TinkyWinkey is a Windows keylogger composed of a service (svc.exe) and a keylogger payload (winkey.exe / keylogger.dll). It achieves persistence via a Windows service, injects a DLL into trusted processes, and captures keystrokes (including Unicode and media keys) alongside detailed system profiling. The components, first observed June 24–25, 2025, are svc.exe, winkey.exe, and keylogger.dll, each identified by its SHA-256 hash.
Key points
- TinkyWinkey uses a dual-component design: a Windows service (Tinky/svc.exe) that manages lifecycle and launches the keylogger payload in the active user session.
- The keylogger (winkey.exe / keylogger.dll) installs low-level keyboard hooks (WH_KEYBOARD_LL) to capture all keystrokes, including special keys, media keys, and Unicode across multiple keyboard layouts.
- It performs extensive system reconnaissance: CPU vendor/brand via CPUID, OS version via RtlGetVersion, RAM via GlobalMemoryStatusEx, and local IP via Winsock functions.
- Persistence and stealth are achieved through automatic service registration, CreateProcessAsUser to run in user context, hidden windows (SW_HIDE), and DLL injection into trusted processes (explorer.exe) using VirtualAllocEx/WriteProcessMemory/CreateRemoteThread/LoadLibraryW.
- Logs are written to a temp file (Logs_tw.txt / logs_tw.txt) in UTF-8 with timestamps and foreground window tracking (WinEventHook EVENT_SYSTEM_FOREGROUND) to correlate keystrokes with application context.
- Static and dynamic behaviors include reliable payload verification, error/status logging by the loader, and cleanup of hooks on exit to reduce instability and detection artifacts.
- Detected IOCs include three SHA-256 hashes for svc.exe, winkey.exe, and keylogger.dll; YARA rule provided for detection by SHA-256.
MITRE Techniques
- [T1059] Command and Scripting Interpreter – used for execution and service lifecycle management (report lists T1059 under Execution).
- [T1129] Shared Modules – shared components usage for keylogger DLL and loader coordination (“Shared Modules” listed in Execution).
- [T1569.002] Service Execution – service is registered and used to launch winkey.exe in user session (“svc.exe registers a malicious Windows service named ‘Tinky’… automatic startup type”).
- [T1218.011] System Binary Proxy Execution: Rundll32 – referenced as a technique in the report under Execution/Defense Evasion (T1218.011 appears in MITRE list).
- [T1543.003] Create or Modify System Process: Windows Service – the malware creates/modifies a Windows service named “Tinky” for persistence (“svc.exe registers a malicious Windows service named ‘Tinky’… automatic startup”).
- [T1055.003] Process Injection: Thread Execution Hijacking – loader performs DLL injection into explorer.exe using VirtualAllocEx, WriteProcessMemory, CreateRemoteThread/LoadLibraryW (“loader allocates memory inside the target process… creates a remote thread”).
- [T1620] Reflective Code Loading – listed under Defense Evasion in the MITRE mapping as used by the malware (T1620 in framework list).
- [T1497] Virtualization/Sandbox Evasion – included in MITRE mapping as a defense evasion technique used by the sample (“T1497 Virtualization/Sandbox Evasion”).
- [T1057] Process Discovery – the malware enumerates processes to find the target PID, e.g. explorer.exe (“FindTargetPID identifies PID of the target process (explorer.exe)”).
- [T1082] System Information Discovery – collects OS version via RtlGetVersion and other system info (“get_windows_info() leverages RtlGetVersion… collects OS version, build number”).
- [T1083] File and Directory Discovery – accesses the temp directory via GetTempPathW and checks that the log/payload files exist (“retrieves system’s temporary directory by calling GetTempPathW()… verifies keylogger.dll exists”).
- [T1518] Software Discovery – collects installed software information (listed under Discovery in MITRE table).
- [T1518.001] Security Software Discovery – listed in MITRE mapping as software/security discovery activity.
- [T1614.001] System Location Discovery: System Language – tracks keyboard layout changes and logs the HKL to identify the language (“monitors the active keyboard layout (HKL) … logs the new layout”).
- [T1056.001] Input Capture: Keylogging – captures keystrokes via the low-level keyboard hook WH_KEYBOARD_LL and logs characters and special keys (“installs a low-level keyboard hook (WH_KEYBOARD_LL) that captures all keystrokes”).
- [T1489] Service Stop – listed under Impact for potential service stop activity (T1489 in MITRE table).
Indicators of Compromise
- [File Hash] Malware components – fe6a696e7012696f2e94a4d31b2f076f32c71d44e4c3cec69a6984ef0b81838a (svc.exe), 7834a64c39f85db5f073d76ddb453c5e23ad18244722d6853986934b750259fd (winkey.exe)
- [File Hash] Malicious DLL – eb6752e60170199e4ce4d5de72fb539f807332771e1a668865aac1eee2c01d93 (keylogger.dll)
- [File Name] Log file – temporary log file names used by the malware: Logs_tw.txt / logs_tw.txt, written to %TEMP% (context: persistent keystroke and system logs)
- [Service Name] Persistence – Windows service named “Tinky” created by svc.exe with automatic startup (context: service-based persistence)
- [Process Name] Injection target – explorer.exe identified as the target for DLL injection (context: loader finds the PID of explorer.exe for remote injection)
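Detection logic for the indicators and behaviours listed above, as an added example that is not part of the CYFIRMA report: it correlates, per host, the “Tinky” service installation, a remote thread started in explorer.exe at LoadLibraryW, the Logs_tw.txt / logs_tw.txt file appearing under a Temp directory, and the three published SHA-256 hashes. The event records are constructed and simplified (Sysmon-like field names joined by “|”), and the rule names and the weak/strong weighting are this example’s own assumptions.

```python
import ntpath
from collections import defaultdict

# Indicators quoted from the report above: SHA-256 hashes, service name, log file, injection target.
TW_SHA256 = {
    "fe6a696e7012696f2e94a4d31b2f076f32c71d44e4c3cec69a6984ef0b81838a": "svc.exe",
    "7834a64c39f85db5f073d76ddb453c5e23ad18244722d6853986934b750259fd": "winkey.exe",
    "eb6752e60170199e4ce4d5de72fb539f807332771e1a668865aac1eee2c01d93": "keylogger.dll",
}
TW_SERVICE = "tinky"        # service created by svc.exe
TW_LOGFILE = "logs_tw.txt"  # report lists Logs_tw.txt / logs_tw.txt, so compare case-insensitively
TW_INJECT_TARGET = "explorer.exe"
WEAK = "remote_thread_explorer_loadlibraryw"  # also seen in benign software; not enough on its own

# Constructed, simplified endpoint events ('key=value' fields joined by '|'), not real telemetry.
SAMPLE_EVENTS = [
    r"host=WS01|event=ServiceInstall|ServiceName=Tinky|StartType=auto|ImagePath=C:\Users\a\AppData\Local\Temp\svc.exe",
    r"host=WS01|event=CreateRemoteThread|SourceImage=C:\Users\a\AppData\Local\Temp\winkey.exe|TargetImage=C:\Windows\explorer.exe|StartFunction=LoadLibraryW",
    r"host=WS01|event=FileCreate|TargetFilename=C:\Users\a\AppData\Local\Temp\Logs_tw.txt",
    r"host=WS01|event=ImageLoad|ImageLoaded=C:\Users\a\AppData\Local\Temp\keylogger.dll|SHA256=EB6752E60170199E4CE4D5DE72FB539F807332771E1A668865AAC1EEE2C01D93",
    r"host=WS02|event=CreateRemoteThread|SourceImage=C:\Windows\System32\csrss.exe|TargetImage=C:\Windows\explorer.exe|StartFunction=LoadLibraryW",
    r"host=WS02|event=FileCreate|TargetFilename=C:\Users\b\Documents\logs_tw.txt",  # same name, not in %TEMP%
]

def match_event(ev):
    """Return the name of the TinkyWinkey indicator this event matches, or None."""
    kind = ev.get("event")
    if kind == "ServiceInstall" and ev.get("ServiceName", "").lower() == TW_SERVICE:
        return "service_tinky"
    if (kind == "CreateRemoteThread" and ev.get("StartFunction") == "LoadLibraryW"
            and ntpath.basename(ev.get("TargetImage", "")).lower() == TW_INJECT_TARGET):
        return WEAK
    path = ev.get("TargetFilename", "") if kind == "FileCreate" else ""
    if ntpath.basename(path).lower() == TW_LOGFILE and "\\temp\\" in path.lower():
        return "tw_logfile_in_temp"
    sha = ev.get("SHA256", "").lower()  # hash fields are often upper-case in telemetry
    return "known_hash_" + TW_SHA256[sha] if sha in TW_SHA256 else None

def scan_events(lines):
    hits = defaultdict(set)  # host -> set of indicator names seen in its events
    for line in lines:
        ev = dict(f.split("=", 1) for f in line.split("|") if "=" in f)
        name = match_event(ev)
        if name:
            hits[ev.get("host", "?")].add(name)
    return dict(hits)

def flagged_hosts(lines):
    """Flag a host on any indicator other than the weak remote-thread signal alone."""
    return sorted(h for h, names in scan_events(lines).items() if names - {WEAK})
```

Running it on the constructed events flags only WS01; WS02 shows the remote-thread signal alone and a same-named file outside Temp, which the weighting and the path check deliberately ignore.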
Read more: https://www.cyfirma.com/research/tinkywinkey-keylogger/