Common Information
Type | Value
---|---
Category |
Type | Yara Rule
Misp Type |
Description |

Value:

```yara
rule metamorfo_msi
{
    meta:
        author      = "jeFF0Falltrades"
        ref         = "https://blog.trendmicro.com/trendlabs-security-intelligence/analysis-abuse-of-custom-actions-in-windows-installer-msi-to-run-malicious-javascript-vbscript-and-powershell-scripts/"
        description = "This is a simple, albeit effective rule to detect most Metamorfo initial MSI payloads"

    strings:
        $str_1  = "replace( \" pussy \" , idpp)" ascii wide nocase
        $str_2  = "GAIPV+idpp+ \"\\\\\" +idpp" ascii wide nocase
        $str_3  = "StrReverse( \" TEG \" )" ascii wide nocase
        $str_4  = "taller 12.2.1" ascii wide nocase
        $str_5  = "$bExisteArquivoLog" ascii wide nocase
        $str_6  = "function unzip(zipfile, unzipdir)" ascii wide nocase
        $str_7  = "DonaLoad(ArquivoDown" ascii wide nocase
        $str_8  = "putt_start" ascii wide nocase
        $str_9  = "FilesInZip= zipzipp" ascii wide nocase
        $str_10 = "@ u s e r p r o f i l e @ \" +ppasta" ascii wide nocase
        $str_11 = "getFolder(unzipdir).Path" ascii wide nocase

    condition:
        2 of them
}
```