Let's load the PCAP in Wireshark as follows:
We can see that there is a lot of HTTP data present in the PCAP file. Let's add columns to display the full URI and User-Agent entries, and also filter the requests using the http.request.uri filter as follows:
The user-agent is quite important in malware communications, since they might not be the standard user-agents used by popular browsers. We can see we have Mozilla/4.08 (Charon; Inferno) as the user-agent, and URI contains a single user, as shown in the previous screenshot. Let's investigate this user-agent on Google as shown in the following screenshot:
It seems that the HTTP requests are generated by the nefarious LokiBot, a popular malware that infiltrates data on the infected systems. Open the third link from the preceding results which is from https:...