Rig Exploit Kit from 5.200.35.189 sends Bot [Updated]

NOTES:
Today I saw a Flash exploit which appears to be sending Bot malware. At present I have been unable to complete the infection chain, but I did capture the payload and associated traffic. I am unable to classify which Flash exploit kit this is.

UPDATE:
The Emerging Threats rule set identifies the Flash exploit as the Rig Exploit Kit.

Shown above: Snort with Emerging Threats rule set


ASSOCIATED DOMAINS:

  • 217.76.132.186 – talleresruiz.com – Redirect to LANDING PAGE
  • 5.200.35.189 – fe.wildwood-suites.com – GET /?xH6 – Rig EK LANDING PAGE
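The two indicators above form a short chain: a compromised site redirects the browser to the Rig EK landing page. The following is an added example (not code from the original post) that sweeps a proxy log for exactly those indicators and reports which clients completed the redirect-to-landing-page sequence. It assumes a simple space-separated log format of `timestamp client_ip dst_ip method host uri`; the log lines, client addresses and timestamps are constructed for the example, while the hosts, IPs and the `/?xH6` landing URI come from the list above.

```python
import re
from collections import defaultdict

# Indicators of compromise copied from the ASSOCIATED DOMAINS list above,
# mapped to the stage of the infection chain they represent.
IOC_HOSTS = {"talleresruiz.com": "redirect", "fe.wildwood-suites.com": "landing"}
IOC_IPS = {"217.76.132.186": "redirect", "5.200.35.189": "landing"}

# The landing page was requested as "GET /?xH6": a bare query of a few
# alphanumerics on the site root. Checked only for hits that already matched
# a landing host/IP, so it does not fire on ordinary sites by itself.
LANDING_URI = re.compile(r"^/\?[A-Za-z0-9]{2,8}$")

# Assumed (constructed) proxy log format:
#   <timestamp> <client_ip> <dst_ip> <method> <host> <uri>
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<dst>\S+)\s+"
    r"(?P<method>[A-Z]+)\s+(?P<host>\S+)\s+(?P<uri>\S+)$"
)

# Constructed sample traffic: private client IPs, a TEST-NET address and the
# timestamps are made up; the indicator hosts/IPs are those listed above.
SAMPLE_LOG = """\
2016-01-01T10:00:01 10.0.0.5 217.76.132.186 GET talleresruiz.com /index.html
2016-01-01T10:00:02 10.0.0.5 5.200.35.189 GET fe.wildwood-suites.com /?xH6
2016-01-01T10:00:09 10.0.0.7 203.0.113.10 GET example.com /about
2016-01-01T10:00:10 10.0.0.9 5.200.35.189 GET fe.wildwood-suites.com /?k2Pz
"""


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def scan_log(text):
    """Return one hit per log line whose host or destination IP is an indicator."""
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        # Match on the Host header first, then fall back to the destination IP,
        # so a request sent straight to the IP is still caught.
        stage = IOC_HOSTS.get(rec["host"].lower()) or IOC_IPS.get(rec["dst"])
        if stage is None:
            continue
        hits.append({
            "client": rec["client"],
            "host": rec["host"],
            "uri": rec["uri"],
            "stage": stage,
            # True when a landing-page hit also carries the short-query URI shape.
            "landing_uri": stage == "landing" and bool(LANDING_URI.match(rec["uri"])),
        })
    return hits


def infection_chains(hits):
    """Return clients that hit the redirect site and then the landing page, in order."""
    stages = defaultdict(list)
    for h in hits:
        stages[h["client"]].append(h["stage"])
    return sorted(
        client for client, seq in stages.items()
        if "redirect" in seq and "landing" in seq
        and seq.index("redirect") < seq.index("landing")
    )


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(f"{h['client']} -> {h['host']}{h['uri']} [{h['stage']}]")
    print("full redirect->landing chain:", infection_chains(found))
```

Clients that only touched the landing page (here `10.0.0.9`) are still reported as hits; they may have reached it through a redirect the proxy did not log, so they deserve the same follow-up as the full chain.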


IMAGES and DETAILS:

Shown above: Compromised site and first redirect page


Shown above: document.write redirect to Exploit landing page


Shown above: Packet capture of redirect page to Exploit landing page


Shown above: Packet 1280 shows the Flash exploit and packet 2010 shows the payload delivery


Shown above: Payload delivery from packet 2010


Shown above: During the infection chain, the user is presented with a pop-up asking to run a batch file


MALICIOUS PAYLOAD FROM EXPLOIT: