AI-powered malware analysis and threat intelligence for Ghidra
A focused suite of helpers for malware analysis and reverse engineering: triage, capability detection, threat intel, string recovery, renaming, and reporting—all from one launcher with a consistent UI and clickable output.
AskJOE 3.0 extends the original AskJOE project from a single AI-powered function analyzer into a full malware analysis suite. Built on Ghidra and LLM integration (OpenAI or Claude), it adds specialized modules for behaviour understanding, threat intelligence, and reverse-engineering workflows—all with a single launcher and shared configuration.
Requirements
Ghidra with Python scripting (PyGhidra; Ghidra 10+).
Python 3.x (the interpreter used by Ghidra for scripts).
Network access for AI-backed tools and threat-intel/sandbox APIs (if enabled).
Install Python dependencies from the project root:
```bash
pip install -r AskJOE/requirements.txt
```
Installation
Clone or copy the repo
Put AskJOE.py and the AskJOE/ folder into your Ghidra script directory (e.g. ghidra_scripts), or any path already in Ghidra’s script paths.
Configure API keys and options
Use AskJOE/config.example.ini as a template if provided, or edit AskJOE/config.ini.
Set AI provider, model, and API keys ([AI], [API_KEYS]).
Set threat-intel keys as needed ([VIRUSTOTAL], [OTX], etc.).
Adjust CAPA and other tool options if required.
Run AskJOE in Ghidra
Window > Script Manager > add your script directory if needed.
Find AskJOE.py (e.g. under SecurityJOES).
Double-click to run; the AskJOE window opens.
Main components
| Component | Description |
| --- | --- |
| AskJOE launcher (AskJOE.py) | Central entry point run from Ghidra’s Script Manager. Opens a tabbed window with Analysis (all tools) and Config (settings from config.ini). |
Run AskJOE.py once to open the launcher.
Use the Analysis tab to select and run any tool; results appear in the same window with styled HTML and clickable addresses.
Use the Config tab to adjust API keys and options without editing config.ini by hand.
Tool overview
Tools are grouped below by role. All support clickable addresses in the output where applicable (click to jump in the Listing/Decompiler).
AI and explanation
| Tool | Goal |
| --- | --- |
| AI Triage | First-pass understanding: likely behaviour, IOCs, ATT&CK-style techniques. Structured HTML report; “light” or “deep” mode in config.ini. |
| Explain Function | Explains the function at the cursor using decompiler output. Click Run; the result opens in a new window. Tab shows status only. |
| Ask AI | Chat about the current binary. Presets for malware/vuln research; macros #func, #addr, #strings, #imports. Buttons to create bookmarks and comments from the latest answer. |
Renaming and simplification
| Tool | Goal |
| --- | --- |
| Rename Helper | Rename functions and variables from one window. Uses live Code Browser cursor; Refresh then Suggest; apply selected or all. Handles params, locals, and decompiler-generated names. |
| Function Simplifier | Simplified view of the decompiled function; syntax-highlighted, IDE-like output. |
Capability and threat intelligence
| Tool | Goal |
| --- | --- |
| CAPA Analysis | Runs Mandiant capa on the binary and imports results into Ghidra (symbols/comments). HTML report in AskJOE style. |
| Threat Intelligence Analyzer | Aggregates OSINT (VirusTotal, Hybrid Analysis, OTX, Malware Bazaar, Intezer, Any.Run, Triage, X-Force, etc.). Single HTML view; per-service status and rate-limit handling. |
Detection and recovery
| Tool | Goal |
| --- | --- |
| Crypto Detector | Finds crypto-related code and constants (encryption/hashing candidates). |
| XOR Searcher | Identifies and decodes XOR-obfuscated data; filters noise; clickable addresses. Includes a short “How to read this” legend. |
| Stack Strings Detector | Recovers stack-constructed strings; table output tuned for malware workflows. |
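The two detection techniques behind Crypto Detector and XOR Searcher, shown as an added example in plain Python (this is not AskJOE's own code; the constant table, the indicator-token noise filter and the sample buffer are constructed for illustration). Inside Ghidra the bytes would be read from program memory and the offsets turned into clickable addresses; here the buffer is built inline so the script runs offline.

```python
"""Added example, not part of AskJOE: known-constant scanning and single-byte
XOR string recovery over a constructed byte buffer."""
import struct

# Public algorithm constants whose presence usually marks hashing, CRC or AES
# code. Deliberately short; a real detector carries a much longer table.
CRYPTO_CONSTANTS = {
    "MD5/SHA-1 state init A": 0x67452301,
    "SHA-256 H0": 0x6A09E667,
    "CRC-32 reflected polynomial": 0xEDB88320,
    "AES S-box first 4 bytes": b"\x63\x7c\x77\x7b",
}


def find_crypto_constants(buf):
    """Return sorted (offset, label) pairs for every known constant in buf.
    32-bit values are searched in both little- and big-endian encodings."""
    hits = []
    for label, value in CRYPTO_CONSTANTS.items():
        if isinstance(value, bytes):
            patterns = [value]
        else:
            patterns = [struct.pack("<I", value), struct.pack(">I", value)]
        for pat in patterns:
            idx = buf.find(pat)
            while idx >= 0:
                hits.append((idx, label))
                idx = buf.find(pat, idx + 1)
    return sorted(hits)


def xor_single_byte(data, key):
    """XOR every byte with a single-byte key (symmetric: decode == encode)."""
    return bytes(b ^ key for b in data)


def printable_runs(data, min_len):
    """Return (offset, bytes) for each run of at least min_len printable ASCII bytes."""
    runs, start = [], None
    for i, b in enumerate(data):
        if 0x20 <= b <= 0x7E:
            if start is None:
                start = i
        else:
            if start is not None and i - start >= min_len:
                runs.append((start, data[start:i]))
            start = None
    if start is not None and len(data) - start >= min_len:
        runs.append((start, data[start:]))
    return runs


# Tokens that make a decoded run worth reporting. Every key turns some bytes
# into printable garbage, so a run without an indicator is treated as noise.
INDICATORS = (b"http", b".dll", b".exe", b"kernel32", b"user32", b"temp")


def recover_xor_strings(buf, min_len=6):
    """Try every single-byte key and keep only decoded printable runs that
    contain an indicator token. Returns (key, offset, text) triples."""
    found = []
    for key in range(1, 256):
        decoded = xor_single_byte(buf, key)
        for off, run in printable_runs(decoded, min_len):
            if any(tok in run.lower() for tok in INDICATORS):
                found.append((key, off, run.decode("ascii")))
    return found


# Constructed sample buffer (not a real binary): fake MZ header, a SHA-256
# constant in little-endian form, a URL XORed with key 0xAB, then the first
# bytes of the AES S-box.
_HIDDEN_URL = b"http://c2.example.net/loader.exe"
SAMPLE = (
    b"\x4d\x5a\x90\x00"
    + struct.pack("<I", 0x6A09E667)
    + b"\x00" * 4
    + xor_single_byte(_HIDDEN_URL, 0xAB)
    + b"\x00" * 4
    + b"\x63\x7c\x77\x7b\xf2\x6b\x6f\xc5"
)

if __name__ == "__main__":
    for off, label in find_crypto_constants(SAMPLE):
        print("0x%04x  %s" % (off, label))
    for key, off, text in recover_xor_strings(SAMPLE):
        print("key 0x%02x @ 0x%04x: %s" % (key, off, text))
```

Searching both endiannesses matters because compilers emit the same 32-bit constant differently on different targets, and the indicator filter is what keeps the XOR output readable: without it, each of the 255 keys produces its own set of accidental printable runs.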
Export
| Tool | Goal |
| --- | --- |
| Export Report | Lightweight shareable report: merges AI Triage JSON, Threat Intel JSON, and latest CAPA log into a markdown-style HTML report; opens in a window and saves to disk. |
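An added example (not AskJOE's own code) of the merge step behind Export Report, with the one detail a shareable HTML report must get right: every string that came out of the sample or out of the model is escaped before it is rendered, and addresses are linkified only afterwards. The JSON field names, the report layout and the `#0x…` anchor convention for clickable addresses are assumptions made for this example; the sample inputs are constructed.

```python
"""Added example, not part of AskJOE: merging triage and threat-intel JSON plus
a CAPA log into an HTML report without letting sample-derived text inject markup."""
import html
import json
import re

# Hex addresses as they appear in Ghidra output, e.g. 0x00401a20.
ADDR_RE = re.compile(r"\b(0x[0-9a-fA-F]{6,16})\b")


def escape_and_link(text):
    """Escape first, then turn hex addresses into links. Strings lifted from a
    malware sample (or produced by the model) are untrusted input to the report."""
    safe = html.escape(str(text), quote=True)
    return ADDR_RE.sub(r'<a href="#\1" class="addr">\1</a>', safe)


def render_report(triage_json, intel_json, capa_log):
    """Build the HTML body from the three inputs (field names are assumptions)."""
    triage = json.loads(triage_json)
    intel = json.loads(intel_json)
    parts = [
        "<h1>AskJOE report</h1>",
        "<h2>AI Triage</h2>",
        "<p>%s</p>" % escape_and_link(triage.get("summary", "")),
        "<ul>",
    ]
    for ioc in triage.get("iocs", []):
        parts.append("<li>%s</li>" % escape_and_link(ioc))
    parts.append("</ul>")
    parts.append("<h2>Threat intelligence</h2>")
    parts.append("<table>")
    for service, result in sorted(intel.items()):
        parts.append("<tr><td>%s</td><td>%s</td></tr>" % (
            html.escape(service), escape_and_link(result.get("verdict", "n/a"))))
    parts.append("</table>")
    parts.append("<h2>CAPA</h2>")
    parts.append("<pre>%s</pre>" % escape_and_link(capa_log))
    return "\n".join(parts)


# Constructed sample inputs: the second IOC is a string a sample might carry
# precisely to break a naive report viewer.
SAMPLE_TRIAGE = json.dumps({
    "summary": "Likely downloader; decodes a URL at 0x00401a20 and writes to %TEMP%.",
    "iocs": ["http://c2.example.net/loader.exe", "<script>alert(1)</script>"],
})
SAMPLE_INTEL = json.dumps({
    "VirusTotal": {"verdict": "32/70 detections"},
    "OTX": {"verdict": "no pulses"},
})
SAMPLE_CAPA = "create process (2 matches) @ 0x00401000"

if __name__ == "__main__":
    print(render_report(SAMPLE_TRIAGE, SAMPLE_INTEL, SAMPLE_CAPA))
```

The ordering in `escape_and_link` is the whole point: linkifying before escaping would escape the generated anchor tags, and escaping nothing would let a string embedded in the binary run as script when the saved report is opened in a browser.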
Using AskJOE
Opening the launcher
Run AskJOE.py from the Script Manager (or use the keybinding if set, e.g. Ctrl+Shift+J).
The window shows the Analysis tab (tool list + output) and Config tab.
Running any tool (general)
File > Import a binary in Ghidra and wait for analysis.
In AskJOE Analysis, select a tool from the list.
Click Run; results appear in the output pane (HTML, clickable addresses where applicable). For Explain Function, use Refresh first so the current function matches your cursor.
Use Clear output to reset before another run.
AI Triage
Open a binary in Ghidra and run initial analysis.
In Analysis, select AI Triage.
Click Run; the tool produces a first-pass report (behaviour, IOCs, ATT&CK-style techniques).
Review the HTML output; addresses are clickable to jump in the Listing/Decompiler.
Adjust "light" or "deep" mode in Config or config.ini if needed.
Ask AI
Place the cursor in the function or address of interest.