My SIP honeypot is now open source:

https://gitlab.com/bontchev/siphoney

I'm not very happy with the result. I don't understand the protocol well enough (yes, I've read the RFC; it's humongous). The replies of the honeypot are consistent with those of a real Astrisk PBX box where the REGISTER and INVITE requests are password-protected, but I cannot emulate a proper full handshake (INVITE->TRYING->RINGING->OK->RTP data->BYE->ACK). Also, due to the way authentication is done in SIP, I cannot collect the usernames and passwords tried by the attackers (they never cross the wire in plaintext).

Here are some images from the visualization, based on a week's worth of data.

(Note: The visualization is not part of the repo. I've just instructed the honeypot to save the gathered data into a MySQL database and have built a Grafana dashboard based on this data source.)
