home

WFini.exe

WFini

Junyan Li

The application WFini.exe by Junyan Li has been detected as a potentially unwanted program by 1 anti-malware scanner with very strong indications that the file is a potential threat. It runs as a separate (within the context of its own process) windows Service named “WFini WdMan Service”. While running, it connects to the Internet address server-52-85-173-188.fra6.r.cloudfront.net on port 80 using the HTTP protocol.
Publisher:
WFini LIMITED  (signed by Junyan Li)

Product:
WFini

Version:
22.0.0.2535

MD5:
c28b33cba52c7fae524c75f217b43f0b

SHA-1:
439b68ea420c96441c9d5942d656e7160f97db8d

SHA-256:
f459735339ee4f14fa9febcbb79b8482ed85f37b990ed2523a327cbfdecdf2eb

Scanner detections:
1 / 68

Status:
Potentially unwanted

Analysis date:
11/24/2024 8:52:49 PM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
Adware.Elex (M)
16.6.23.7

File size:
205.2 KB (210,152 bytes)

Product version:
22.0.0.2535

Copyright:
Copyright (C) WFini.com From 2012

Original file name:
WFini.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\ProgramData\0winp0\wfini.exe

Digital Signature
Signed by:
Junyan Li

Authority:
thawte, Inc.

Valid from:
6/22/2016 9:00:00 AM

Valid to:
6/3/2017 8:59:59 AM

Subject:
CN=Junyan Li, OU=Individual Developer, O=No Organization Affiliation, L=Baishan, S=Jilin, C=CN

Issuer:
CN=thawte SHA256 Code Signing CA, O="thawte, Inc.", C=US

Serial number:
2DD7F1EEA3C122F2B80F09115F68FEE6

File PE Metadata
Compilation timestamp:
6/16/2016 10:49:20 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
12.0

CTPH (ssdeep):
3072:zhg2KeDnH+BEZi/XWLQ3syIeOyy3jYPqKq+1JuqtDjydY:zWIH+BEgVuyjqST

Entry address:
0xFA54

Entry point:
E8, 1B, 95, 00, 00, E9, 7F, FE, FF, FF, 55, 8B, EC, 8B, 45, 08, 56, 8B, F1, 83, 66, 04, 00, C7, 06, 24, 52, 42, 00, C6, 46, 08, 00, FF, 30, E8, A8, 00, 00, 00, 8B, C6, 5E, 5D, C2, 04, 00, 55, 8B, EC, 8B, 45, 08, C7, 01, 24, 52, 42, 00, 8B, 00, 89, 41, 04, 8B, C1, C6, 41, 08, 00, 5D, C2, 08, 00, 55, 8B, EC, 56, FF, 75, 08, 8B, F1, 83, 66, 04, 00, C7, 06, 24, 52, 42, 00, C6, 46, 08, 00, E8, 12, 00, 00, 00, 8B, C6, 5E, 5D, C2, 04, 00, C7, 01, 24, 52, 42, 00, E9, 96, 00, 00, 00, 55, 8B, EC, 56, 57, 8B, 7D, 08...
 
[+]

Entropy:
6.3880

Code size:
138.5 KB (141,824 bytes)

Service
Display name:
WFini WdMan Service

Service name:
WdMan

Type:
Win32OwnProcess

Group:
SVC_Group


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to server-52-85-83-86.lax1.r.cloudfront.net  (52.85.83.86:80)

TCP (HTTP):
Connects to server-52-85-173-82.fra6.r.cloudfront.net  (52.85.173.82:80)

TCP (HTTP):
Connects to server-52-85-173-79.fra6.r.cloudfront.net  (52.85.173.79:80)

TCP (HTTP):
Connects to server-52-85-173-6.fra6.r.cloudfront.net  (52.85.173.6:80)

TCP (HTTP):
Connects to server-52-85-173-59.fra6.r.cloudfront.net  (52.85.173.59:80)

TCP (HTTP):
Connects to server-52-85-173-188.fra6.r.cloudfront.net  (52.85.173.188:80)

TCP (HTTP):
Connects to server-52-85-173-178.fra6.r.cloudfront.net  (52.85.173.178:80)

Remove WFini.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.