
Easy as 123 (Malware Traffic Analysis)

2026-02-28 - EASY AS 123

Scenario

As a dynamic go-getter at a Security Operations Center (SOC), you check the Security Information and Event Management (SIEM) system and find several signature hits for NetSupport Manager RAT from 45.131.214[.]85 over TCP port 443. The activity started on 2026-02-28 at 19:55 UTC.

Exercise URL: https://malware-traffic-analysis.net/2026/02/28/index.html

PCAP / files provided:

  • 2026-02-28-traffic-analysis-exercise.pcap.zip — full network capture

Questions:

  1. What is the IP address of the infected Windows client?
  2. What is the MAC address of the infected Windows client?
  3. What is the host name of the infected Windows client?
  4. What is the user account name from the infected Windows client?
  5. What is the full name of the user from the user account?

TL;DR

A Windows host (10.2.28.88 / DESKTOP-TEYQ2NR) on the EASYAS123 domain was infected with NetSupport Manager RAT. The infected machine made repeated HTTP POST requests to hxxp://45.131.214[.]85/fakeurl.htm (vadusa[.]xyz) starting at 19:55 UTC, carrying form-URL-encoded C2 data. Filtering on the C2 IP immediately identified the infected host’s IP and MAC. Pivoting to traffic between the host and domain controller (10.2.28.2) and drilling into Kerberos packets revealed the username brolf, and a SAMR (DCE/RPC) request confirmed the full display name as Becka Rolf.


Network Environment

Field | Value
LAN segment | 10.2.28.0/24
Gateway IP | 10.2.28.1
Domain | easyas123[.]tech
AD environment name | EASYAS123
AD domain controller | EASYAS123-DC
Domain controller IP | 10.2.28.2
Broadcast address | 10.2.28.255

Infected host(s)

IP | MAC | Hostname | User
10.2.28.88 | 00:19:d1:b2:4d:ad | DESKTOP-TEYQ2NR | brolf / Becka Rolf

Timeline

Time | Event | Evidence
2026-02-28 19:55 UTC | NetSupport RAT C2 traffic begins | SIEM alert; first POST /fakeurl.htm to 45.131.214[.]85
2026-02-28 19:55 – 2026-03-01 00:16 UTC | Continuous C2 beaconing | HTTP POST /fakeurl.htm (form-URL-encoded) to vadusa[.]xyz

IOCs

Network

IP / Domain | Port / Protocol | Role
45.131.214[.]85 / vadusa[.]xyz | 443 / TCP (HTTP, cleartext) | NetSupport Manager RAT C2 — SIEM alerted on port 443; Wireshark confirmed unencrypted HTTP, not TLS

Files / Hashes

None identified in this exercise.


Analysis

Wireshark filters

ip.addr == 45.131.214.85
ip.addr == 45.131.214.85 && http
ip.addr == 10.2.28.88
ip.addr == 10.2.28.88 && ip.addr == 10.2.28.2
ip.addr == 10.2.28.88 && ip.addr == 10.2.28.2 && kerberos

Step 1 — Identify the infected host from C2 traffic

Filtered on the known C2 IP (ip.addr == 45.131.214.85). The infected machine stood out immediately: 10.2.28.88 was making repeated POST requests to /fakeurl.htm. The MAC address (00:19:d1:b2:4d:ad) came from the Ethernet frame. Narrowing to ip.addr == 45.131.214.85 && http confirmed the C2 session ran from 19:55 UTC (Feb 28) to 00:16 UTC (Mar 1). Notably, the traffic appeared as HTTP in Wireshark despite the SIEM alerting on port 443 — NetSupport Manager RAT is known to use cleartext HTTP on the HTTPS port as a detection-evasion technique. Enabling name resolution confirmed the C2 IP resolves to vadusa[.]xyz.

Step 2 — Pivot to host–DC communication

Switched focus to the infected host (ip.addr == 10.2.28.88) and filtered out background noise (Microsoft telemetry, NTP, etc.). The bulk of non-C2 traffic was with 10.2.28.2, the domain controller. Protocol hierarchy (Statistics → Protocol Hierarchy) showed: UDP (NTP, NetBIOS Name Service, Connectionless LDAP) and TCP (NetBIOS Session Service, LDAP, Kerberos, DCE/RPC).

Step 3 — Extract identity from Kerberos and SAMR

Filtered on host ↔ DC Kerberos traffic (ip.addr == 10.2.28.88 && ip.addr == 10.2.28.2 && kerberos). The cname field in the AS-REQ packets identified the domain username as brolf. Pivoting to DCE/RPC packets in the same host–DC stream, a SAMR (Security Account Manager Remote) request revealed the full display name: Becka Rolf.
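To show what Wireshark is actually reading when it displays the cname, here is an added example (not from this writeup) that parses the field out of a raw Kerberos AS-REQ. The message layout follows RFC 4120 (AS-REQ is `[APPLICATION 10] KDC-REQ`, with `cname [1] PrincipalName` inside `req-body [4]`, all explicitly tagged DER). The packet is constructed with the small encoder at the top; the realm EASYAS123.TECH is an assumed value for the exercise's easyas123[.]tech domain, and the kdc-options, nonce and till values are arbitrary. The parser also strips the 4-byte length prefix Kerberos uses over TCP, which is how the host-to-DC Kerberos in this capture was carried, and returns None for a TGS-REQ, where cname is absent.

```python
# Added example: extract the client principal (cname) and realm from a Kerberos KDC-REQ.
# Tag numbers below are from RFC 4120; the sample message is built here, not taken from the pcap.

def der(tag, content):
    """Encode one DER TLV (single-byte tag, short- or long-form length)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(nb)]) + nb
    return bytes([tag]) + length + content


SEQ, INT, BITSTR, GENSTR, GENTIME = 0x30, 0x02, 0x03, 0x1B, 0x18


def ctx(n):
    """Context-specific constructed tag [n]; Kerberos uses explicit tagging throughout."""
    return 0xA0 | n


def principal_name(name_type, parts):
    """PrincipalName ::= SEQUENCE { name-type [0] Int32, name-string [1] SEQUENCE OF KerberosString }"""
    return der(SEQ, der(ctx(0), der(INT, bytes([name_type])))
               + der(ctx(1), der(SEQ, b"".join(der(GENSTR, p.encode()) for p in parts))))


def build_kdc_req(realm, cname=None, msg_type=10):
    """Constructed AS-REQ (msg-type 10) or TGS-REQ (12). cname is OPTIONAL in KDC-REQ-BODY
    and a TGS-REQ omits it (the client is identified by the ticket in the AP-REQ pre-auth)."""
    body = der(ctx(0), der(BITSTR, b"\x00\x40\x81\x00\x10"))       # kdc-options (arbitrary flags)
    if cname is not None:
        body += der(ctx(1), principal_name(1, [cname]))           # NT-PRINCIPAL
    body += der(ctx(2), der(GENSTR, realm.encode()))              # realm
    body += der(ctx(3), principal_name(2, ["krbtgt", realm]))     # sname, NT-SRV-INST
    body += der(ctx(5), der(GENTIME, b"20370913024805Z"))         # till
    body += der(ctx(7), der(INT, b"\x12\x34\x56\x78"))            # nonce
    body += der(ctx(8), der(SEQ, der(INT, b"\x12")))              # etype: aes256-cts-hmac-sha1-96
    app_tag = 0x60 | msg_type                                     # [APPLICATION 10] -> 0x6a
    return der(app_tag, der(SEQ, der(ctx(1), der(INT, b"\x05"))   # pvno 5
                            + der(ctx(2), der(INT, bytes([msg_type])))
                            + der(ctx(4), der(SEQ, body))))


def read_tlv(buf, pos=0):
    """Return (tag, content, next_pos). Kerberos tag numbers are all below 31, so tags are one byte."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nb = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nb], "big")
        pos += nb
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length


def children(content):
    """Split a constructed element's content into its (tag, content) members, in order."""
    out, pos = [], 0
    while pos < len(content):
        tag, val, pos = read_tlv(content, pos)
        out.append((tag, val))
    return out


def unwrap(tagged):
    """Content of the single element wrapped by an explicitly tagged field."""
    return read_tlv(tagged)[1]


def kerberos_client(msg):
    """Return (cname, realm) from an AS-REQ or TGS-REQ, or None when the request carries no cname.
    Accepts the 4-byte big-endian length prefix used for Kerberos over TCP (RFC 4120 section 7.2.2)."""
    if len(msg) >= 4 and int.from_bytes(msg[:4], "big") == len(msg) - 4:
        msg = msg[4:]
    app_tag, kdc_req, _ = read_tlv(msg)
    if app_tag not in (0x6A, 0x6C):        # [APPLICATION 10] AS-REQ, [APPLICATION 12] TGS-REQ
        raise ValueError("not a KDC-REQ")
    fields = dict(children(unwrap(kdc_req)))
    body = dict(children(unwrap(fields[ctx(4)])))
    if ctx(1) not in body:
        return None
    pn = dict(children(unwrap(body[ctx(1)])))
    parts = [v.decode() for _, v in children(unwrap(pn[ctx(1)]))]
    realm = unwrap(body[ctx(2)]).decode()
    return "/".join(parts), realm


if __name__ == "__main__":
    pkt = build_kdc_req("EASYAS123.TECH", cname="brolf")
    print(kerberos_client(pkt))                                   # ('brolf', 'EASYAS123.TECH')
    print(kerberos_client(len(pkt).to_bytes(4, "big") + pkt))     # same, TCP-framed
    print(kerberos_client(build_kdc_req("EASYAS123.TECH", msg_type=12)))  # None
```

The `children` walk returns the fields in the order they appear, and the dict conversion keys them by context tag, so optional fields (cname, from-time, addresses) are simply absent rather than shifting later fields; that is why the parser checks for `ctx(1)` instead of indexing by position.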


Answers

  1. Q: What is the IP address of the infected Windows client? A: 10.2.28.88
  2. Q: What is the MAC address of the infected Windows client? A: 00:19:d1:b2:4d:ad
  3. Q: What is the host name of the infected Windows client? A: DESKTOP-TEYQ2NR
  4. Q: What is the user account name from the infected Windows client? A: brolf
  5. Q: What is the full name of the user from the user account? A: Becka Rolf

What I Learned

  • NetSupport Manager RAT C2 uses HTTP POST to /fakeurl.htm with form-URL-encoded payloads — a reliable Wireshark signature for this family.
  • Filtering directly on the C2 IP from a SIEM alert is the fastest path to identifying the infected host’s IP and MAC.
  • Kerberos cname fields in authentication traffic expose the domain username of the infected machine.
  • SAMR (DCE/RPC) requests to the domain controller can reveal the full display name mapped to a username without needing to crack credentials.
  • Enabling Wireshark’s name resolution is a quick win for mapping IPs to hostnames/domains mid-analysis.

Author: Royce Chua
Career changer with a background in physics and medicine, now working toward systems administration and network engineering. ISC2 Certified in Cybersecurity (CC), with Cisco CCNA studies in progress.