modiloader | 8082e718969af2293684439e3f84a10be82cfbd87f440fe9e6b9e9ea77e7ec08

Analysis

max time kernel
145s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
16-09-2024 12:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e4c2640fbf0c15347e3de103b6ac415f_JaffaCakes118.exe
Size

617KB
MD5

e4c2640fbf0c15347e3de103b6ac415f
SHA1

066f2f7dbb3372109566e106b4dd3a3e68bb3d7c
SHA256

8082e718969af2293684439e3f84a10be82cfbd87f440fe9e6b9e9ea77e7ec08
SHA512

3999902f1bdc10d4a735e6857623e6f424cf3b6dc2d8f62ee27d1f5d1192b92b8aad325029a086b60df894e0bf633a14764634d0a88f7a6cf3e2c7846d826d93
SSDEEP

12288:9NYy0/pb2ZuA0kNVe3OJK1C8UJ7Bqc4AD9Y12WzX5FPMDv2disRfdi2:Qy0Rb2X0kNqOsw8WE75tY+disRY2

Score

10^/10

modiloader discovery evasion trojan upx

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	mspc32.exe

ModiLoader Second Stage 4 IoCs

resource	yara_rule
behavioral1/memory/2952-45-0x0000000000400000-0x0000000000453000-memory.dmp	modiloader_stage2
behavioral1/memory/1692-111-0x0000000000400000-0x0000000000453000-memory.dmp	modiloader_stage2
behavioral1/memory/1692-108-0x0000000000400000-0x0000000000453000-memory.dmp	modiloader_stage2
behavioral1/memory/1692-407-0x00000000020A0000-0x00000000020B0000-memory.dmp	modiloader_stage2

Executes dropped EXE 3 IoCs

pid	Process
2152	fade7at-ameera-s3odeya-part2,3,4---------.exe
2952	TempServices.exe
1692	mspc32.exe

Loads dropped DLL 5 IoCs

pid	Process
2420	e4c2640fbf0c15347e3de103b6ac415f_JaffaCakes118.exe
2420	e4c2640fbf0c15347e3de103b6ac415f_JaffaCakes118.exe
2152	fade7at-ameera-s3odeya-part2,3,4---------.exe
2152	fade7at-ameera-s3odeya-part2,3,4---------.exe
2952	TempServices.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0008000000015cd1-22.dat	upx
behavioral1/memory/2152-24-0x00000000032F0000-0x0000000003343000-memory.dmp	upx
behavioral1/memory/1692-46-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/2952-45-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/1692-111-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/1692-108-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/1692-407-0x00000000020A0000-0x00000000020B0000-memory.dmp	upx

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	TempServices.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mspc32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	mspc32.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\mspc32.exe	TempServices.exe
File created	C:\Windows\olecstp.dll	mspc32.exe
File created	C:\Windows\oletac.dll	mspc32.exe
File created	C:\Windows\mspc32.exe	TempServices.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e4c2640fbf0c15347e3de103b6ac415f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fade7at-ameera-s3odeya-part2,3,4---------.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TempServices.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mspc32.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2220	vlc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2220	vlc.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: 33	2220	vlc.exe
Token: SeIncBasePriorityPrivilege	2220	vlc.exe
Token: SeDebugPrivilege	2952	TempServices.exe
Token: SeBackupPrivilege	2676	vssvc.exe
Token: SeRestorePrivilege	2676	vssvc.exe
Token: SeAuditPrivilege	2676	vssvc.exe
Token: SeDebugPrivilege	1692	mspc32.exe
Token: SeDebugPrivilege	1692	mspc32.exe

Suspicious use of FindShellTrayWindow 17 IoCs

pid	Process
2220	vlc.exe
2220	vlc.exe
2220	vlc.exe
2220	vlc.exe
2220	vlc.exe
2220	vlc.exe
2220	vlc.exe
2220	vlc.exe
2220	vlc.exe
2220	vlc.exe
2220	vlc.exe
2220	vlc.exe
2952	TempServices.exe
2220	vlc.exe
2220	vlc.exe
2220	vlc.exe
2220	vlc.exe

Suspicious use of SendNotifyMessage 8 IoCs

pid	Process
2220	vlc.exe
2220	vlc.exe
2220	vlc.exe
2220	vlc.exe
2220	vlc.exe
2220	vlc.exe
2220	vlc.exe
2220	vlc.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2152	fade7at-ameera-s3odeya-part2,3,4---------.exe
2220	vlc.exe
1692	mspc32.exe
1692	mspc32.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2420 wrote to memory of 2152	2420	e4c2640fbf0c15347e3de103b6ac415f_JaffaCakes118.exe	30
PID 2420 wrote to memory of 2152	2420	e4c2640fbf0c15347e3de103b6ac415f_JaffaCakes118.exe	30
PID 2420 wrote to memory of 2152	2420	e4c2640fbf0c15347e3de103b6ac415f_JaffaCakes118.exe	30
PID 2420 wrote to memory of 2152	2420	e4c2640fbf0c15347e3de103b6ac415f_JaffaCakes118.exe	30
PID 2420 wrote to memory of 2220	2420	e4c2640fbf0c15347e3de103b6ac415f_JaffaCakes118.exe	31
PID 2420 wrote to memory of 2220	2420	e4c2640fbf0c15347e3de103b6ac415f_JaffaCakes118.exe	31
PID 2420 wrote to memory of 2220	2420	e4c2640fbf0c15347e3de103b6ac415f_JaffaCakes118.exe	31
PID 2420 wrote to memory of 2220	2420	e4c2640fbf0c15347e3de103b6ac415f_JaffaCakes118.exe	31
PID 2152 wrote to memory of 2952	2152	fade7at-ameera-s3odeya-part2,3,4---------.exe	32
PID 2152 wrote to memory of 2952	2152	fade7at-ameera-s3odeya-part2,3,4---------.exe	32
PID 2152 wrote to memory of 2952	2152	fade7at-ameera-s3odeya-part2,3,4---------.exe	32
PID 2152 wrote to memory of 2952	2152	fade7at-ameera-s3odeya-part2,3,4---------.exe	32
PID 2952 wrote to memory of 1692	2952	TempServices.exe	36
PID 2952 wrote to memory of 1692	2952	TempServices.exe	36
PID 2952 wrote to memory of 1692	2952	TempServices.exe	36
PID 2952 wrote to memory of 1692	2952	TempServices.exe	36

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	mspc32.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\e4c2640fbf0c15347e3de103b6ac415f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e4c2640fbf0c15347e3de103b6ac415f_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2420
- C:\Users\Admin\AppData\Local\Temp\fade7at-ameera-s3odeya-part2,3,4---------.exe
  "C:\Users\Admin\AppData\Local\Temp\fade7at-ameera-s3odeya-part2,3,4---------.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2152
- - C:\Users\Admin\AppData\Local\TempServices.exe
    "C:\Users\Admin\AppData\Local\TempServices.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks whether UAC is enabled
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:2952
  - - C:\Windows\mspc32.exe
      "C:\Windows\mspc32.exe"
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:1692
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\01.3gp"
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:2220

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\mspc32.lnk

Filesize
769B

MD5
f7240867bc08c0660465b5d072613dac

SHA1
bcde945bd86a06243894eac84afd1b0b874995cf

SHA256
5b34504cc4ff088db230b3e51e55e001d856f00a72a8e62a468efc577c3af968

SHA512
04b0eb406b5d6f2cab58dc71c7146a4fb9d2549db51554da1315fbbea6ac536fef92bbaeead2857698cebe3a9333e30520c043e17c9dbde8f98c9aaa1e5601d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\01.3gp

Filesize
466KB

MD5
7fa0a29cfcfdd13a389b874471e4d128

SHA1
0deddd8943e8a96171596475b39d1b3c86221a79

SHA256
20321a96150af0b155067a731b3ea8ab6c92ce2c3c5c72e2c7a24a29efb1d982

SHA512
b4558c44d07c38246ebb4c72b9a32d1a530fd830252207f85c16eae90630063e8a295e54edc715d049da23dfc7e321ffbdee11dec3346a2ef604add27f9b1f20

Download Submit
C:\Users\Admin\AppData\Local\Temp\fade7at-ameera-s3odeya-part2,3,4---------.exe

Filesize
133KB

MD5
6e46272917c572ad07a72d5f5950b739

SHA1
e88d6d6d28705e3212c8949df0e1f96699de2d2a

SHA256
44ce4cd49c1cae00bcd63101e6e1303c24f6b3727bb9b69ac48940e5af50e564

SHA512
f4a74a8c74c81d251101aaaa73da22be12d43015c2856eac9ba7c263465d893a1b9c98e362e36fd3f23fb85a8bd6dcd9e1357cd8397f6dc3ddf9c38986d9666d

Download Submit
\Users\Admin\AppData\Local\TempServices.exe

Filesize
113KB

MD5
561d40c832e2e51b9af464226cbe0ea9

SHA1
5e2323b64959d3815433e3e51a7dd980f323ef5f

SHA256
e1895ea0f152aaedb08d0e3f9e0420f03f1bd538885b3556588bdb95b66350ce

SHA512
7f0285f1920c41d3c0a4196376d95aecfba3a16fb366d1751102ab69e7bcc0d9101c9e5236e1347df842c3f88dce21d47d67364b73422e65cb9969b2a56db8be

Download Submit
memory/1692-288-0x00000000020A0000-0x00000000020B0000-memory.dmp

Filesize
64KB

Download
memory/1692-407-0x00000000020A0000-0x00000000020B0000-memory.dmp

Filesize
64KB

Download
memory/1692-110-0x0000000000790000-0x000000000079E000-memory.dmp

Filesize
56KB

Download
memory/1692-814-0x0000000000690000-0x00000000006A0000-memory.dmp

Filesize
64KB

Download
memory/1692-698-0x0000000000650000-0x0000000000660000-memory.dmp

Filesize
64KB

Download
memory/1692-640-0x0000000000650000-0x0000000000660000-memory.dmp

Filesize
64KB

Download
memory/1692-581-0x0000000000650000-0x0000000000660000-memory.dmp

Filesize
64KB

Download
memory/1692-52-0x0000000000790000-0x000000000079E000-memory.dmp

Filesize
56KB

Download
memory/1692-465-0x00000000020A0000-0x00000000020B0000-memory.dmp

Filesize
64KB

Download
memory/1692-111-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1692-346-0x00000000020A0000-0x00000000020B0000-memory.dmp

Filesize
64KB

Download
memory/1692-46-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1692-229-0x00000000020A0000-0x00000000020B0000-memory.dmp

Filesize
64KB

Download
memory/1692-171-0x00000000020A0000-0x00000000020B0000-memory.dmp

Filesize
64KB

Download
memory/1692-112-0x00000000006E0000-0x00000000006F0000-memory.dmp

Filesize
64KB

Download
memory/1692-108-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1692-109-0x00000000006D0000-0x00000000006D8000-memory.dmp

Filesize
32KB

Download
memory/2152-24-0x00000000032F0000-0x0000000003343000-memory.dmp

Filesize
332KB

Download
memory/2152-28-0x00000000032F0000-0x0000000003343000-memory.dmp

Filesize
332KB

Download
memory/2220-86-0x000007FEF3660000-0x000007FEF36AD000-memory.dmp

Filesize
308KB

Download
memory/2220-98-0x000007FEF2800000-0x000007FEF2811000-memory.dmp

Filesize
68KB

Download
memory/2220-73-0x000007FEF71C0000-0x000007FEF71D1000-memory.dmp

Filesize
68KB

Download
memory/2220-74-0x000007FEF71A0000-0x000007FEF71B8000-memory.dmp

Filesize
96KB

Download
memory/2220-75-0x000007FEF7170000-0x000007FEF71A0000-memory.dmp

Filesize
192KB

Download
memory/2220-76-0x000007FEF6D10000-0x000007FEF6D77000-memory.dmp

Filesize
412KB

Download
memory/2220-70-0x000007FEF7DC0000-0x000007FEF7DD1000-memory.dmp

Filesize
68KB

Download
memory/2220-64-0x000007FEF5590000-0x000007FEF6640000-memory.dmp

Filesize
16.7MB

Download
memory/2220-77-0x000007FEF6C90000-0x000007FEF6D0C000-memory.dmp

Filesize
496KB

Download
memory/2220-78-0x000007FEF7150000-0x000007FEF7161000-memory.dmp

Filesize
68KB

Download
memory/2220-79-0x000007FEF5320000-0x000007FEF5377000-memory.dmp

Filesize
348KB

Download
memory/2220-80-0x000007FEF51A0000-0x000007FEF5320000-memory.dmp

Filesize
1.5MB

Download
memory/2220-81-0x000007FEF6C70000-0x000007FEF6C87000-memory.dmp

Filesize
92KB

Download
memory/2220-82-0x000007FEF3930000-0x000007FEF519F000-memory.dmp

Filesize
24.4MB

Download
memory/2220-84-0x000007FEF3700000-0x000007FEF3712000-memory.dmp

Filesize
72KB

Download
memory/2220-83-0x000007FEF3720000-0x000007FEF3926000-memory.dmp

Filesize
2.0MB

Download
memory/2220-85-0x000007FEF36B0000-0x000007FEF36F2000-memory.dmp

Filesize
264KB

Download
memory/2220-72-0x000007FEF7D80000-0x000007FEF7D9B000-memory.dmp

Filesize
108KB

Download
memory/2220-87-0x000007FEF34F0000-0x000007FEF365B000-memory.dmp

Filesize
1.4MB

Download
memory/2220-88-0x000007FEF3490000-0x000007FEF34E7000-memory.dmp

Filesize
348KB

Download
memory/2220-91-0x000007FEF3210000-0x000007FEF323F000-memory.dmp

Filesize
188KB

Download
memory/2220-93-0x000007FEF2E50000-0x000007FEF2E65000-memory.dmp

Filesize
84KB

Download
memory/2220-89-0x000007FEF3240000-0x000007FEF3481000-memory.dmp

Filesize
2.3MB

Download
memory/2220-92-0x000007FEF31F0000-0x000007FEF3201000-memory.dmp

Filesize
68KB

Download
memory/2220-90-0x000007FEFB860000-0x000007FEFB870000-memory.dmp

Filesize
64KB

Download
memory/2220-95-0x000007FEF2B80000-0x000007FEF2B95000-memory.dmp

Filesize
84KB

Download
memory/2220-94-0x000007FEF2BA0000-0x000007FEF2E50000-memory.dmp

Filesize
2.7MB

Download
memory/2220-96-0x000007FEF2B50000-0x000007FEF2B73000-memory.dmp

Filesize
140KB

Download
memory/2220-97-0x000007FEF2B30000-0x000007FEF2B43000-memory.dmp

Filesize
76KB

Download
memory/2220-71-0x000007FEF7DA0000-0x000007FEF7DB1000-memory.dmp

Filesize
68KB

Download
memory/2220-99-0x000007FEF2790000-0x000007FEF27F1000-memory.dmp

Filesize
388KB

Download
memory/2220-100-0x000007FEF2740000-0x000007FEF2787000-memory.dmp

Filesize
284KB

Download
memory/2220-101-0x000007FEF26C0000-0x000007FEF2734000-memory.dmp

Filesize
464KB

Download
memory/2220-102-0x000007FEF2270000-0x000007FEF22A4000-memory.dmp

Filesize
208KB

Download
memory/2220-104-0x000007FEF2250000-0x000007FEF2262000-memory.dmp

Filesize
72KB

Download
memory/2220-103-0x000007FEF2550000-0x000007FEF2561000-memory.dmp

Filesize
68KB

Download
memory/2220-106-0x000007FEF2210000-0x000007FEF2223000-memory.dmp

Filesize
76KB

Download
memory/2220-107-0x000007FEF21F0000-0x000007FEF2204000-memory.dmp

Filesize
80KB

Download
memory/2220-105-0x000007FEF1CF0000-0x000007FEF1E6A000-memory.dmp

Filesize
1.5MB

Download
memory/2220-69-0x000007FEF7DE0000-0x000007FEF7DF1000-memory.dmp

Filesize
68KB

Download
memory/2220-68-0x000007FEF7E00000-0x000007FEF7E18000-memory.dmp

Filesize
96KB

Download
memory/2220-67-0x000007FEF7E20000-0x000007FEF7E41000-memory.dmp

Filesize
132KB

Download
memory/2220-66-0x000007FEF7EC0000-0x000007FEF7F01000-memory.dmp

Filesize
260KB

Download
memory/2220-65-0x000007FEF5380000-0x000007FEF558B000-memory.dmp

Filesize
2.0MB

Download
memory/2220-115-0x000007FEF6640000-0x000007FEF68F6000-memory.dmp

Filesize
2.7MB

Download
memory/2220-63-0x000007FEF8050000-0x000007FEF8061000-memory.dmp

Filesize
68KB

Download
memory/2220-62-0x000007FEFB220000-0x000007FEFB23D000-memory.dmp

Filesize
116KB

Download
memory/2220-61-0x000007FEFB240000-0x000007FEFB251000-memory.dmp

Filesize
68KB

Download
memory/2220-60-0x000007FEFB260000-0x000007FEFB277000-memory.dmp

Filesize
92KB

Download
memory/2220-58-0x000007FEFB310000-0x000007FEFB327000-memory.dmp

Filesize
92KB

Download
memory/2220-59-0x000007FEFB280000-0x000007FEFB291000-memory.dmp

Filesize
68KB

Download
memory/2220-56-0x000007FEF6640000-0x000007FEF68F6000-memory.dmp

Filesize
2.7MB

Download
memory/2220-57-0x000007FEFC1B0000-0x000007FEFC1C8000-memory.dmp

Filesize
96KB

Download
memory/2220-55-0x000007FEFB2A0000-0x000007FEFB2D4000-memory.dmp

Filesize
208KB

Download
memory/2220-54-0x000000013F920000-0x000000013FA18000-memory.dmp

Filesize
992KB

Download
memory/2420-10-0x0000000000400000-0x00000000004A1000-memory.dmp

Filesize
644KB

Download
memory/2952-37-0x0000000004050000-0x0000000004060000-memory.dmp

Filesize
64KB

Download
memory/2952-45-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2952-43-0x0000000004050000-0x00000000040A3000-memory.dmp

Filesize
332KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads