» WFini.exe
Overview
Analysis
File Details
Behaviors (1)
Network (11)

WFini.exe

WFini

Junyan Li

The application WFini.exe by Junyan Li has been detected as a potentially unwanted program by 1 anti-malware scanner with very strong indications that the file is a potential threat. It runs as a separate (within the context of its own process) windows Service named “WFini WdMan Service”. While running, it connects to the Internet address server-52-85-221-19.cdg50.r.cloudfront.net on port 80 using the HTTP protocol.

File name:

WFini.exe

Publisher:

WFini LIMITED (signed by Junyan Li)

Product:

WFini

Version:

22.0.0.2536

MD5:

616dd167b5da71c1aaa187fa9e0a187d

SHA-1:

d27033609a84ff9913981bd3315ad10cb3d17374

SHA-256:

6a3f60ac170888b3cc6bcf15469c6c9f071d67386f5cfb7993a1ebb6cd9e3bf7

Scanner detections:

1 / 68

Status:

Potentially unwanted

Analysis date:

11/24/2024 9:50:52 PM UTC (today)

Scan engine

Detection

Engine version

Reason Heuristics

Adware.Downloader.JunyanLi.Meta (M)

16.7.4.8

File size:

549.2 KB (562,408 bytes)

Product version:

22.0.0.2536

Original file name:

WFini.exe

File type:

Executable application (Win32 EXE)

Language:

English (United States)

Common path:

C:\ProgramData\dwinpd\wfini.exe

Digital Signature

Signed by:

Junyan Li

Authority:

thawte, Inc.

Valid from:

6/28/2016 7:00:00 AM

Valid to:

6/3/2017 6:59:59 AM

Subject:

CN=Junyan Li, OU=Individual Developer, O=No Organization Affiliation, L=Baishan, S=Jilin, C=CN

Issuer:

CN=thawte SHA256 Code Signing CA, O="thawte, Inc.", C=US

Serial number:

71D68F083EDE156D287A502061A55A31

File PE Metadata

Compilation timestamp:

7/4/2016 10:13:17 AM

OS version:

5.1

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

12.0

CTPH (ssdeep):

12288:CFDwR/80p9CBpf+WMJkA5Jh50wWcvzzjuq:C4/xKBnMJkA5jmwZnjB

Entry address:

0x352C0

Entry point:

E8, 40, 42, 01, 00, E9, 39, FE, FF, FF, 55, 8B, EC, 56, FF, 75, 08, 8B, F1, E8, 5F, 00, 00, 00, C7, 06, D0, C9, 46, 00, 8B, C6, 5E, 5D, C2, 04, 00, 55, 8B, EC, 56, FF, 75, 08, 8B, F1, E8, 5F, 00, 00, 00, C7, 06, D0, C9, 46, 00, 8B, C6, 5E, 5D, C2, 04, 00, 55, 8B, EC, 56, FF, 75, 08, 8B, F1, E8, A0, 00, 00, 00, C7, 06, B8, C9, 46, 00, 8B, C6, 5E, 5D, C2, 04, 00, 55, 8B, EC, 56, 8D, 45, 08, 8B, F1, 50, E8, 44, 00, 00, 00, C7, 06, B8, C9, 46, 00, 8B, C6, 5E, 5D, C2, 04, 00, 55, 8B, EC, 56, FF, 75, 08, 8B, F1... 
[+]

Code size:

419 KB (429,056 bytes)

Service

Display name:

WFini WdMan Service

Service name:

WdMan

Type:

Win32OwnProcess

Group:

SVC_Group

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):

Connects to server-54-230-95-84.fra2.r.cloudfront.net (54.230.95.84:80)

TCP (HTTP):

Connects to server-54-230-95-147.fra2.r.cloudfront.net (54.230.95.147:80)

TCP (HTTP):

Connects to server-54-230-216-83.mrs50.r.cloudfront.net (54.230.216.83:80)

TCP (HTTP):

Connects to server-54-230-216-20.mrs50.r.cloudfront.net (54.230.216.20:80)

TCP (HTTP):

Connects to server-54-192-36-248.jfk1.r.cloudfront.net (54.192.36.248:80)

TCP (HTTP):

Connects to server-52-85-83-240.lax1.r.cloudfront.net (52.85.83.240:80)

TCP (HTTP):

Connects to server-52-85-83-239.lax1.r.cloudfront.net (52.85.83.239:80)

TCP (HTTP):

Connects to server-52-85-221-9.cdg50.r.cloudfront.net (52.85.221.9:80)

TCP (HTTP):

Connects to server-52-85-221-19.cdg50.r.cloudfront.net (52.85.221.19:80)

TCP (HTTP):

Connects to server-52-84-246-249.sfo20.r.cloudfront.net (52.84.246.249:80)

TCP (HTTP):

Connects to server-52-84-246-245.sfo20.r.cloudfront.net (52.84.246.245:80)

Remove WFini.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.