
      "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer",
      "TBS": {
        "MD5": "45c204b8a20f6abb0188d2d38a3fb0c9",
        "SHA1": "cdf3a3c5c2eda4c29621f30fd3154f9f8c765739",
        "SHA256": "e32839dddc0f4ed2474efaf37f59d46db400c700fd19533cb0895a111124bc77",
        "SHA384": "ee9c75832cb252218b3201619852209df490d2ef7a5f7a28afdb37f1c1dd56f4604898838e558f615b1c798d4a488223"
      },
      "ValidFrom": "2003-12-04 00:00:00",
      "ValidTo": "2008-12-03 23:59:59",
      "Version": 3
    },
    {
      "IsCertificateAuthority": true,
      "SerialNumber": "4191a15a3978dfcf496566381d4c75c2",
      "Signature": "ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5",
      "SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
      "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA",
      "TBS": {
        "MD5": "41011f8d0e7c7a6408334ca387914c61",
        "SHA1": "c7fc1727f5b75a6421a1f95c73bbdb23580c48e5",
        "SHA256": "88dd3952638ee82738c03168e6fd863fe4eab1059ee5e2926ad8cb587c255dc0",
        "SHA384": "a00aa5ed457c41e37967882644d63366bae014f03a986576d8514164d7027acf7d0b5e03d764db2558f60db148954459"
      },
      "ValidFrom": "2004-07-16 00:00:00",
      "ValidTo": "2014-07-15 23:59:59",
      "Version": 3
    },
    {
      "IsCertificateAuthority": false,
      "SerialNumber": "7b12cd12b82d7758c4d7c3e398845b3c",
      "Signature": "b572f3fe7b0c6aa1ee05ba9510b50345f5ccb72b55b1354fa3e0a5aaf8006302089153d52ebf69112781c7674e84d1646d4d08a04d554aa4428f801f4b4e6f467a35e2b464bb0878e7ca33d346f252d3f77a412ccb6d36fbd0c4d53cb14830362f8646cca976eb8ee66e6659d833a49643b947fe797d205ab717517d6af336669f6c1af45198d7ca0d621f0909098543353bcc39c256131db08f9abfe37f840636f8385e5ece017eff20e74d6363223dfc9948b66959ab5604a9d04ef2a459c03dd2cc4ac19bb1bf7b44b8bf1af9b5c996fd26e0e1b017a224c727a5986557397ceb4684353c85dabeaf102a15c45133baacff9eaa967342dda58442c0fe7a52",
      "SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
      "Subject": "C=IT, ST=Marche, L=Ancona, O=Sokno S.R.L., OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=Software Development, CN=Sokno S.R.L.",
      "TBS": {
        "MD5": "9c6803e909424a7709e1eec71bb56fee",
        "SHA1": "29237efa67b52838056a16648f18d5b31920f4ce",
        "SHA256": "17739d270191b317ef237c9b8e6c965704eca4733a5129ac44775a18d51637d3",
        "SHA384": "72160f00ca6f6c1f9370279b17c8ae319e44822c942e3e0caa1948a53f9db1b4b9113fed394692801c1caf0c2f9437c4"
      },
      "ValidFrom": "2007-02-07 00:00:00",
      "ValidTo": "2008-02-07 23:59:59",
      "Version": 3
    },
    {
      "IsCertificateAuthority": true,
      "SerialNumber": "610c120600000000001b",
      "Signature": "01e446b33b457f7513877e5f43de468ecb8abdb64741bccccc7491d8ce395195a4a6b547c0efd2da7b8f5711f4328c7ccd3fee42da04214af7c843884a6f5cca14fc4bd19f4cbdd4556ecc02be0da6888f8609baa425bde8b0f0fa8b714e67b0cb82a8d78e55f737ebf03e88efe4e08afd1c6e2e61414875b4b02c1d28d8490fd715f02473253ccc880cde284c6554fe5eae8cea19ad2c51b29b3a47f53c80350117e24987d6544afb4bab07bcbf7d79cfbf35005cbb9ecffc82891b39a05197b6dec0b307ff449644c0342a195cabeef03bec294eb513c537857e75d5b4d60d066eb5d26c237167eaf1718eaf4e74aa0cf9ecbf4c58fa5e909b6d39cb86883f8b1ca81632d5fe6db9f1f8b3ead791f6364778c0272a15c768d6f4c5fc4f4ec8673f102d409ff11ec96148e7a703fc31730cf04688fe56da492995ef09daa3e5beef60ecd954a0599c28bd54ef66157f874c84dba60e95672e517b3439b641c28c846826dc240209e7818e0a972defeea7b998a60f818dc710b5e1ed982f486f53854964789bec5dac970b5526c3efba8dc8d1a52f5a7f936b611a339b18b8a26210de24ea76e12f43ebecdd7c12342489da2855aee5754e312b6763b6a8d7ab730a03cec5ea593fc7eb2a45aea8625b2f009939abb45f73c308ec80118f470e8f2a1343e191066255bbffba3da9a93d260faeca7d628b155589d694344dd665",
      "SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
      "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority",
      "TBS": {
        "MD5": "53c41bc1164e09e0cd1617a5bf913efd",
        "SHA1": "93c03aac8951d494ecd5696b1c08658541b18727",
        "SHA256": "40bddadac24dc61ca4fb5cab2a2bc5d876bc36808311039a7a3e1a4066f7489b",
        "SHA384": "f51d4e75ba638f7314cd59b8d6d45f3b34d35ce6986e9d205cd6f333e8e8d8e9c91f636e6bc84731b6661673f40963d8"
      },
      "ValidFrom": "2006-05-23 17:01:29",
      "ValidTo": "2016-05-23 17:11:29",
      "Version": 3
    }
  ],
  "CertificatesInfo": "",
  "Signer": [
    {
      "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA",
      "SerialNumber": "7b12cd12b82d7758c4d7c3e398845b3c",
      "Version": 1
    }
  ],
  "SignerInfo": ""
}

source

last_updated: 2024-04-09