Installation
When executed, TrojanDownloader:Win32/Renos.AW creates a randomly named DLL, commonly in the <system folder> of the affected system, as in the following example:
<system folder>\qnftzl.dll
The dropped DLL is then executed. The registry is modified so that the DLL component runs at Windows logon, as in the following example modifications:
Adds value: "qnftzl"
To subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
Adds value: "Asynchronous"
With data: "00, 00, 00, 00"
To subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\qnftzl
Adds value: "DllName"
With data: "qnftzl.dll"
To subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\qnftzl
Adds value: "Impersonate"
With data: "00, 00, 00, 00"
To subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\qnftzl
Adds value: "StartShell"
With data: "WLEventStartShell"
To subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\qnftzl
TrojanDownloader:Win32/Renos.AW injects itself into the SVCHOST.EXE process space to perform its malicious payload.
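The Winlogon\Notify modifications above are a persistence technique that stands out on a baseline comparison. The following added example (not part of this analysis, and not Microsoft's tooling) parses a constructed .reg export of that key and flags notification packages whose DllName is not on a hypothetical known-good allowlist; the allowlist and sample export are assumptions for illustration.

```python
"""Offline triage of Winlogon\\Notify packages from a .reg export (constructed example)."""
import re
from collections import defaultdict

NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"

# Hypothetical baseline of Notify DLLs expected on a clean host; a real triage
# would build this list from a known-good reference system of the same build.
BASELINE_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll", "scecli.dll", "wlnotify.dll"}

# Constructed .reg export mirroring the modifications described in this entry.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\scecli]
"DllName"="scecli.dll"
"Asynchronous"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\qnftzl]
"Asynchronous"=hex:00,00,00,00
"DllName"="qnftzl.dll"
"Impersonate"=hex:00,00,00,00
"StartShell"="WLEventStartShell"
"""

def parse_notify_packages(reg_text):
    """Return {package_name: {value_name: raw_data}} for each Notify subkey."""
    packages = defaultdict(dict)
    prefix = (NOTIFY_KEY + "\\").lower()
    current = None
    for line in reg_text.splitlines():
        key = re.match(r"^\[(.+)\]$", line.strip())
        if key:  # new key header: track it only if it sits under Winlogon\Notify
            path = key.group(1)
            current = path[len(prefix):] if path.lower().startswith(prefix) else None
            continue
        val = re.match(r'^"([^"]+)"=(.*)$', line.strip())
        if current and val:
            packages[current][val.group(1)] = val.group(2)
    return dict(packages)

def suspicious_notify_packages(reg_text, baseline=BASELINE_DLLS):
    """List (package, dll) pairs whose DllName is outside the baseline."""
    findings = []
    for name, values in parse_notify_packages(reg_text).items():
        dll = values.get("DllName", "").strip('"').lower()
        if dll not in baseline:
            findings.append((name, dll))
    return findings

if __name__ == "__main__":
    for pkg, dll in suspicious_notify_packages(SAMPLE_REG):
        print(f"suspicious Winlogon Notify package {pkg!r} -> {dll}")
```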
Payload
Downloads Other Malware
TrojanDownloader:Win32/Renos.AW attempts to connect to certain remote servers to download other files. This variant has been observed downloading Trojan:Win32/FakeXPA and other Win32/Renos components.
These Renos variants have been observed contacting or downloading from servers in the following list of locations, although this varies from minor variant to minor variant.
Analysis by Lena Lin