{
	"id": "c6582da1-6c1b-4e84-812e-3d3577160361",
	"created_at": "2026-04-06T00:20:10.39155Z",
	"updated_at": "2026-04-10T13:12:45.9852Z",
	"deleted_at": null,
	"sha1_hash": "3f55eba8a3b73dcae0c1444d0b5bc98cc8c142b8",
	"title": "Flame: Bunny, Frog, Munch and BeetleJuice…",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 242233,
	"plain_text": "Flame: Bunny, Frog, Munch and BeetleJuice…\r\nBy Alexander Gostev\r\nPublished: 2012-05-30 · Archived: 2026-04-05 22:27:59 UTC\r\nAs already mentioned in the previous blog post about Flame, the volume of its code and functionality is so great that a complete analysis will take several months. We plan to keep disclosing the most important and interesting details of its functionality in our publications as we uncover them.\r\nAt the moment we are receiving many inquiries about how to check systems for a Flame infection. Of course the simplest answer, for us, is to advise using Kaspersky Lab Antivirus or Internet Security. We successfully detect and delete all possible modifications of the main module and the extra components of Flame.\r\nHowever, for those who want to carry out a detailed check themselves, we give the necessary recommendations and advice at the end of this article.\r\nMSSECMGR.OCX\r\nThe main module of Flame is a DLL file called mssecmgr.ocx. We have discovered two modifications of this module. Most infected machines contained its “big” version, 6 MB in size, which carries and deploys additional modules. The smaller version is only 900 KB and contains no additional modules. 
After installation, the small module connects to one of the C\u0026C servers and tries to download and install the remaining components from there.\r\nMssecmgr may be called different names on actual infected machines, depending on the method of infection and the current internal state of the malware (installation, replication, upgrade), e.g., wavesup3.drv, ~zff042.ocx, msdclr64.ocx, etc.\r\nA complete analysis of the mssecmgr module will follow in our upcoming blog posts.\r\nThe first activation of this file is initiated by one of the external features: either Windows WMI tools using a MOF file if the MS10-061 exploit is used, or a BAT file:\r\ns1 = new ActiveXObject(\"Wscript.Shell\");\r\ns1.Run(\"%SYSTEMROOT%\\system32\\rundll32.exe msdclr64.ocx,DDEnumCallback\");\r\n(source code of the MOF file, svchostevt.mof)\r\nWhen activated, mssecmgr registers itself as a custom authentication package in the Windows registry:\r\nHKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\r\nAuthentication Packages = mssecmgr.ocx [added to existing entries]\r\nOn the next system boot, the module is loaded automatically by the operating system: the Local Security Authority (lsass.exe) loads every package listed in this REG_MULTI_SZ value at startup, so the DLL runs inside a privileged system process without any further trigger.\r\nhttps://securelist.com/flame-bunny-frog-munch-and-beetlejuice-2/32855/\r\nPage 1 of 7\r\nAfter updating the Windows registry, mssecmgr extracts any additional modules that are present in its encrypted and compressed resource section (resource “146”) and installs them. 
The resource is a dictionary that contains configuration options for mssecmgr and other modules, the modules themselves (DLL files), and the parameters that need to be passed to these modules to load them properly, i.e., decryption keys.\r\nWe are analyzing the additional modules and will provide more information about their functionality in coming blog posts.\r\nWhen installation is completed, mssecmgr loads the available modules and starts several execution threads that implement a channel to the C\u0026C servers, a Lua interpreter host, and other features, depending on the configuration. The functionality of the module is separated into different “units” that have different namespaces in the configuration resource and distinct names in log messages, which are used extensively throughout the code.\r\nHere is a brief overview of the available units. The names were extracted from the binary and the 146 resource.\r\nBeetlejuice - Bluetooth: enumerates devices around the infected machine. May turn itself into a “beacon”: announces the computer as a discoverable device and encodes the status of the malware in the device information using base64.\r\nMicrobe - Records audio from existing hardware sources. Lists all multimedia devices, stores the complete device configuration, and tries to select a suitable recording device.\r\nInfectmedia - Selects one of the methods for infecting media, i.e., USB disks. Available methods: Autorun_infector, Euphoria.\r\nAutorun_infector - Creates an “autorun.inf” that contains the malware and starts it with a custom “open” command. The same method was used by Stuxnet before it employed the LNK exploit.\r\nEuphoria - Creates a “junction point” directory with “desktop.ini” and “target.lnk” from the LINK1 and LINK2 entries of resource 146 (these were not present in the resource file). The directory acts as a shortcut for launching Flame.\r\nLimbo - Creates backdoor accounts with the login “HelpAssistant” on machines within the network domain if appropriate rights are available.\r\nFrog - Infects machines using pre-defined user accounts. The only user account specified in the configuration resource is “HelpAssistant”, which is created by the “Limbo” attack.\r\nMunch - HTTP server that responds to “/view.php” and “/wpad.dat” requests.\r\nSnack - Listens on network interfaces, receives NBNS packets and saves them in a log file. Has an option to start only when “Munch” is started. The collected data is then used for replicating over the network.\r\nBoot_dll_loader - Configuration section that contains the list of all additional modules that should be loaded and started.\r\nWeasel - Creates a directory listing of the infected computer.\r\nBoost - Creates a list of “interesting” files using several filename masks.\r\nTelemetry - Logging facilities.\r\nGator - When an Internet connection becomes available, connects to the C\u0026C servers, downloads new modules, and uploads collected data.\r\nSecurity - Identifies programs that may be hazardous to Flame, i.e., anti-virus programs and firewalls.\r\nBunny, Dbquery, Driller, Headache, Gadget - The purpose of these modules is not yet known.\r\nAdditional modules are installed in the %windir%\\system32 directory:\r\nmssecmgr.ocx\r\nadvnetcfg.ocx\r\nmsglu32.ocx\r\nnteps32.ocx\r\nsoapr32.ocx\r\nccalc32.sys\r\nboot32drv.sys\r\nAdditional modules downloaded from the C\u0026C servers are installed in the same directory.\r\nThe modules of the Flame malware produce a lot of data files that contain extensive execution logs, plus the collected information: screenshots, lists of processes, hardware listings, etc.\r\nThe files are saved in the %windir%\\temp directory using the following 
names:\r\n~DEB93D.tmp\r\n~8C5FF6C.tmp\r\n~DF05AC8.tmp\r\n~DFD85D3.tmp\r\n~DFL*.tmp\r\n~dra*.tmp\r\n~fghz.tmp\r\n~HLV*.tmp\r\n~KWI988.tmp\r\n~KWI989.tmp\r\n~rei524.tmp\r\n~rei525.tmp\r\n~rf288.tmp\r\n~rft374.tmp\r\n~TFL848.tmp\r\n~TFL849.tmp\r\n~mso2a0.tmp\r\n~mso2a1.tmp\r\n~mso2a2.tmp\r\nsstab*.dat\r\nThere are also optional files that can be found in the %windir%\\system32 directory:\r\nAdvpck.dat\r\nntaps.dat\r\nRpcnc.dat\r\nAlso, in %windir%:\r\nEf_trace.log\r\nFlame stores its persistent data in files using different formats. All data is encrypted using several algorithms and keys. Some of the files are databases created using a built-in SQLite3 library. These databases contain data produced by both the data-stealing and the replication routines. We will provide more information about these files in later publications.\r\nThe directory names used by the additional components of Flame may differ slightly depending on the type of installation and the configuration options from resource 146:\r\nC:\\Program Files\\Common Files\\Microsoft Shared\\MSSecurityMgr\r\nC:\\Program Files\\Common Files\\Microsoft Shared\\MSAudio\r\nC:\\Program Files\\Common Files\\Microsoft Shared\\MSAuthCtrl\r\nC:\\Program Files\\Common Files\\Microsoft Shared\\MSSndMix\r\nThese directories may contain the following files:\r\ndstrlog.dat\r\nlmcache.dat\r\nmscrypt.dat (or wpgfilter.dat)\r\nntcache.dat\r\nrccache.dat (or audfilter.dat)\r\nssitable (or audache)\r\nsecindex.dat\r\nwavesup3.drv (a copy of the main module, mssecmgr.ocx, in the MSAudio directory)\r\nFlame can also produce or download files with the following 
names:\r\nsvchost1ex.mof\r\nSvchostevt.mof\r\nfrog.bat\r\nnetcfgi.ocx\r\nauthpack.ocx\r\n~a29.tmp\r\nrdcvlt32.exe\r\nto961.tmp\r\nauthcfg.dat\r\nWpab32.bat\r\nctrllist.dat\r\nwinrt32.ocx\r\nwinrt32.dll\r\nscsec32.exe\r\ngrb9m2.bat\r\nwinconf32.ocx\r\nwatchxb.sys\r\nsdclt32.exe\r\nscaud32.exe\r\npcldrvx.ocx\r\nmssvc32.ocx\r\nmssui.drv\r\nmodevga.com\r\nindsvc32.ocx\r\ncomspol32.ocx\r\ncomspol32.dll\r\nbrowse32.ocx\r\nAs a consequence, we can provide a method for a quick “manual” check of your systems for the presence of a Flame infection:\r\n1. Search for the file ~DEB93D.tmp. Its presence on a system means that it either is or has been infected by Flame.\r\n2. Check the registry value HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Authentication Packages. If you find mssecmgr.ocx or authpack.ocx in there, you are infected with Flame. Any other unexpected entry in this value also deserves a look: on a default installation it contains only msv1_0.\r\n3. Check for the presence of the following directories. If present, you are infected.\r\nC:\\Program Files\\Common Files\\Microsoft Shared\\MSSecurityMgr\r\nC:\\Program Files\\Common Files\\Microsoft Shared\\MSAudio\r\nC:\\Program Files\\Common Files\\Microsoft Shared\\MSAuthCtrl\r\nC:\\Program Files\\Common Files\\Microsoft Shared\\MSSndMix\r\n4. Search for the rest of the filenames given above. All of them are quite unique, and finding any of them means there is a strong possibility of an infection with Flame.\r\nP.S. We have checked the information suggested in the comments on our blog post regarding a possible relation to FLAME (Flexible Lightweight Active Measurement Environment) software from Brazil.\r\nInterestingly, the name we picked fully matches that software, which also uses Lua for implementing its business logic. The FLAME software is used to measure network characteristics by deploying measurement agents and collecting data in a central database. 
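Returning to the four-step manual check above: the Python script below is an added example, not code from the original Securelist post or from Kaspersky Lab, that runs the same checks offline over artifacts collected from a host, namely a path listing (for instance the output of dir /s /b) and the Authentication Packages value as a list of strings (what winreg.QueryValueEx returns for a REG_MULTI_SZ on a live host). The sample inputs at the bottom are constructed, not real collection data. Matching the staging directories by their tail under Common Files\\Microsoft Shared, rather than by the full C:\\Program Files path, is an assumption that goes slightly beyond the post so that a non-default Program Files root is still caught; the verdict logic follows the post exactly.

```python
# Added example (not code from the Securelist post): offline triage of data
# collected from a Windows host against the Flame indicators listed above.
# Inputs: (a) a list of absolute paths, e.g. the output of 'dir /s /b';
# (b) the REG_MULTI_SZ value HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa
#     \\Authentication Packages as a list of strings.
import fnmatch
import ntpath

# File names from the post. '*' is a wildcard, as in the post's own list.
FLAME_FILENAMES = [
    'mssecmgr.ocx', 'advnetcfg.ocx', 'msglu32.ocx', 'nteps32.ocx', 'soapr32.ocx',
    'ccalc32.sys', 'boot32drv.sys', '~DEB93D.tmp', '~8C5FF6C.tmp', '~DF05AC8.tmp',
    '~DFD85D3.tmp', '~DFL*.tmp', '~dra*.tmp', '~fghz.tmp', '~HLV*.tmp',
    '~KWI988.tmp', '~KWI989.tmp', '~rei524.tmp', '~rei525.tmp', '~rf288.tmp',
    '~rft374.tmp', '~TFL848.tmp', '~TFL849.tmp', '~mso2a0.tmp', '~mso2a1.tmp',
    '~mso2a2.tmp', 'sstab*.dat', 'Advpck.dat', 'ntaps.dat', 'Rpcnc.dat',
    'Ef_trace.log', 'dstrlog.dat', 'lmcache.dat', 'mscrypt.dat', 'wpgfilter.dat',
    'ntcache.dat', 'rccache.dat', 'audfilter.dat', 'ssitable', 'audache',
    'secindex.dat', 'wavesup3.drv', 'svchost1ex.mof', 'Svchostevt.mof', 'frog.bat',
    'netcfgi.ocx', 'authpack.ocx', '~a29.tmp', 'rdcvlt32.exe', 'to961.tmp',
    'authcfg.dat', 'Wpab32.bat', 'ctrllist.dat', 'winrt32.ocx', 'winrt32.dll',
    'scsec32.exe', 'grb9m2.bat', 'winconf32.ocx', 'watchxb.sys', 'sdclt32.exe',
    'scaud32.exe', 'pcldrvx.ocx', 'mssvc32.ocx', 'mssui.drv', 'modevga.com',
    'indsvc32.ocx', 'comspol32.ocx', 'comspol32.dll', 'browse32.ocx',
]
# The post treats this file alone as proof of (past or present) infection.
STRONG_FILENAMES = {'~deb93d.tmp'}
FLAME_AUTH_PACKAGES = {'mssecmgr.ocx', 'authpack.ocx'}
# Staging directories, matched by their tail (assumption: covers hosts whose
# Program Files root is not C:\\Program Files).
FLAME_DIRS = [
    r'Common Files\\Microsoft Shared\\MSSecurityMgr',
    r'Common Files\\Microsoft Shared\\MSAudio',
    r'Common Files\\Microsoft Shared\\MSAuthCtrl',
    r'Common Files\\Microsoft Shared\\MSSndMix',
]


def normalize(path):
    # Collapse separators and case: Windows paths compare case-insensitively.
    return ntpath.normpath(path).lower()


def match_filename(path):
    # Returns the matching indicator pattern, or None.
    name = ntpath.basename(normalize(path))
    for pattern in FLAME_FILENAMES:
        if fnmatch.fnmatchcase(name, pattern.lower()):
            return pattern
    return None


def match_directory(path):
    # Returns the staging directory the path is, or lies under, or None.
    haystack = normalize(path) + ntpath.sep
    for d in FLAME_DIRS:
        if ntpath.sep + normalize(d) + ntpath.sep in haystack:
            return d
    return None


def check_auth_packages(values):
    # Flame registers its DLL by file name; legitimate entries (msv1_0, ...)
    # are bare package names. Only the post's two names are flagged here.
    return [v for v in values if ntpath.basename(v).lower() in FLAME_AUTH_PACKAGES]


def triage(paths, auth_packages):
    # Returns a list of (kind, evidence, indicator) tuples.
    findings = [('registry', v, 'Authentication Packages')
                for v in check_auth_packages(auth_packages)]
    for p in paths:
        d = match_directory(p)
        if d:
            findings.append(('directory', p, d))
        f = match_filename(p)
        if f:
            findings.append(('file', p, f))
    return findings


def verdict(findings):
    # Mirrors the post: registry entry, staging directory or ~DEB93D.tmp
    # means infected; any other listed name is a strong suspicion only.
    for kind, _, indicator in findings:
        if kind in ('registry', 'directory') or indicator.lower() in STRONG_FILENAMES:
            return 'infected'
    return 'suspected' if findings else 'clean'


# Constructed sample collection (not real host data).
SAMPLE_PATHS = [
    r'C:\\WINDOWS\\temp\\~DEB93D.tmp',
    r'C:\\WINDOWS\\temp\\~DFL512.tmp',
    r'C:\\WINDOWS\\temp\\~DF1234.tmp',  # Office-style temp name, must not match
    r'C:\\WINDOWS\\system32\\mssecmgr.ocx',
    r'C:\\Program Files\\Common Files\\Microsoft Shared\\MSAudio\\wavesup3.drv',
    r'C:\\Program Files\\Common Files\\Microsoft Shared\\Office10\\mso.dll',
    r'C:\\WINDOWS\\system32\\kernel32.dll',
]
SAMPLE_AUTH_PACKAGES = ['msv1_0', 'mssecmgr.ocx']

if __name__ == '__main__':
    hits = triage(SAMPLE_PATHS, SAMPLE_AUTH_PACKAGES)
    for hit in hits:
        print(hit)
    print('verdict:', verdict(hits))
```

With the constructed sample the script reports six findings (the registry entry, three dropped-file names, and the MSAudio directory plus the wavesup3.drv copy inside it) and the verdict infected; the Office-style ~DF1234.tmp is ignored because it matches none of the listed patterns. A host that shows only a name from the long list, such as ~KWI988.tmp, is reported as suspected rather than infected, which is the distinction the post itself draws between steps 1 to 3 and step 4.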
Despite some similarities, we think that this software is unrelated, as it serves different objectives. Besides the Lua engine, the core of communication in FLAME is the XMPP protocol, which is not used in the Flame malware.\r\nThe authors might have been inspired by the FLAME project and re-implemented a similar architecture for a different goal, or this is all just a coincidence. We don’t have any other reason to think that it is somehow related to the Flame malware.\r\nSource: https://securelist.com/flame-bunny-frog-munch-and-beetlejuice-2/32855/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://securelist.com/flame-bunny-frog-munch-and-beetlejuice-2/32855/"
	],
	"report_names": [
		"32855"
	],
	"threat_actors": [],
	"ts_created_at": 1775434810,
	"ts_updated_at": 1775826765,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3f55eba8a3b73dcae0c1444d0b5bc98cc8c142b8.pdf",
		"text": "https://archive.orkl.eu/3f55eba8a3b73dcae0c1444d0b5bc98cc8c142b8.txt",
		"img": "https://archive.orkl.eu/3f55eba8a3b73dcae0c1444d0b5bc98cc8c142b8.jpg"
	}
}