Aleph – OpenSource Malware Analysis Pipeline System.

Aleph is designed to pipeline the analysis of malware samples. It has a series of collectors that gather samples from many sources and push them into the pipeline. The sample manager then runs a series of plugins against each sample, and each plugin returns the data it finds in JSON form.

This JSON data can then be processed and queried in a structured way instead of by grepping and regexing.

Currently implemented:
– Collectors
— FileCollector: grabs samples from a local directory
— MailCollector: grabs samples from email attachments in an IMAP folder
– Plugins
— PEInfo: extracts info from PE files such as the entry point, number of sections and some PE characteristics (SEH/ASLR/DEP).
— ZipArchivePlugin: extracts zip files and puts their contents back into the analysis queue.
— StringsPlugin: extracts strings from the sample into three categories: All Strings, URI Strings and Filename Strings (not 100% accurate, but we do our best).
— VirustotalPlugin: checks the sample's SHA256 hash against the VirusTotal database and retrieves the report. If that hash is unknown, the file is submitted for analysis.
— TrID: checks the file type of a sample.
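As an added illustration of what a plugin in this pipeline does (example code written for this page, not Aleph's own plugin code or API): a minimal strings plugin that reproduces the three StringsPlugin categories and returns its findings as a JSON-serialisable dict. The sample bytes are constructed, and the URI and filename patterns are hypothetical heuristics standing in for whatever the real plugin uses.

```python
import json
import re

# Constructed stand-in for a sample's raw bytes (not a real malware sample).
SAMPLE = (
    b"\x00\x01MZ\x90\x00"
    b"http://example.invalid/payload.bin\x00"
    b"C:\\Windows\\Temp\\dropper.exe\x00"
    b"ab\x00"                       # too short to count as a string
    b"kernel32.dll\x00"
    b"Just a plain string\x00"
)

MIN_LEN = 4
# Hypothetical heuristics, standing in for whatever the real plugin uses.
URI_RE = re.compile(r"^[a-z][a-z0-9+.-]*://\S+$", re.I)
FILENAME_RE = re.compile(r"(?:^|[\\/])[\w.-]+\.[a-z]{2,4}$", re.I)


def extract_strings(data, min_len=MIN_LEN):
    """Return every run of at least min_len printable ASCII bytes."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def classify_strings(strings):
    """Split strings into the three buckets the StringsPlugin reports.
    Purely heuristic (as the page says, "not 100%"): a version number
    such as '1.0' would not match, but 'readme.txt' and '1.exe' would."""
    uris = [s for s in strings if URI_RE.match(s)]
    filenames = [s for s in strings if s not in uris and FILENAME_RE.search(s)]
    return {
        "all_strings": strings,
        "uri_strings": uris,
        "filename_strings": filenames,
    }


def run_plugin(data):
    """Plugin entry point: sample bytes in, JSON-serialisable dict out."""
    return classify_strings(extract_strings(data))


if __name__ == "__main__":
    # The JSON form is what later stages query instead of grepping.
    print(json.dumps(run_plugin(SAMPLE), indent=2))
```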

Requirements – For a clean install, you should first download the following requirements:



Preparing your Environment
To keep your environment organised, we will install Aleph under the /opt/ directory.

Copy the settings file:


First, if you don’t have an Elasticsearch instance ready, you must install one.

For an easy installation (including the JVM), do:

Ubuntu:

Debian:

Alternatively, Debian/Ubuntu/RedHat/Fedora/CentOS (apt and yum) users can follow the official Elasticsearch installation guide.

** Remember: Elasticsearch runs on the JVM, so you must also install **

Python modules
We strongly suggest using a Python virtual environment so you don’t pollute the rest of your OS installation with Python modules. To create a contained virtual environment, install virtualenv with pip:

Go to the desired Aleph installation folder and type the following to create and activate your virtual environment:

The environment name (venv) will then appear in your prompt (PS1):

All required Python modules are listed in the requirements.txt file in the repository root. You can install all of them at once using pip:

To change the sample source directory, edit your settings and add a local source (a folder where Aleph will search for samples); by default we create the “uploads” directory. WARNING: ALEPH WILL MOVE THE SAMPLE, THUS REMOVING IT FROM THE ORIGINAL FOLDER. The folder must already exist, as Aleph won’t try to create it.

Review your Elasticsearch installation URI

With the virtual environment activated, give execute permission to bin/ and run it as follows:

And that’s it. For troubleshooting, check the logs under log/aleph.log.

Install the Web interface (Webui)
Edit the “SERVER_NAME” constant in your file, e.g. SERVER_NAME = ‘’. Then change the following parameters to your own key (a key that only you know):

In another terminal window, activate the virtual environment:

Setup your database:

Give it execute permission and run the webui script:

To access the web interface, open your favourite browser at http://SERVER_NAME:5000 (the value you changed above; by default it is http://localhost:5000).

Note: for the sake of security, CHANGE YOUR PASSWORD! Done!
