From 24f05ed60091ccfed35bcd0f4e4d10806a65de53 Mon Sep 17 00:00:00 2001
From: cccs-kevin
Date: Fri, 8 Sep 2023 16:13:02 +0000
Subject: [PATCH] Updating script_network_activity to match malicious_document_urls more or less

---
 modules/signatures/script_downloader.py | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/modules/signatures/script_downloader.py b/modules/signatures/script_downloader.py
index cec1e71a..2934bb96 100644
--- a/modules/signatures/script_downloader.py
+++ b/modules/signatures/script_downloader.py
@@ -67,6 +67,10 @@ def on_call(self, call, process):
         if call["api"] == "InternetCrackUrlW":
             self.mbcs += ["C0005"]  # micro-behaviour
             buff = self.get_argument(call, "Url").lower()
+            # InternetCrackUrlW calls made by scripts that start with https? are quite interesting
+            if buff.startswith("http://") or buff.startswith("https://"):
+                # Increasing the score to be on par with the Cuckoo signature "malicious_document_urls"
+                self.severity = 4
             self.ret = True
             self.data.append({"request": buff})
             if self.pid:
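Review bot: The escalation `self.severity = 4` mutates the signature instance and is never reset, so once a single http(s) URL has been cracked, every later hit from this signature (including non-http requests appended on the following `self.data.append` line) is reported at severity 4; if that is intended it deserves a comment such as `# severity is sticky for the rest of the analysis once any http(s) URL is seen`. The scheme test also treats `http://127.0.0.1`, `http://localhost` and other loopback/LAN targets the same as external hosts, so a script probing a local service gets the same score as one pulling a payload from the internet; whether `malicious_document_urls` filters those out I cannot tell from here, so parity should be checked before relying on the comparison. As a point of style, `startswith` accepts a tuple, so the condition collapses to `if buff.startswith(("http://", "https://")):`. Note that the lowercased `buff` comes from the context line above, which still dereferences `get_argument(...)` without a None guard, and `on_call` begins and ends outside this hunk.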